Business Email Compromise Schemes
By posing as high level executives, phishers have stolen millions of dollars from organizations large and small through Business Email Compromise (BEC) schemes.
A BEC scheme typically targets companies working with foreign suppliers and companies that regularly perform wire transfers.
To avoid spam filters, the emails in BEC schemes are not mass-emailed. Instead, they are sent to only a few employees, usually those who regularly perform wire transfers, such as CFOs, financial directors, or accountants.
BEC phishers conduct extensive research to make their emails more believable. They will try to determine who initiates wires, who requests them, and when they typically occur. They may even find out your company’s financial processes. Then, they wait for the perfect opportunity, like a change in leadership in the finance department or a CEO traveling overseas. BEC phishers typically instruct their targets to act quickly or in confidence when transferring funds.
BEC phishing emails often use spoofed email addresses, authentic-looking signatures, and logos to look more credible. Even if the message looks like it was sent by someone in your organization or a known vendor, it may not be legitimate. Many BEC phishing emails don’t include links or attachments. Instead, these attacks begin with a short email, sometimes called a “knock-knock” email, that simply engages the target in conversation. If the target responds, the attacker continues to manipulate the target until they transfer the requested funds or hand over confidential information. BEC attackers also request last-minute changes to existing wires, hoping that you will not verify the request and that the wire will be transmitted as they ask.
Even if you receive an email that looks legitimate, you should still use caution. Keep these three tips in mind when you receive an email requesting a new wire or change to an existing wire transfer.
- Be skeptical of urgent requests (new wires or changes to existing wires) that do not follow typical company procedures and policies.
- Always VERBALLY verify emails requesting a new wire and/or changes to an existing wire with a quick phone call to a known number.
- Look at the domain name. Although some phishers spoof a company’s email address, other phishers register domains that are slightly different than the real domain. For example, if the target company’s domain was “@example.com”, the phishers may register “@exemple.com” or “@example.co”.
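The domain check above, together with the spoofing and reply-manipulation described earlier, can be partly automated as a first triage step before a request ever reaches the person who approves wires. The following is an added example written for this page, not code from the original article. It assumes a company domain of `example.com` and a constructed list of executive names, and it flags three things: a sender domain that is a close lookalike of the company domain (for example `exemple.com` or `example.co`), a `Reply-To` address whose domain differs from the `From` address, and a known executive's display name paired with an external address.

```python
import email
from email.utils import parseaddr

# Assumptions (constructed for this example, not taken from the article):
# the organization's own domain and the executives most likely to be impersonated.
COMPANY_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {"jane doe", "john smith"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_lookalike_domain(domain: str, company: str = COMPANY_DOMAIN, max_distance: int = 2) -> bool:
    """True when the domain is not the company domain but is within a few edits of it.
    This catches the 'exemple.com' / 'example.co' style registrations the article describes."""
    domain = domain.lower()
    if not domain or domain == company:
        return False
    return levenshtein(domain, company) <= max_distance


def analyze_message(raw: str) -> list:
    """Return a list of human-readable findings for a raw RFC 822 message string."""
    msg = email.message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if is_lookalike_domain(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")

    # A Reply-To pointing somewhere other than the visible sender is a common way
    # to steer the conversation to an attacker-controlled mailbox.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        rt_domain = domain_of(rt_addr)
        if rt_domain != from_domain:
            findings.append(f"Reply-To domain {rt_domain} differs from From domain {from_domain}")
        if is_lookalike_domain(rt_domain):
            findings.append(f"lookalike Reply-To domain: {rt_domain}")

    # A familiar executive name on a non-company address is a classic impersonation tell.
    if from_name.strip().lower() in KNOWN_EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{from_name}' used with external domain {from_domain}")

    return findings


# Constructed sample messages for demonstration.
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@exemple.com>
To: accounts@example.com
Subject: Urgent wire - confidential

Please process the attached wire today and keep this between us.
"""

SAMPLE_REPLY_TO = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@example.co
To: accounts@example.com
Subject: Change to vendor bank details

Please use the new account details below for the pending payment.
"""

SAMPLE_LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Quarterly report

Attached is the quarterly report for review.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE),
                          ("reply-to", SAMPLE_REPLY_TO),
                          ("legitimate", SAMPLE_LEGITIMATE)]:
        print(label, "->", analyze_message(sample) or ["no findings"])
```

A finding from this script is a reason to pick up the phone, not a verdict: a genuine vendor can have a legitimately different Reply-To, and an attacker who has compromised a real mailbox will pass every one of these checks, which is why the verbal verification step above remains the control that matters.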
If anything seems suspicious, don’t take the bait. It’s best to be certain before initiating a wire transfer. Also, be sure to report all phishing incidents related to wire transfers to firstname.lastname@example.org.