Business email compromise (BEC) scams are on the rise; researchers at TD Bank say that BEC scams are the most common fraud method. The FBI says BEC scams are a "serious threat on a global scale" and reported that, between January 2015 and December 2016, BEC scams skyrocketed by 2,370 percent.
The headlines seem to support this. Just this month, one of the richest men in Australia lost $1 million after his assistant was fooled by an email address that differed from his by a single character. A Nigerian man was sentenced to three years and five months in prison by a Manhattan District judge for his role in defrauding businesses of more than $25 million via BEC scams. And hitting closer to home for us lawyers: a real estate lawyer in British Columbia lost $1 million after following what he thought were client email instructions to transfer funds overseas.
For online fraudsters, small firms and solo practitioners are low-hanging fruit, often poorly protected from cyber threats and scam artists. In this practice point, we outline the common BEC tactics and how not to be taken in.
Common BEC Tactics
Spoofing emails/websites. Fraudsters will vary legitimate email addresses and websites slightly to fool people into thinking they are authentic and make a request for transfer of funds. This is exactly what happened to the Australian multi-millionaire as well as the lawyer from BC. The method is frequently called "CEO spoofing" as a perpetrator will often pretend to be the CEO/CFO and instruct the accountant to release funds.
Spear-phishing. These are bogus emails crafted to appear to come from a trusted sender in order to fool victims into revealing confidential information, such as account numbers or credit card details. They can look very legitimate, asking you to fill out a survey, or pretending to be from a bank or other well-known institution advising you of a problem with your account.
Malware. Malicious software that allows undetected access to a victim's data, including passwords and financial account information. It can also be used to study an organization's billing systems, vendors, and even the executives' style of communication or travel schedule in order to pick the right time to send a spoofing email.
What can you do to protect your firm? Here are some tips we've collected from various experts:
• If you're transferring funds abroad, make sure it is to the right party.
• Be vigilant when participating in LinkedIn networks (where your email address and profile are readily viewable).
• Educate staff not to open infected PDF or Word attachments in emails and be cautious of what is being inserted into computer drives.
• Colour code or flag when emails are sent from an external email address.
• Have face-to-face or voice-to-voice communications to confirm payment requests, especially when requests arrive by email claiming to be from a company executive or are out of the ordinary (such as requests for an urgent fund transfer).
• Flag email communications where the "reply" email address is different from the "from" email address shown.
• Use longer, more complex passwords and never reuse passwords for multiple accounts.
• Back up your data regularly, and make sure you have at least three different copies in separate locations.
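Three of the checks above (flagging external senders, flagging a "Reply-To" that differs from the "From" address, and catching a sender domain that is one character off from a trusted one, as in the Australian and BC cases) can be automated on incoming mail. The following is an added example written for this practice point, not code from the original article or from any vendor; the trusted-domain list, the sample messages, and the urgency keywords are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Hypothetical list of domains the firm owns or deals with regularly (constructed).
TRUSTED_DOMAINS = {"example-law.ca", "clientco.com"}

# Words in a subject line that commonly accompany fraudulent transfer requests (constructed).
URGENCY_TERMS = ("urgent", "wire transfer", "immediately")


def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if the header is missing."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 catches 'example-1aw.ca' vs 'example-law.ca'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def flag_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of warning flags for one raw RFC 822 message (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    subject = (msg["Subject"] or "").lower()
    flags = []

    # Tip: colour code or flag mail from outside the firm's own domains.
    if sender and sender not in trusted:
        flags.append("external-sender")

    # Tip: flag mail whose reply address differs from the displayed sender.
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")

    # Tip: a sender domain one character away from a trusted one is a classic spoof.
    if sender and sender not in trusted:
        for t in sorted(trusted):
            if edit_distance(sender, t) <= 1:
                flags.append(f"lookalike-of:{t}")
                break

    # Tip: urgent transfer language is a cue to confirm by phone or in person.
    if any(term in subject for term in URGENCY_TERMS):
        flags.append("urgency-language")

    return flags


# Constructed sample messages (not real correspondence).
SAMPLE_LEGIT = """\
From: Jane Partner <jane@example-law.ca>
To: accounts@example-law.ca
Subject: Agenda for Monday

Please see the attached agenda.
"""

SAMPLE_LOOKALIKE = """\
From: Jane Partner <jane@example-1aw.ca>
To: accounts@example-law.ca
Subject: URGENT: wire transfer needed today

I am travelling; please send the funds to the account below.
"""

SAMPLE_REPLY_TO = """\
From: Managing Partner <mp@example-law.ca>
Reply-To: mp.example-law@webmail.example
To: accounts@example-law.ca
Subject: Re: invoice

Reply here, my office mail is down.
"""

if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLY_TO)):
        print(name, flag_message(raw))
```

Running the block prints one line per sample: the legitimate message gets no flags, the lookalike domain trips the external, lookalike and urgency checks, and the third message is flagged only for its mismatched Reply-To. A mail filter would use these flags to add a visible banner rather than to block, so that the person handling the request still makes the phone call the article recommends.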