When an accounts payable employee at a small manufacturing company received an urgent email from the firm’s CEO to wire a significant amount of money immediately to an unfamiliar account, her instinct to confirm the details was overridden when a follow-up email stated that the funds were needed for an acquisition that had to be completed quickly or the opportunity would pass. After $250,000 was wired, it was discovered that the CEO was not the source of the request; his email account had been taken over by a fraudster who disappeared with the funds.
Business Email Compromise is a type of fraud perpetrated via email in which a business is tricked into transferring funds to accounts controlled by the criminals or handing over sensitive data, such as employees’ names, addresses and Social Security numbers. While scammers target businesses of all sizes, small businesses often lack the scale or the resources for a sophisticated cybersecurity program. However, small businesses are not defenseless. These basic precautions can help to prevent Business Email Compromise.
Business Email Compromise, or BEC, occurs when someone falsifies a legitimate email address to authorize the disclosure of sensitive information or the transfer of funds to accounts managed by criminals. The scammer either hijacks or spoofs (impersonates) the email account of an executive who is authorized to instruct other employees to initiate payments, such as wire transfers or an Automated Clearinghouse (ACH) transfer.
Sometimes, fraudsters impersonate legitimate vendors and trick unsuspecting victims (businesses of all sizes) into re-routing future payments to a different account, set up and controlled by the fraudsters. Reasons offered for the new account include that the vendor has moved its business account to a different bank or that the account routinely used is undergoing an audit.
The employee believes the email instructions to be legitimate and completes the transfer of funds as requested, unknowingly depositing company funds into bank accounts controlled by the scammer.
All Business Email Compromise cases should be reported, no matter how small or large, to alert authorities to the activity. Report any online fraud or BEC activity to the Federal Bureau of Investigation’s Internet Crime Complaint Center. While a specific case may not be fully remediated, authorities gain more insight about patterns and attackers from multiple reports.
In addition, contact your financial institution if a fraudulent transfer is discovered in order to explore the potential for recalling the funds.
For more information regarding small business cybersecurity, visit the Federal Trade Commission website.
Types of attack
The scammer needs some critical information in order to successfully impersonate the executive’s or legitimate vendor’s real email account to initiate the fraudulent transfer of funds or data:
Spoof an email account or website
Using slight variations of a legitimate address fools a victim into thinking fake accounts are authentic, such as replacing a lowercase “L” in the company name with the numeral one (1). The cybercriminal can use such a spoofed email to request that a vendor’s bank account information be changed, for example.
Send spear phishing emails
A spear phishing attack is designed to trick employees into disclosing sensitive information or unknowingly providing access to a computer system by sending counterfeit messages that appear to be legitimate. A spear phishing campaign targets a specific individual or group, such as employees of a specific company. Attackers can use information available in social media profiles to gain knowledge about a business’s workforce, organizational hierarchy, technology and communication channels, and then target those people with a phishing or social engineering campaign to acquire the sensitive information.
Use malware
Malicious software compromises company networks to access information about a business’s billing and invoice processes, which the scammer then exploits, or to gain undetected access to a victim’s data, including passwords and financial account information.
Vendor Impersonation
Many of the vendor impersonation schemes involve contracts that are publicly awarded. Typically, open-source information is available regarding successful bidders, who can easily be impersonated via slightly altered websites, often using legitimate images, logos, etc., taken from the victim’s legitimate site. Email accounts are then often set up using slight variations of the legitimate site or email domain. One such example might be a legitimate site using www.abctolls.com versus a fraudster site set up using www.abctoolsinc.com.
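As an added illustration of the lookalike-domain technique described here and in the spoofing item above, the following Python script (example code written for this article, not PNC’s tooling) checks a sender’s domain against an allowlist of known vendor domains. It undoes common character swaps such as the numeral one for a lowercase L, drops suffixes like “inc”, and flags domains that are close to a partner but not identical so that a payment-change request from such a sender is held for out-of-band verification. The allowlist (which reuses the article’s www.abctolls.com example), the confusable table, the suffix list and the 0.8 similarity threshold are all assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: domains this company legitimately exchanges invoices with.
# The first entry reuses the article's legitimate-site example.
KNOWN_DOMAINS = {"abctolls.com", "examplevendor.com"}

# Single-character swaps commonly used to build lookalike names (assumption: a small
# illustrative table, not an exhaustive confusable list).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
# Two-character sequences that read as one letter at a glance.
MULTI_CONFUSABLES = [("rn", "m"), ("vv", "w")]
# Suffix words appended so a fake name still "looks right" (assumption).
SUFFIXES = re.compile(r"(inc|llc|corp|ltd|group|co)$")


def extract_domain(address: str) -> str:
    """Return the lowercase domain of a well-formed address, else raise ValueError."""
    match = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})", address.strip())
    if not match:
        raise ValueError(f"not a well-formed email address: {address!r}")
    return match.group(1).lower()


def canonical(domain: str) -> str:
    """Reduce a domain to a comparable core: first label, confusables undone, suffix dropped.

    Assumes a single-label TLD such as .com; country-code pairs like .co.uk would need
    a public-suffix list, which is out of scope here.
    """
    label = domain.lower().split(".")[0].replace("-", "")
    for pair, letter in MULTI_CONFUSABLES:
        label = label.replace(pair, letter)
    label = label.translate(CONFUSABLES)
    return SUFFIXES.sub("", label)


def assess_sender(address: str, known=KNOWN_DOMAINS, threshold: float = 0.8) -> dict:
    """Classify the sender's domain as known, lookalike (close to a partner but not
    identical) or unknown. Lookalikes are the senders whose payment-change requests
    must be verified through an already-trusted channel before anything is changed."""
    domain = extract_domain(address)
    if domain in known:
        return {"domain": domain, "verdict": "known", "closest": domain, "score": 1.0}
    core = canonical(domain)
    closest, best = None, 0.0
    for partner in known:
        score = SequenceMatcher(None, core, canonical(partner)).ratio()
        if score > best:
            closest, best = partner, score
    verdict = "lookalike" if best >= threshold else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "score": round(best, 3)}


if __name__ == "__main__":
    # Constructed sample senders: the article's fraudster domain, a digit-for-letter
    # swap, a genuine partner, and an unrelated domain.
    for sender in ("ap@abctoolsinc.com", "ceo@examp1evendor.com",
                   "billing@abctolls.com", "someone@mailservice.example"):
        print(assess_sender(sender))
```

Such a check belongs in the accounts payable workflow (or a mail-gateway rule) as a gate, not as the decision itself: a “lookalike” verdict means the request is routed to a person who confirms it by phone using a number already on file, and an “unknown” verdict on a payment-change request deserves the same treatment.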
Email Account Compromise
Criminals acquire valid credentials for a legitimate company email account. They then email a customer of the company, often with new payment information. Any change to payment information should be verified through a trusted communication channel that was already in use before the new payment email arrived. The best defense against email accounts being compromised is multifactor authentication for email.
These articles are for general information purposes only and are not intended to provide legal, tax, accounting or financial advice. PNC urges its customers to do independent research and to consult with security, financial and legal professionals before making any financial decisions. This site may provide reference to internet sites as a convenience to our readers. While PNC endeavors to provide resources that are reputable and safe, we cannot be held responsible for the information, products or services obtained on such sites and will not be liable for any damages arising from your access to such sites. The content, accuracy, opinions expressed and links provided by these resources are not investigated, verified, monitored or endorsed by PNC.