Identity theft is now a major risk for corporations – not just individuals like you and me. The F.B.I. has recognized what are commonly called “business email compromises” (BEC) as among the most sophisticated financial frauds. Last year, the agency highlighted BECs as an “emerging global threat.”
What Are Business Email Compromises?
In short, they’re scams. You receive what appears to be an authentic internal email from a senior executive or administrator requesting a wire transfer of large sums of money. As of February 2016, more than 7,000 United States companies had been victimized by similar fraud schemes, with losses estimated at more than $740 million.
Why Are Scammers So Effective at BEC?
Scammers target large companies and corporations with requests, made to look as if they come from within the company, to wire large amounts of funds. The fraud occurs when internal officers’ accounts are hacked and the hacker assumes their identity. The scammers are extremely sophisticated: they research company logos, executives, their email accounts and even their personal schedules to find out when they’re out of the country. The scammer then communicates with another employee and deceives them into confirming or implementing the wire transfer.
What Types of Requests Should Raise Suspicions?
Be aware of the following types of emails:
- Requests for amounts that are unusual for your practice, either too low or too high
- Requests to new or unknown beneficiaries / recipients
- Unexpected changes or alterations in established client information or payment details
- Unexpected changes or alterations in established internal protocols and procedures
8 Ways to Lower Your Risk of BEC Fraud Schemes
The F.B.I. has noted the following factors that keep your risk lower and your awareness and security heightened:
- Verify changes in vendor payment location and confirm requests for transfer of funds.
- Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personnel information to social media and company websites.
- Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- Create intrusion detection system rules that flag emails with extensions that are similar to company email but not exactly the same. For example, .co instead of .com.
- If possible, register all Internet domains that are slightly different from the actual company domain.
- Know the habits of your customers, including the reason, detail and amount of payments. Beware of any significant changes.
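The detection rule from the list above (flag sender domains that are similar to the company domain but not exactly the same, such as .co instead of .com), written out as an added example; it is not code from the original article or from the F.B.I. The domain `example.com`, the sample headers and the edit-distance threshold of 2 are assumptions, and the check goes beyond the .co/.com case to also catch near-miss spellings of the domain.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: placeholder for your real domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, company: str = COMPANY_DOMAIN,
                    max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "external"
    # Assumption: subdomains of the company domain count as internal.
    if domain == company or domain.endswith("." + company):
        return "internal"
    name, _, tld = domain.rpartition(".")
    c_name, _, c_tld = company.rpartition(".")
    # Same name under a different extension, e.g. .co instead of .com
    if name == c_name and tld != c_tld:
        return "lookalike"
    # Near-miss spelling of the whole domain (swapped, dropped or added characters)
    if edit_distance(domain, company) <= max_dist:
        return "lookalike"
    return "external"


def flag_lookalikes(headers):
    """Return the From: headers whose domain imitates the company domain."""
    return [h for h in headers if classify_sender(h) == "lookalike"]


# Constructed sample headers, not taken from any real incident
SAMPLES = ["CEO <ceo@example.com>", "CEO <ceo@example.co>",
           "CFO <cfo@examp1e.com>", "Billing <billing@vendor.net>"]

if __name__ == "__main__":
    for header in flag_lookalikes(SAMPLES):
        print("FLAG:", header)
```

This inspects only the From: header; a mail gateway rule would normally apply the same comparison to the Reply-To and envelope sender as well.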
While most of the members of your information technology team likely know these rules, ensure that your entire company is educated on them as well. Remind your organization to change their passwords often and teach them which password types are the most secure.