They look innocent. They look like emails originating from an executive to a CEO or from a CEO to a financier. In short, emails are more of a business nature. If your CEO sends you an email asking for details of your taxes, how likely are you to provide him with all the details? Do you give a thought as to why would the CEO be interested in your tax details? Let us see how Business Email Compromise happens, how people are taken for a ride, and a few points later on how to deal with the menace.
Business Email Compromise
Business Email Compromise scams usually exploit vulnerabilities in different email clients and make an email look as if it is from a trusted sender from your organization or business associate.
Estimated Loss during the last three years due to Business Email Compromise
Between 2013 and 2015, businesses across 79 countries were duped – US, Canada and Australia being on the top. The data of 2015 to 2016 is not yet in but might have increased, in my opinion – because cyber criminals are more active than ever. With things like email spoofing and IoT ransomware, they can make as much money as they want. I’ll not cover ransomware in this article; will just stick to BEC (Business Email Compromise).
In case you wish to know how much money was swindled from the 79 countries during 2013 to 2015, the figure is…
…from 22 thousand business houses across the 79 countries! Most of these countries belong to the developed world.
How does it work?
We spoke about email spoofing earlier. It is the method of rigging the sender’s address. Using vulnerabilities in different email clients, the cyber criminals will make it look as if the email is from a trusted sender – someone in your office or someone from your clients.
Other than using email spoofing, the cybercriminals sometimes actually compromise the email IDs of different people in your office and use them to send you mail that would look like it is coming from an authority and that it needs priority attention.
Social engineering too, helps in getting out the email IDs and then, business details and business money. For example, if you are a cashier, you might receive an email from the supplier or a call asking you to change the method of payment and to credit future amounts to a new bank account (that belongs to the cybercriminals). Since the email looks like it is coming from the supplier, you will believe it instead of cross-checking. Such acts are called invoice rigging or bogus invoice scams.
Likewise, you may get an email from your boss asking you to send him your bank details or card information. The criminals can cite any reason like they’re going to deposit some cash in your account or card. Since the email comes from or looks like coming from the boss, you won’t give it much thought and would reply to it as soon as possible.
Some other cases have been detected where a CEO of a company sends you an email asking you for your colleagues’ details. The idea is to use the authority of others to scam you and your business. What will you do if you receive an email from your CEO that says he needs some funds transferred to a certain account? Would you not follow the related protocols? Then why did the CEO bypass them? As I said earlier, cybercriminals use the authority of someone in your business to pressurize you into giving up crucial information and money.
Business Email Compromise: How to prevent?
There should be a system that can look for certain words or phrases and based on the results, can classify and remove false emails. There are some systems that use the method to divert spam and junk.
In the case of Business Compromise Scams or CEO Frauds, it becomes difficult to scan and identify fake emails because:
- They are personalized and look original
- They are originating from a trusted email ID
The best method to prevent business email compromise is to educate the employees and ask them to make sure that the related protocols are being forwarded. If a cashier sees an email from his boss asking him to transfer some funds to a certain account, the cashier should call the boss to see if he really wants funds transferred to the seemingly alien bank account. Making a confirmation call or writing an extra email help the employees in knowing if certain things are actually to be done or if it is a fake email.
Since each business has its own set of rules, the people concerned should check if the relevant protocol is being followed. For example, it might be required that the CEO has to send an email to both the finance department and the cashier if he needs money. If you see that the CEO contacted the cashier directly and had not sent any voucher or letter to the accounting department, chances are high that it is a fake email. Or if there is no statement as to why the CEO is transferring money to some account, there is something wrong. A statement helps the accounting department in balancing the books. With no such statement, they can’t create a proper entry in the office ledger.
Other things you could do are – Avoid free web-based e-mail accounts and be careful what is posted to social media and company websites. Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail.
Thus, the basic and most effective method to prevent business email compromise is to stay alert. This translates into educating staff about possible problems and how to cross-check etc. It is also a good practice not to discuss business details with strangers who have nothing to do with the business.
If you are a victim of this type of email scam you may want to file a complaint with IC3.gov.