    FBI Crime Report Lists Business Email Compromise as Top Scam

    By Wayne Rash - April 25, 2019

      When the FBI released its 2018 Internet Crime Report on April 22, the first item on its list of hot topics should give business leaders pause: Business Email Compromise. This is a scam aimed specifically at businesses and other organizations that depend on employees' unquestioning obedience to their supervisors.

      In a Business Email Compromise scam, the criminals craft an email that appears to be genuine and directs someone in the target organization's finance department to send a large payment, usually by wire transfer, to an account the criminals control. But as you might expect, there's a lot more to it than that.

      First, the scammers pick a victim. Normally it's a company (or sometimes a non-profit) with enough staff that there's a hierarchy of responsibilities. Beyond that, the size of the business doesn't necessarily matter; the FBI's statistics show businesses of all sizes being targeted.

      Once the target organization is selected, the scammers go to work studying its operations and staff. They use public information to determine who the senior executives are, what their contact information is and who reports to them. It's not unusual for the scammers to either compromise the company's email system or to obtain details about the target from a partner organization.

      Scammers Look for When Execs Travel

      By reading internal emails, the scammers learn company procedures, preferred partners and any other details they think will help with the next step. They then look for information, either public or in email, that reveals the movements of the organization's senior executives. Normally they strike when the CEO is traveling.

      “There’s usually an urgent email from the CEO or CFO asking for an immediate transfer of funds,” explains Colin Bastable, CEO of Lucy Security. Normally, the request appears in an email that looks authentic to the receiver, who will be someone in a position to carry out the transfer. The email will give a supposed purpose for the transfer, such as an unexpected acquisition. And it will provide details for a wire transfer. The email will stress the immediacy and the need to keep the action secret.

      Because the scammers have been studying the company and its staff for a while, the email will usually contain references that seem to establish legitimacy, such as references to some personal fact or activity. And the tone will resemble language usually used by the senior executive. Only later will you find out that it was a scam and that your money is in the hands (or at least the bank account) of the scammers.
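
      As an added illustration (not code from the article, the FBI or Lucy Security), here is a small Python check that flags the traits just described in an incoming message: a display name that matches a known executive but an address that does not, a sender domain that is a near copy of the real one, a Reply-To that diverts replies elsewhere, and the urgency and secrecy language the scam relies on. The corporate domain, the executive directory and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values: the organisation's real domain and the executives an
# attacker would most plausibly impersonate, keyed by lower-cased display name.
CORP_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com",
              "sam lee": "sam.lee@example-corp.com"}
PRESSURE_PHRASES = ("urgent", "immediately", "confidential",
                    "wire", "keep this between us")


def edit_distance(a, b):
    """Levenshtein distance; a small distance to the real domain means look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain, reply_domain = _domain(addr), _domain(reply_addr)
    findings = []

    # 1. Executive's name on a mailbox that is not the executive's.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' is an executive but address is {addr}")
    # 2. Sender domain one or two characters away from the real one.
    if (from_domain and from_domain != CORP_DOMAIN
            and edit_distance(from_domain, CORP_DOMAIN) <= 2):
        findings.append(f"look-alike sender domain {from_domain}")
    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    # 4. Two or more pressure phrases in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed messages. The look-alike domain swaps the 'l' for a '1'.
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jd.private@mail.invalid>
To: controller@example-corp.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Boarding a flight now. Need you to wire $248,000 immediately for an
acquisition deposit; details below. Keep this between us until it closes.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q2 forecast
Content-Type: text/plain; charset="utf-8"

Attached is the forecast we discussed. No action needed before Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_indicators(raw))
```

      These are heuristics for triage, not a verdict. They also only catch the forged-sender case: when the scammers have compromised a real executive mailbox, as the previous section notes they sometimes do, every header check passes, which is why the out-of-band confirmation described below matters more than any mail filter.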

      Normally a spear-phishing attack precedes the actual attempt to steal the money, and in some cases, the attackers also implant malware into the company network that can monitor activity. That malware also likely got there during a phishing attack. That attack may also have been able to retrieve credentials necessary to get into the network remotely.

      Once the actual attack starts, there are a few things you can do to prevent the attackers from being successful, and those mostly boil down to procedures you plan in advance and security systems you should have in place.

      Procedures to Put in Place

      The security systems should include capabilities such as intrusion detection and encryption of sensitive data, which includes the business phone directory. You should also be able to monitor the activities of anyone who attempts to gain access to protected information or protected areas of your network.

      But you also need to have procedures in place to keep the funds transfer attempt from being successful. Here are the steps you need to consider:

      • Get CEO and CFO buy-in for any procedures you set up, and have them agree not to punish employees who refuse to break the rules.
      • Set up a procedure for approving unexpected payments. The procedure should include a requirement for confirmation of the transaction through some means other than email. For example, a confirmation call should take place to the CEO’s cell phone, and it must be to a number that you already have, not to one provided in the email asking for the transfer.
      • Establish a code word that must be given before any transfer can take place. This stops an impostor who calls in with a spoofed caller ID from posing as the CEO.
      • Be skeptical of any unplanned transfer of large sums of money, especially if it must be done immediately. There’s almost nothing in terms of legitimate business activity that can’t wait for a day or two. Inability to contact the CEO or CFO should not be taken as a reason to approve a payment. The criminals will probably know when your executives are airborne on a long flight where they can’t be reached.
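
      The four steps above, encoded as a single approval check (an added example, not part of the article or of any product it mentions). The callback directory, the code word, the 24-hour hold on unplanned large payments and the two scenarios are all constructed for illustration; the hold is one way to implement "can wait a day or two".

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed directory of people who may legitimately originate a payment
# and the callback number already on file for each. Nothing in this table
# is ever taken from the email that requested the transfer.
CALLBACK_DIRECTORY = {"jane.doe@example-corp.com": "+1-555-0100"}
LARGE_AMOUNT = 50_000              # hypothetical threshold for a "large sum"
COOLING_OFF = timedelta(hours=24)  # hypothetical hold for unplanned large payments


def hash_code_word(word):
    """Normalise and hash the code word so only a digest is kept on file."""
    return hashlib.sha256(word.strip().lower().encode("utf-8")).hexdigest()


# Hypothetical code word agreed with the CEO, stored only as a hash.
CODE_WORD_HASH = hash_code_word("heron")


def evaluate_transfer(request, confirmation, now):
    """Return (approved, reasons). Every failed check is a reason to refuse."""
    reasons = []
    expected_number = CALLBACK_DIRECTORY.get(request["requester"])
    if expected_number is None:
        reasons.append("requester is not on the list of people who may originate payments")

    if confirmation is None:
        # Not being able to reach the executive is never a reason to pay.
        reasons.append("no out-of-band confirmation on record")
    else:
        if confirmation["called_number"] != expected_number:
            reasons.append("confirmation call was not made to the number on file")
        supplied = hash_code_word(confirmation.get("code_word", ""))
        if not hmac.compare_digest(supplied, CODE_WORD_HASH):
            reasons.append("code word did not match")

    if request["unplanned"] and request["amount"] >= LARGE_AMOUNT:
        if now - request["received_at"] < COOLING_OFF:
            reasons.append("unplanned large payment: hold for the cooling-off period")

    return (not reasons, reasons)


# Constructed scenarios; 'now' is fixed so the example is reproducible.
NOW = datetime(2019, 4, 25, 9, 0, tzinfo=timezone.utc)

ATTACK_REQUEST = {"requester": "jane.doe@example-corp.com", "amount": 248_000,
                  "unplanned": True, "received_at": NOW - timedelta(minutes=10)}
# The clerk called the number printed in the email and reached "the CEO".
ATTACK_CONFIRMATION = {"called_number": "+1-555-0199", "code_word": "sorry, bad line"}

LEGIT_REQUEST = {"requester": "jane.doe@example-corp.com", "amount": 248_000,
                 "unplanned": True, "received_at": NOW - timedelta(days=2)}
LEGIT_CONFIRMATION = {"called_number": "+1-555-0100", "code_word": " Heron "}

if __name__ == "__main__":
    for label, req, conf in (("attack", ATTACK_REQUEST, ATTACK_CONFIRMATION),
                             ("legit", LEGIT_REQUEST, LEGIT_CONFIRMATION)):
        approved, reasons = evaluate_transfer(req, conf, NOW)
        print(label, "approved" if approved else "refused", reasons)
```

      The point of the structure is that the email itself contributes nothing to the decision: the callback number comes from the directory, the code word is checked against a stored hash with a constant-time compare, and a missing confirmation is a refusal rather than a judgment call for the person under pressure.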

      Bastable says that training is critical in avoiding such attacks. This means that you must conduct simulated attacks as part of your normal activities. Bastable said that his company can provide such training. You can also find simulated phishing emails intended to carry out a simulated Business Email Compromise at KnowBe4. That company will also let you preview its training modules. Regardless of how you do it, security awareness training is crucial to keep your organization from falling victim to these attacks.

      Fortunately, there’s some light in the darkness. The FBI has put together a Recovery Asset Team that’s been successful in getting back about 75% of the money that’s been stolen in such schemes. But that depends on letting them know as soon as you know you’ve been compromised. Make that part of your procedures, too.

      Wayne Rash
      https://www.eweek.com/author/wayne-rash/
      Wayne Rash is a freelance writer and editor with a 35-year history covering technology. He’s a frequent speaker on business, technology issues and enterprise computing. He is the author of five books, including his most recent, "Politics on the Nets." Rash is a former Executive Editor of eWEEK and a former analyst in the eWEEK Test Center. He was also an analyst in the InfoWorld Test Center and editor of InternetWeek. He's a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine.