
Teach Your Employees to Recognize Business Email Compromise

The FBI published a public service announcement updating its warnings about the continuing threat of business email compromise (BEC, also called CEO fraud). The problem has reached shocking proportions: between June 2016 and December 2021, the Bureau counted 241,206 domestic and international business email compromise incidents. The “exposed dollar loss” (including actual and attempted losses) is the real shocker: $43,312,749,946, more than forty-three billion dollars.

At its root, BEC is a social engineering problem. “The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized funds transfers,” the FBI explains.

Some variants don’t necessarily involve a direct, unauthorized funds transfer. The crooks also look for “Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets.”

And the problem is growing worse. “Between July 2019 and December 2021, there was a 65% increase in global exposed losses.” Part of the increase may be attributable to the growing use of cryptocurrencies, which are well adapted to fast funds transfers and have a reputation for anonymity.

“The IC3 has received an increased number of BEC complaints involving cryptocurrency. Cryptocurrency is a virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions. It is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.”

The public service announcement offers some suggestions businesses might follow to protect themselves. Some of them involve instituting sound policies, like using “secondary channels or two-factor authentication to verify requests for changes in account information” or seeing that “the settings in employees’ computers are enabled to allow full email extensions to be viewed.”

Many of them, however, are matters of training:

  • Ensure the email URL is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address matches who it is coming from.
  • Monitor your personal financial accounts regularly for irregularities, such as missing deposits.
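The first four checklist items above are mechanical enough to automate as a first-pass screen before a message reaches an employee. The following Python script is an added example written for this article; it is not code from the FBI announcement or from KnowBe4. It parses one raw email, compares the sender's real address (not the display name) against a set of domains the business owns, flags sender or link domains within two edits of a trusted domain (typosquats), and flags hyperlinks whose visible text names one host while the href points at another. The `TRUSTED_DOMAINS` set, both sample messages, and the "last two labels" rule for the registrable domain are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation actually uses (assumption for this example).
TRUSTED_DOMAINS = {"acme-corp.com"}

# Constructed sample: lookalike sender domain, display name that borrows the
# company name, and a link whose text shows the real site but whose href
# points at a third-party host.
SUSPICIOUS_EML = """From: "Acme-Corp Finance" <ceo@acme-corp.co>
To: payroll@acme-corp.com
Subject: Urgent: updated wire instructions
Content-Type: text/html

<p>Please update the vendor bank details here:
<a href="https://acme-corp.com.invoice-portal.net/update">https://acme-corp.com/vendors</a></p>
"""

# Constructed sample of a legitimate internal message for comparison.
CLEAN_EML = """From: "Acme-Corp Finance" <finance@acme-corp.com>
To: payroll@acme-corp.com
Subject: Vendor portal reminder
Content-Type: text/html

<p>Submit vendor changes through <a href="https://acme-corp.com/vendors">our vendor portal</a>.</p>
"""

# Visible link text that looks like a URL or a bare hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:[/:?#]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no public-suffix list used)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` closely imitates, else None."""
    if domain in trusted:
        return None
    return next((t for t in trusted if edit_distance(domain, t) <= 2), None)


def analyze_message(raw, trusted=TRUSTED_DOMAINS):
    """Apply the checklist items to one raw message and return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # Sender check: the real address behind the display name must belong to us.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    imitated = lookalike_of(sender_domain, trusted)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles trusted {imitated}")
    brands = {t.split(".")[0] for t in trusted}
    if sender_domain not in trusted and any(b in display.lower() for b in brands):
        findings.append(f"display name '{display}' borrows a trusted name but address is {addr}")
    # Hyperlink checks: visible text vs. real href, and typosquatted href domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, visible in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        shown = HOSTLIKE.match(visible)
        if shown and registrable_domain(shown.group(1)) != href_domain:
            findings.append(f"link text shows {shown.group(1).lower()} but points to {href_domain}")
        imitated = lookalike_of(href_domain, trusted)
        if imitated:
            findings.append(f"link domain {href_domain} resembles trusted {imitated}")
    return findings
```

Running `analyze_message(SUSPICIOUS_EML)` returns three findings (lookalike sender domain, borrowed display name, link text and href disagree), while the clean message returns an empty list. The two-edit threshold is deliberately tight: it catches `acme-corp.co` and `acme-c0rp.com`-style swaps without flagging every unrelated short domain, and the real sender address is always shown in the finding so the reviewer sees what the "full email extension" setting in the announcement would have revealed.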

These points, and others like them, can be addressed in new-school security awareness training that enables your employees to recognize business email compromise.

Information in this article was provided by our partners at KnowBe4.