Tips to Protect Your Company from Email Fraud
Business email attacks are more pervasive and sophisticated than ever. The growing threat of a “business email compromise” (BEC) has prompted FBI alerts and leaves tech companies of all sizes at risk of catastrophic losses.
Cybercriminals have perfected social engineering emails that trick even the most vigilant employees into being duped. The number of companies falling victim to BEC scams and the associated losses have been skyrocketing year over year.
"The FBI issued a public service announcement to help combat BEC"
To size up the number of incidents, the FBI reported more than 40,000 BEC incidents – resulting in $5.3 billion in losses – between 2013 and 2016. Last year, the FBI issued a public service announcement to help combat BEC. Despite efforts from law enforcement agencies, BEC attacks are projected to exceed $9 billion in 2018.
Your company may be vulnerable
This form of email fraud is deceptively simple. The intent of the scam is to prey on the convenience of email and the goodwill of your employees who think they may be doing the right thing but fall right into the fraudster’s trap. Typically, BEC is triggered by a fraudulent email sent to your company’s payments team. It appears to be sent from a legitimate contractor, supplier, creditor or even a senior executive at your company.
Examples of what to watch for:
- The email appears to come from a high-ranking executive, even the CEO, at your company asking that an urgent payment be made. This is often accompanied by a request for secrecy and directs the recipient not to discuss the matter with anyone else.
- An email or forged letter arrives from a supplier advising that its account numbers have changed, and instructs all future payments be sent to the new account.
It can be difficult to detect this type of fraud since cybercriminals make it appear that the email is from a known contact, also known as “spoofing”. Fraudsters may even hack into the actual email account of the sender to make the fake request.
Cybercriminals are continually adapting their tactics to circumvent outdated technologies and exploit vulnerable processes and untrained employees. The FBI says that scammers may spend weeks or months studying an organization’s vendors, billing systems, and your executives’ email communications style. They have even tracked executives’ travel schedules, with the expectation that an employee won’t easily be able to confirm a request with someone on the road.
Checklist – How to protect yourself
- Increase employee training and awareness is the number one thing you can do to prevent becoming a victim.
- Make your payments team and others who process client requests aware of BEC. They are your first line of defense.
- Verify the authenticity of a wire request directly with the person who appears to be making the request, either in person or by phone.
- Don’t reply directly to the email.
- Use a trusted phone number. Don’t use any numbers or other contact information included in the email.
- Be wary if the request contains language such as “urgent, immediately, HIGHLY sensitive” – especially if that language is out of the norm.
- Create an email rule to flag email communications where the “reply” email address is different from the “from” email address.
- Verify changes in vendor payment location by adding “dual-control”, such as a secondary sign-off process.
Silicon Valley Bank offers preventive tools, services, and guidance to help you mitigate your risk of BEC and other kinds of fraud. Visit our Fraud Prevention Center to learn more.
Finally, always alert your SVB representative if you think you may be a victim of BEC or other types of fraud.