Business Email Compromise (BEC): What You Need to Know
According to the FBI, Business Email Compromise (BEC) accounted for $12B in losses reported in complaint filings between October 2013 and May 2018. In 2018 alone, the total loss from reported BEC scams was $1.2 billion. Most recently, a Toyota subsidiary acknowledged that on August 14th of this year it lost $37M when an employee unknowingly transferred money to a cybercriminal.
Toyota has not released much detail about how this BEC scam took place, but based on our experience, it probably happened like this:
- An attacker gains access to a corporate email account through a phishing attack. The end user mistakenly provides their login credentials in response to a spoofed email.
- The cybercriminal puts certain rules into place within the compromised email account (generally that of an executive or somebody with ties to finance) and then emails others, either within or outside the organization.
- The email (e.g., from the CEO to the Controller) explains that a large wire transfer is required, oftentimes under the guise of paying a vendor. The scammer may also claim to be the vendor and state that their bank routing information has changed.
- The recipient of the email wants to please their boss, and as the boss claims to be in a meeting “so you can’t call me”, they wire the funds as requested.
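As an added illustration (not part of the original post), here is a small Python audit of the mailbox-rule step described above: it flags rules that forward mail outside the organization, hide finance-related messages, or carry empty names. The rule schema, the domain `example.com` and the sample rules are constructed assumptions, not the export format of any particular mail platform.

```python
from dataclasses import dataclass

INTERNAL_DOMAIN = "example.com"   # assumed: the organisation's own mail domain
FINANCE_TERMS = ("invoice", "wire", "payment", "routing", "bank")
HIDING_FOLDERS = ("deleted items", "rss feeds", "archive", "junk email")


@dataclass
class MailboxRule:
    """One inbox rule in a constructed, simplified schema (not any vendor's format)."""
    mailbox: str
    name: str
    keywords: tuple = ()      # subject/body words the rule matches on
    forward_to: tuple = ()    # addresses the rule forwards or redirects to
    move_to: str = ""         # destination folder, if any
    delete: bool = False
    mark_read: bool = False


def audit_rule(rule: MailboxRule) -> list:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    # 1. Any forward or redirect that leaves the organisation.
    external = [a for a in rule.forward_to if a.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if external:
        findings.append("forwards externally to " + ", ".join(external))
    # 2. Finance-related mail hidden, deleted or marked read, so the real owner
    #    never sees replies to messages sent from the compromised account.
    finance = any(t in k.lower() for k in rule.keywords for t in FINANCE_TERMS)
    hidden = rule.delete or rule.mark_read or rule.move_to.lower() in HIDING_FOLDERS
    if finance and hidden:
        findings.append(f"hides finance mail (keywords={list(rule.keywords)}, "
                        f"move_to={rule.move_to!r}, mark_read={rule.mark_read})")
    # 3. Empty or single-character rule names are a common tell of a rule meant to stay unseen.
    if len(rule.name.strip()) <= 1:
        findings.append(f"rule name is empty or trivial ({rule.name!r})")
    return findings


def audit_rules(rules: list) -> dict:
    """Map (mailbox, rule name) -> findings for every rule worth a second look."""
    return {(r.mailbox, r.name): f for r in rules if (f := audit_rule(r))}


# Constructed sample: one benign rule and two of the kind the post describes.
SAMPLE_RULES = [
    MailboxRule("ceo@example.com", "Newsletters", keywords=("digest",), move_to="Newsletters"),
    MailboxRule("ceo@example.com", ".", keywords=("invoice", "wire"), move_to="RSS Feeds", mark_read=True),
    MailboxRule("controller@example.com", "Sync", forward_to=("drop@attacker.invalid",)),
]
```

Running `audit_rules(SAMPLE_RULES)` leaves the newsletter rule alone and reports the other two; a rule export from your own tenant would need mapping into the `MailboxRule` fields first.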
Whether it’s a $37M transfer from a global provider of car parts, a $2M payment by a church to a construction company, or a $1.7M hit taken by a county government, the loss can be devastating. The Toyota subsidiary has acknowledged that it may need to alter its earnings estimates unless it can recoup some of the losses.
Avoid Being Victimized by BEC
What steps can you take to make sure that your organization doesn’t get hit with business email compromise? First, your entire organization, from the CEO all the way down, should go through annual security awareness training. A good training session will cover the current threats, how to spot them, and how to avoid them. There are even tools on the market which can be used to test which of your employees present the biggest risk to your corporate IT security.
Secondly, when it comes to BEC, you should have a corporate hierarchy in place that makes it so that no one person controls the keys to the castle, so to speak. If funds are being wired or bank routing information is changing, there need to be checks and balances in place.
Thirdly, your organization should be using multifactor authentication (MFA) to access your email accounts and your corporate network. Yes, it’s an additional step in logging on, but it stands to save you millions in the long run.
For more information on BEC, security awareness training, or multifactor authentication, call Ashton Technology Solutions at 216 397-4080.