Business Email Compromise: Be Prepared!

Clark Hill PLC

Business Email Compromise (BEC) is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes.

BEC is a scheme in which an attacker uses fraudulent email to impersonate an executive, business contact or other person to get a transfer of funds, money or sensitive information.

On July 16, 2019, the U.S. Treasury Financial Crimes Enforcement Network issued an advisory to financial institutions, which reported that BEC schemes had caused over $9 billion in losses to U.S. financial institutions and their customers since 2016. The FBI’s Internet Crime Complaint Center (IC3) 2018 Internet Crime Report (April 2019) reported that IC3 received 20,373 BEC complaints in 2018, with adjusted losses of $1.2 billion. The FBI issued a Public Service Announcement in July 2018, which reported 78,617 domestic and international incidents of BEC between October 2013 and May 2018, with $12.5 billion in exposed dollar loss.

BEC takes multiple forms. It sometimes involves spearphishing (fraudulent, targeted email) that appears to be from a business executive, business contact, or party to a transaction. It can also involve a fraudulent email from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion. When BEC involves the takeover of a legitimate email account, it is called Email Account Compromise (EAC).

A common form of BEC is fraudulent wire transfer instructions: for example, an email appearing to be from a CEO or other senior official (COO, CFO, etc.) with instructions to immediately pay “a vendor,” or an email appearing to be from a vendor with new wire transfer instructions that point to a criminal’s account. A variation is an email that appears to be from the attorney or real estate agent for a seller, carrying fraudulent payment instructions for the proceeds of a real estate sale, or sent to a buyer to “hijack” the wire transfer of the purchase price. Another common example is the W-2 scheme, in which a fraudulent email, appearing to be from a corporate officer, directs an employee in payroll to send copies of W-2 tax forms to him or her by email. The information from the W-2s is then used to get refunds from fraudulent electronic tax returns. In schemes involving EAC, the fraudulent emails may be sent from legitimate accounts.

Businesses and organizations can best prevent BEC/EAC and mitigate losses, if they occur, by:

  • adopting policies and procedures (like verifying and reconfirming payment instructions or changes and information requests – other than just by email – and prompt reporting of phishing attempts and security incidents),
  • conducting ongoing security awareness training, including reminders,
  • implementing security technology (like spam filters, external email flags, and use of secure email), and
  • implementing incident response and prevention plans for BEC/EAC. Incident response plans should include steps like (1) notifying management, the bank, data breach counsel, the FBI and its Internet Crime Complaint Center (IC3), other law enforcement, and insurance carriers, (2) containing any compromise, by, for example, conducting a global password reset and checking for any suspicious email rules, and (3) preserving evidence.
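
The containment step of “checking for any suspicious email rules,” as an added example that is not part of the original advisory: a small audit over inbox-rule records that flags the patterns typically left behind after an account takeover (forwarding to outside addresses, deleting or hiding payment-related mail, unnamed rules). The rule fields, the sample rules and the company domain example.com are constructed assumptions, not any mail platform’s export format.

```python
# Added example: flag inbox rules that look like Email Account Compromise.
# The rule fields and samples are constructed, not a vendor's export format.
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"                     # assumed company domain
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "remit"}
# Folders the mailbox owner rarely opens, so diverted mail goes unnoticed
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}

@dataclass
class InboxRule:
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list = field(default_factory=list)

def audit_rule(rule: InboxRule) -> list:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    external = [a for a in rule.forward_to
                if a.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if external:
        findings.append("forwards mail outside the company to " + ", ".join(external))
    finance = any(k in s.lower() for s in rule.subject_contains for k in FINANCE_KEYWORDS)
    # Deleting all mail, or just payment-related mail, hides the fraud from the owner
    if rule.delete_message and (finance or not rule.subject_contains):
        findings.append("deletes incoming mail" + (" about payments" if finance else ""))
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves mail into rarely-read folder '{rule.move_to_folder}'")
    if len(rule.name.strip()) <= 1:   # compromised accounts often get unnamed rules
        findings.append("rule name is empty or a single character")
    return findings

def audit_mailbox(rules: list) -> dict:
    """Map rule name -> findings, keeping only rules that raised something."""
    return {r.name: f for r in rules if (f := audit_rule(r))}

# Constructed sample: one benign rule and two typical post-compromise rules
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="Reading", subject_contains=["newsletter"]),
    InboxRule(".", forward_to=["drop@attacker-mail.test"], delete_message=True,
              subject_contains=["invoice", "wire transfer"]),
    InboxRule("Archive", move_to_folder="RSS Feeds", subject_contains=["payment"]),
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"[!] rule {name!r}: " + "; ".join(findings))
```

Running the audit across every mailbox after a global password reset, and again a few days later, catches rules an attacker re-creates with a lingering session.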

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Clark Hill PLC | Attorney Advertising
