FBI Data Shows 270% Increase in BEC Scams

March 11, 2016

Educating employees about the various types of cybercrime is becoming more and more critical, and for good reason. According to a report by APWG (Anti-Phishing Working Group), both consumer-based phishing and spear-phishing (targeting employees of businesses) increased in the first three quarters of 2015 and show no signs of slowing.

The most common form of phishing is now the Business Email Compromise (BEC) scam, which targets employees of a particular business, generally those who have authorization to wire money from the company’s financial accounts. Data from the FBI has shown this type of scam increased 270% throughout 2015 and adds up to more than $1.2 billion in losses.

Typically, the employees in the scammers' crosshairs receive an email that appears to be from an executive, or some other authorized employee, of their company, requesting that money be transferred to some account. Often the money is to be sent outside the country.

It is difficult to identify these types of attacks, but there are warning signs. Usually, the request is presented to the employee as urgent, something that cannot wait for the process of getting additional approvals. In addition, the sender’s email address is spoofed, meaning it appears to be from the legitimate company at first glance, but on closer inspection it is not the same.

Therefore, anyone who is authorized to perform wire transfers should use extra caution when receiving requests.

  • Check the email address, and then check it again to make sure it truly is from someone who can authorize such transactions. Often fake domains are used that are so close to the legitimate one that the difference is hard to see. Sometimes they have just one or two letters that are different. Sometimes they will replace the letter “L” with the number “1” or the letter “O” with a zero, for example.
  • Verify again that the request is legitimate. Do this preferably via telephone, but alternatively by sending a brand new email message (not a reply) back to the requestor. You will find out very quickly if it’s a scam if you do this.
  • Follow a process of getting multiple approvals before a wire transfer is allowed. If there is no process for this, create one, follow it, and ensure it is enforced.

No company is immune to cybercrime. Businesses of all types and sizes are vulnerable. Therefore, providing continuous education to employees about cybercrimes and how to identify the various forms of social engineering and phishing is highly beneficial. This type of crime is always evolving. Staying on top of it is paramount to avoid becoming another figure in the statistics.

© Copyright 2016 Stickley on Security