Oregon FBI Tech Tuesday: Building a Digital Defense Against Business Email Compromise—Report Immediately
Welcome to the Oregon FBI’s Tech Tuesday segment. This week: building a digital defense against what’s called the Business Email Compromise Scam.
We’ve talked about this kind of scheme before. The traditional scam starts with Company A, Company B, and the fraudster who jumps in between the two. The scammer uses an email address almost identical to the one used by a business executive at Company A as he communicates with a vendor or customer at Company B. The scammer is trying to convince Company B to route a payment into the scammer’s personal bank account instead of the Company A account. Usually the businesses have a long-standing relationship, and a request to have a big-dollar invoice paid by wire transfer doesn’t raise any flags.
In some cases, the bad guy actually hacks into the email account of the CEO or CFO at a victim company. This allows him to get in to read, receive, or send emails at will. As an added twist, he can set rules within the email account to automatically forward to himself any email that includes a particular keyword or is from a particular sender. The emails pass through the legitimate executive’s account in a virtual sense—but that executive may never even see them as they get deleted from his inbox immediately.
One of the biggest problems that we in law enforcement face in stopping these crimes is that people don’t report when they do realize they are victims—or they wait several weeks to report it. This time lag allows the bad guys to move and hide the money overseas before we even have a chance to stop the transaction through the banks.
So what can businesses do? Here are a few options:
- Avoid free web-based email accounts. Establish a company domain name and use it to create formal email addresses for your employees.
- Check the “rules” setting on your account periodically to ensure that no one has set up auto-forwarding for your emails.
- Be careful what you post to social media and your company website, especially information about who has which specific job duties. Also be cautious about using out-of-office replies that give too much detail about when your executives are out of the mix.
- Require two-factor verification for money transfers, particularly big ones. For example—you could require a telephone call to confirm significant wire transfers. Be sure to set up this protocol early in the business relationship and outside the email environment. When the fraudster hacks your email account, you don’t want him to be able to see how to evade your security protocols.
- Also, require your employees to use two-factor authentication to access corporate email accounts. They would need two pieces of information to log-in… something they know (such as a password) and something they have (such as a dynamic PIN that changes constantly).
- When confirming money transfer requests, don’t rely on phone numbers or email addresses embedded in the request. Look up the number from an external source when calling.
- Train your employees to watch for suspicious requests, such as a change in a vendor’s payment location.
- Train your employees to avoid clicking on links or attachments from unknown senders. Doing so could download malware onto your company’s computers, making you vulnerable to a hack.
If you have been victimized by this scam or any other online scam, contact the FBI immediately. You can file an online report at the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your FBI local office.