FBI Warning: What you don’t know about cloud-based email fraud can hurt you

A new variation of the “Business Email Compromise” (BEC) scam, cloud-based email account takeover, is becoming a threat to companies of all sizes. Since many companies have made the switch to cloud-based email, and with many more planning to do so in the near future, fraudsters have begun targeting these services via methods such as phishing emails, credential stuffing, stolen passwords, and brute-force attacks.

The cybersecurity landscape is continually evolving, and fraudsters are constantly devising new tricks to defraud businesses. Last year, I wrote an article detailing BEC fraud, which exposes companies to great financial risk. If you haven’t already, you can familiarize yourself with the article here. Additionally, we recommend you read the updated FBI Public Service Announcement on BEC released on September 10, 2019, by the Internet Crime Complaint Center (IC3), a division of the Federal Bureau of Investigation (FBI).

What Do Fraudsters Do Once They Have Access?

Fraudsters may steal your company’s confidential information or compromise the integrity of your customers’ information. Additionally, fraudsters may:
  • Read your incoming and outgoing emails.
  • Learn when you and your employees are out of the office.
  • Learn how your company communicates via email for the purposes of imitation.
  • Request fraudulent electronic payments (e.g., wires, ACHs) to their own account.
  • Instruct your customers to send payments to their own account instead of yours.
  • Install malware on your computers.
  • Alter your email mailbox rules so that you are unable to detect their activity.
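
The last item above, altered mailbox rules, is something a defender can check for on a schedule. The following is an added example, not part of the original article: it reviews a constructed export of mailbox rules and flags rules that forward mail outside the company or hide payment-related messages. The rule format, field names, domain, keyword list, and folder list are all assumptions made for illustration.

```python
# Constructed sample export of mailbox rules. The field names are hypothetical
# and do not follow any mail provider's real schema.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "Newsletters",
     "conditions": {"subject_or_body_contains": ["newsletter"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"mailbox": "ap@example.com", "name": ".",
     "conditions": {"subject_or_body_contains": ["Invoice", "wire transfer"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_read": True}},
    {"mailbox": "cfo@example.com", "name": "sync", "conditions": {},
     "actions": {"forward_to": ["cfo.backup@mail.example.net"]}},
    {"mailbox": "cfo@example.com", "name": "Team copy", "conditions": {},
     "actions": {"forward_to": ["assistant@example.com"]}},
]

INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own mail domains
WATCH_WORDS = {"invoice", "payment", "wire", "ach", "bank", "password", "security"}
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}  # assumed list

def audit_rule(rule):
    """Return the reasons a single mailbox rule deserves manual review."""
    reasons = []
    actions = rule.get("actions", {})
    cond = rule.get("conditions", {})
    # Forwarding to an address whose domain is not one of ours.
    external = [a for a in actions.get("forward_to", [])
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards mail outside the company: " + ", ".join(external))
    # Actions that keep a message out of the owner's sight.
    hides = bool(actions.get("delete") or actions.get("mark_read")
                 or (actions.get("move_to_folder") or "").lower() in HIDING_FOLDERS)
    tokens = {t for c in cond.get("subject_or_body_contains", [])
              for t in c.lower().split()}
    hits = sorted(tokens & WATCH_WORDS)
    if hides and hits:
        reasons.append("hides messages mentioning: " + ", ".join(hits))
    if hides and not cond:
        reasons.append("hides all incoming mail (no conditions)")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to reasons, for rules with at least one finding."""
    findings = {}
    for r in rules:
        reasons = audit_rule(r)
        if reasons:
            findings[(r["mailbox"], r["name"])] = reasons
    return findings
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise.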

How Can You Protect Your Company from Email Account Takeover?

Companies that implement the following safeguards have been found to dramatically lower their risk of falling victim to cloud-based account takeover.
  1. Utilize Multi-Factor Authentication when logging in from outside the company’s network. Passwords alone are no longer enough security. Requiring users to utilize tokens or biometrics during the login process greatly strengthens security.
  2. Use a unique username and password for company accounts that aren’t used anywhere else. If this information becomes compromised at other sites, fraudsters will often attempt to use the same usernames and passwords to log in to other locations.
  3. Train staff to be wary of phishing emails and emails coming from people they know that suddenly display differences in writing styles. Some company IT departments even send out periodic “practice” emails to their employees to make sure employees are properly detecting red flags.
  4. Look out for suspicious links or attachments. Fraudsters may embed malicious software, or malware, in links and attachments that will infect the victim’s system.
  5. Utilize IBM® Security Trusteer Rapport®. This software works alongside your antivirus software to help keep your system secure.
  6. Limit administrative rights to those who need them. It is recommended to set up controls so that no single individual can affect all stages of a payment transaction and so that no employee has more access than the minimum they’ll need to properly perform their job function.
  7. Keep an archive outside the email server of all incoming and outgoing emails. This will make it easier to detect fraudulent emails if they occur. Additionally, set up alerts for interruption in email archiving so that you will know if unauthorized changes are made.

How Should You Respond If You’ve Been Attacked?

SVB recommends the following steps be taken if your business suffers an attack:
  • Contact your SVB Relationship Advisor immediately if you suspect unusual activity occurred on your SVB account.
  • Shut down or disable access to the compromised account until it is secured with a new, secure password. In the meantime, ensure that a secure email account is listed on your SVB profile.
  • As needed, consider hiring outside help with forensic investigations.
  • Determine whether sensitive company data was exposed.
  • Determine whether client information was exposed. If so, you may be required to notify them of the breach under federal or state law.
  • Ensure your system is free from malware and viruses and that your protection software is up to date.
  • Notify appropriate law enforcement agencies such as IC3 and/or your local FBI field office.

Silicon Valley Bank offers preventative tools, services, and guidance to help you mitigate your risk of fraud. Visit our Fraud Prevention Center to learn more. Be sure to view SVB’s Fraud Prevention Webcast, Understanding the Threat from Within: Internal Fraud, which also touches on this very important topic and addresses additional fraud prevention measures.
©2019 SVB Financial Group. All rights reserved. SVB, SVB FINANCIAL GROUP, SILICON VALLEY BANK, MAKE NEXT HAPPEN NOW and the chevron device are trademarks of SVB Financial Group, used under license. Silicon Valley Bank is a member of the FDIC and of the Federal Reserve System. Silicon Valley Bank is the California bank subsidiary of SVB Financial Group (Nasdaq: SIVB).

This material is provided for informational purposes only. The conclusions, ideas and recommendations shared in this article should not be seen or used as a substitute for your own company's fraud detection and prevention programs, or with obtaining your own independent assessment of such programs. The security of your operating system and your procedures for conducting banking transactions with us remains your responsibility. Silicon Valley Bank is not responsible for any cost, claim or loss associated with your use of this material.

The Internet Crime Complaint Center (IC3), a division of the Federal Bureau of Investigation (FBI) and IBM are independent third-parties not affiliated with SVB Financial Group.

IBM Security Trusteer Rapport® is an IBM software product offered by Silicon Valley Bank. IBM is solely responsible for the performance and maintenance of its product, as well as for related customer service and support.


About the Author

Rob is SVB's Deputy Bank Secrecy Act (BSA) Officer, responsible for fraud and anti-money laundering investigations. He has spent more than 20 years in banking focused on risk management, information technology, and decision science. Prior to joining SVB, Rob served as the manager of operations for Financial Crimes Investigations with Wells Fargo Bank.