The FBI last week published a public service announcement updating its warnings about the continuing threat of business email compromise (BEC, also called CEO fraud). The problem has reached shocking proportions: between June of 2016 and December of 2021, the Bureau counted 241,206 domestic and international incidents of business email compromise. The “exposed dollar loss” (which includes both actual and attempted losses) is the real shocker: $43,312,749,946, more than forty-three-billion dollars.
At its root, BEC is a social engineering problem. “The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds,” the FBI explains. Some of its variants don’t necessarily involve a direct, unauthorized transfer of funds. The crooks also look for “Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even crypto currency wallets.”
And the problem is growing worse. “Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses.” Part of the increase may be attributable to the growing use of cryptocurrencies, which are well adapted to fast funds transfers and have a reputation for anonymity. “The IC3 has received an increased number of BEC complaints involving the use of cryptocurrency. Cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.”
The public service announcement offers some suggestions businesses might follow to protect themselves. Some of them involve instituting sound policies, like using “secondary channels or two-factor authentication to verify requests for changes in account information,” or seeing to it that “the settings in employees' computers are enabled to allow full email extensions to be viewed.”
Many of them, however, are matters of training:
- “Ensure the URL in emails is associated with the business/individual it claims to be from.
- “Be alert to hyperlinks that may contain misspellings of the actual domain name.
- “Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- “Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
- ”Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.”
These, and other points, can be addressed in new-school security awareness training that can enable your employees to recognize business email compromise.