By Maitjian Welke, Founder & Owner, CMIT Solutions
In late January, the FBI and the Internet Crime Complaint Center released a public service announcement about the recent proliferation of Business Email Compromise (BEC). Defined by the FBI as a “sophisticated global scam targeting small to large businesses,” BECs affected more than 2,000 victims worldwide in 2014, while inflicting upwards of $200 million in fraudulent losses. The FBI added that “with high confidence” they expect “the number of victims and the total dollar loss will continue to increase.”
What’s scariest about the particular strain of Business Email Compromise the FBI identified last year is how meticulously it was undertaken: cybercriminals would reportedly “monitor and study” their selected victims prior to initiating the scam. Then, they would send phishing or ransomware requests that would allow the email accounts of high-level business executives or accounting personnel to be hacked or spoofed; those accounts would then send out legitimate-looking requests for immediate wire transfer to suppliers and other associates.
The FBI identified several other common characteristics of Business Email Compromise to watch out for:
- Businesses and personnel using open-source email face the biggest threat
- Besides executives, individuals responsible for financials are most targeted
- Spoofed emails very closely mimic a legitimate email address
- Personal email accounts get hacked more than business addresses
- Fraudulent requests for money transfers are well-worded and specific to the business being victimized, including asking for appropriate dollar amounts
- Fraudulent messages often coincided with business travel dates for executives whose emails were spoofed
So what can you do to protect yourself and your business? Here are 5 strategies that CMIT Solutions recommends:
Meticulously check addresses, subject lines, and body copies for any discrepancies
A fraudulent email account may be only one letter off from a legitimate one — or a single word may be spelled wrong in the email message itself. Either way, noticing from the get-go may save a lot of trouble.
Validate ANY link in ANY unfamiliar email before clicking on it
Hover over or right click all links and look for a legitimate URL that matches the one the email came from — not long strings of jumbled numbers or letters. All it takes is one click on one bad link by one employee to compromise the data of your entire company.
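The two checks above (a sender address one letter off from the real domain, and links whose host does not match the domain the email came from) can be automated at the mail gateway. The script below is an added example, not code from CMIT Solutions or the FBI; it assumes a company domain of example-corp.com (placeholder) and runs against a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAIN = "example-corp.com"  # assumed company domain (placeholder)

# Constructed sample: sender domain is one character off, Reply-To points
# elsewhere, and the link host only begins with the lookalike domain.
SAMPLE = """From: "Jane Doe, CFO" <jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail-relay.example
Subject: Urgent wire transfer
Content-Type: text/plain

Please process today: http://login.example-c0rp.com.attacker.example/pay
"""

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch domains that are a letter or two off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_message(raw: str, legit_domain: str = LEGIT_DOMAIN) -> list:
    """Return human-readable findings for the BEC red flags in the article."""
    msg = message_from_string(raw)
    findings = []
    sender = domain_of(msg.get("From", ""))
    dist = levenshtein(sender, legit_domain)
    if sender != legit_domain and dist <= 2:
        findings.append(f"lookalike sender domain {sender!r} ({dist} edit(s) from {legit_domain!r})")
    reply_to = domain_of(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to!r} differs from sender {sender!r}")
    body = ""
    for part in msg.walk():  # handles both single-part and multipart bodies
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            body += payload.decode(errors="replace") if payload else ""
    for host in re.findall(r"https?://([^/\s\"'>]+)", body):
        host = host.lower().split(":")[0]  # drop any port
        if host != sender and not host.endswith("." + sender):
            findings.append(f"link host {host!r} does not match sender domain {sender!r}")
    return findings
```

Each finding is one of the discrepancies the article tells staff to look for; an empty list means none of the three checks fired.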
Do not open ANY email or attachment from ANY sender you don’t recognize
Last year’s CryptoLocker virus spread primarily through malicious PDFs, audio files, and other attachments that computer users unwittingly clicked on. If you don’t know the sender and aren’t expecting a file, don’t click on it!
Avoid using free, web-based email for business purposes
Establish a company website domain and use connected email accounts for all communications. Also, strongly consider a proactive monitoring solution, which should conduct regular malware scans and daily antivirus updates.
Mark any unsolicited email as spam or junk
If you have a strong firewall or monitoring solution backed by strong IT support, flagging suspicious-looking emails will help filter out future spam — and possibly alert security experts to spoofed or hacked accounts.