October 16, 2015
The New Scam on the Block: Business Email Compromise
Email is the default communication method for business because it’s quick, easy, inexpensive, and breaks down geographic barriers. But as email has grown in use and popularity, criminals have been quick to fill our inboxes with spam, Nigerian email scams, phishing messages, and—exceedingly popular—business email compromise messages.
What is business email compromise?
Business email compromise occurs when a fraudster sends a spoofed email to a business email account requesting that money be wired to a bank account he or she controls. These spoofed emails can appear to come from a vendor, senior executive, or someone with approval to release funds. If the recipient believes the email to be legitimate, it can result in enormous losses for the company.
In August, technology company Ubiquiti Networks fell for the scam, incurring losses to the tune of $46 million. Employees of the company believed that emails they received from the “CEO” were legitimate and released funds to pay invoices created by the criminal.
What’s law (enforcement) got to do with it?
In January, the FBI announced that business email compromise scams had resulted in over $1 billion in reported losses in 2014, and provided resources to help businesses protect themselves. The sad truth of the matter is that many of these scams originate in places where US law enforcement has no reach or influence, so criminal prosecution or the recovery of funds is the exception, not the rule.
That’s why you need to do everything in your power to safeguard your business against fraud and business email compromise.
So how do you protect your business?
Because fraud is so pernicious, wide-reaching, and devastating, it may seem like a herculean task to mitigate it. But there are quick and easy ways to prevent your company from falling victim to this expensive crime:
- Confirm email wire transfer requests by a second channel. If the “CEO” wants you to wire money, a quick phone call to his or her office can confirm whether the request is legitimate.
- Trust your gut. Many scams are outside of the normal routine. If a vendor always sends in an invoice at the beginning of the month and this request comes in the middle of the month, it should raise a red flag. If the “vendor” changes the wiring instructions, that should also raise a red flag. If something feels off about the request, do your homework before wiring any funds. Remember the old adage: better safe than sorry. And it’s so true.
- Involve your technology experts in the process. Spoofed emails leave clues behind like a near-invisible trail of bread crumbs. But your technology experts know what they’re looking for, and they can determine whether the email is actually from where it claims to be from.
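To illustrate the kind of clues mentioned above, here is a short Python check of the headers a technical reviewer usually looks at first. It is an added example, not part of the original article; the message, names and domains are constructed samples, and the function name is hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a "CEO" wire request whose replies go to another domain.
SAMPLE = """\
Return-Path: <ceo@mail-relay.example>
Authentication-Results: mx.company.example; spf=softfail smtp.mailfrom=mail-relay.example; dkim=none; dmarc=fail header.from=company.example
From: "Pat Lee, CEO" <pat.lee@company.example>
Reply-To: pat.lee@company-payments.example
To: accounts.payable@company.example
Subject: Urgent wire transfer

Please wire the funds today.
"""

def _domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoofing_clues(raw_message):
    """Return header clues that warrant a second-channel check before paying."""
    msg = message_from_string(raw_message)
    clues = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    path_dom = _domain(msg["Return-Path"])
    # Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        clues.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Weaker signal: bulk-mail services also cause this, so treat it as a hint.
    if path_dom and path_dom != from_dom:
        clues.append(f"Return-Path domain {path_dom} differs from From domain {from_dom}")
    # Authentication-Results is written by the receiving server (RFC 8601);
    # only trust the copy added by your own mail gateway.
    for result in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", result.lower()):
            if verdict != "pass":
                clues.append(f"{method} result is {verdict}")
    return clues

if __name__ == "__main__":
    for clue in spoofing_clues(SAMPLE):
        print(clue)
```

An empty result does not prove a message is genuine, since a compromised real mailbox passes all of these checks, so the phone call in the first tip still applies.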
The mounting technological savvy of fraudsters may seem intimidating, but preventing business email compromise really boils down to two simple things: common sense and awareness. All you have to do is pay attention.
Nathan Horn-Mitchem is Provident Bank’s Information Security Officer. With more than a decade of experience, Nathan’s a bona fide expert in his field. He holds a CISSP (Certified Information Systems Security Professional) certification. In addition to keeping the bank safe, he enjoys watching college basketball and spending time with his kids.