Scammers rely on busy work days and busy bosses when they blast off emails, hoping to bilk businesses and other organizations out of everything from gift cards to cash.
Since 2016, these emails, known as business email compromise (BEC), have caused $3 billion in losses and another $23 billion in attempted losses, and, according to the Federal Bureau of Investigation, account for more loss than any other type of fraud in the U.S.
BEC is an email phishing scam that typically targets the employees who pay bills in businesses, government and nonprofit organizations. The emails, crafted to look legitimate and to come from a trusted source, direct those employees to send money that is supposedly for administrators, partners, customers, employees or home buyers, but the bank account it lands in is actually controlled by the scammer.
The scam has become so widespread that the Better Business Bureau conducted a special investigative study, “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise (BEC) Scams,” released earlier this month.
The 12-page study defines the components of BEC scams and describes how they work and the primary entities carrying them out. It outlines how businesses and organizations can avoid scams and respond when one occurs. And it includes several pullout boxes with stories from a chief executive officer, realtor and local business.
As the study reports, BEC fraud is a serious problem: it has tripled over the last three years, and the first three months of this year saw a 50 percent increase over the same period in 2017. To put it in perspective, 80 percent of businesses received at least one of these emails in 2018. The success rate, though, is low; Agari, an email security solutions provider, puts it at one success for every 300 attempts. Even so, the scammers still make money.
To thwart scammers, businesses need to improve internet security and increase general awareness. They are advised to invest in IT precautions and cybersecurity to prevent phishing emails and train staff on how to recognize and avoid responding to them.
The BBB study provides several recommendations, including:
- IT and Technical Precautions: Require multifactor authentication, such as sending a text message with a log-in code. Change email settings to flag emails with warnings when they come from outside an organization. And limit the number of incorrect logins before an administrator needs to be contacted.
- Culture/Training: Confirm requests by phone or in person before sending money or completing a transaction; confirming by email or text alone is not enough, since the scammer may control those channels. Verify any changes to customer, employee and vendor information, such as new bank details, because fraudsters alter these records to redirect payments.
- Insurance/Malpractice: Purchase cyber insurance, though most policies exclude coverage for social engineering losses. Riders that cover social engineering are available at an extra cost.
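The external-sender warning and the out-of-band verification advice above, as an added example that is not part of the BBB study: a small mail-gateway check, written here in Python, that tags inbound messages as external and, when the display name matches an executive but the address is outside the organization, tells the recipient to verify by phone. The internal domain and the executive names are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed organization settings for this example (not from the study).
INTERNAL_DOMAINS = {"example.com"}
# Display names of executives who are common impersonation targets (constructed).
PROTECTED_NAMES = {"jane doe", "john smith"}


def classify_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and decide which warnings to attach.

    Flags produced:
      external       - the From: address is not in an internal domain
      exec_spoof     - display name matches a protected executive but the
                       address is external (the "is this really the boss?" lure)
      reply_mismatch - Reply-To domain differs from the From domain, which
                       steers replies to an account the sender controls
    Returns the flags and the subject line with warning tags prepended.
    """
    msg = email.message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []
    if from_domain not in INTERNAL_DOMAINS:
        flags.append("external")
        if display_name.strip().lower() in PROTECTED_NAMES:
            flags.append("exec_spoof")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_addr and reply_domain != from_domain:
        flags.append("reply_mismatch")
    tag = ""
    if "external" in flags:
        tag += "[EXTERNAL] "
    if "exec_spoof" in flags or "reply_mismatch" in flags:
        tag += "[VERIFY BY PHONE] "  # out-of-band confirmation before any payment
    return {"flags": flags, "subject": tag + msg.get("Subject", "")}


# Constructed sample messages: a lookalike "boss" email and a genuine internal one.
SPOOF = """From: Jane Doe <jane.doe@exmple-mail.net>
Reply-To: jane.doe@webmail-example.net
To: ap@example.com
Subject: Urgent wire today

Please process the attached invoice before noon.
"""
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget

Draft attached.
"""
```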