As the leader of one of the nation’s only law enforcement units dedicated to business identity theft, I believe that crime is one of the biggest, and least known, problems facing American business people today. But that’s hardly the only big and unrecognized problem they face.
In addition to business identity theft, my unit in Colorado also investigates incidents of business e-mail compromise, a devastating crime that has cost U.S. victims $10.1 billion from October 2013 through July 2019, according to the FBI.
Not only is business identity theft a way for fraudsters to compromise you and your business’s good name, but fraudsters also target your business with business e-mail compromise. This pervasive scam in America today takes advantage of hard-working business folks trying to do a lot of things at once, including being attentive to their customers and the flow of their business. Thanks to the Internet and the widespread availability of critical, identifying information about businesses these scammers are poised to take advantage of enterprises across the country.
Please join me as I walk through the specifics of this crime and how to protect your business from it.
What is business e-mail compromise?
Business e-mail compromise is a sophisticated scam targeting businesses that regularly perform wire transfer payments. Cybercriminals who engage in these kinds of scams use phishing tactics to inject malware, spoof e-mail addresses or even send counterfeit vendor invoices via fax or email attachment. In all circumstances, however, the criminals contact a business’s employee and pretend to be a trusted source: A vendor, a customer, a home seller, a title company, another employee or even your boss.
Then the fraudsters move in for the kill. Through charm and information they’ve gleaned about your business, they convince your employee to change where your company wires money, almost always to a bank account they secretly control.
Now, with the destination bank account under the fraudsters control, they simply wait for the next time your business wires money to the vendor or customer the cybercriminals were impersonating. The funds from the transaction are then quickly dispersed to cash, or wired to other bank accounts inside and outside the country. The fraudsters then disappear with your money, leaving you with a huge loss while your vendor or customer is still owed funds.
Scams like this are particularly devastating to mom-and-pop establishments, because once the money is gone, it’s gone, with little to no recourse. From what I’ve seen, the reported losses from this kind of crime are quite high. In addition, these criminals hide behind the anonymity of the Internet and, for the most part, reach out and commit this crime from other countries. This makes it very difficult for law enforcement to track them down and bring them to justice.
But you should also know this: The available figures don’t even come close to capturing the full losses because companies rarely report being a victim of this kind of crime.
How do criminals trick employees in changing where money is wired?
By using the Internet to do their homework on your business. These criminals scour social media accounts and company websites, capturing information about your business and its relationships to others. This not only helps them pick a worthy target, but also gives them a convincing amount of information to impersonate a person or a business you already work with.
Fraudsters who engage in these kinds of scams are counting on their targets being busy and not taking the time to verify the identity of the person they’re corresponding with.
They figure if they can seem enough like someone your business already works with that your employee will change the bank account information without a second thought and move on with their day.
Sadly, I’ve seen this kind of trickery work all too often. And it’s not because employees are inept. It’s because these criminals are very good con artists, applying and using the wealth of information available about your business online.
Who is vulnerable?
Any business that engages in wire transfer payments is potentially a target, although certain kinds of businesses are particularly appealing to criminals:
- Title companies or any businesses that engage in a lot of real estate transactions
- Law offices
- Accounting or bookkeeping firms
- Government entities at the city, county or state levels that routinely deal with vendors
As the name implies, business e-mail compromise typically involves employees being contacted via e-mail – but not always. Cybercriminals may try to convince your employees to change bank account information via fax or even a phone call.
Any employee of your business can be targeted, but in my experience fraudsters sometimes like individuals who work in human resources or within the finance disbursement offices.
Also, don’t think scammers will only contact your employees through their business e-mail accounts. Through their online research, these cybercriminals often figure out employees’ personal e-mail addresses and contact them there as well.
What can I do to protect my business?
Protecting your company is not complicated – but, I’ll be honest, it takes work and education, education, education. The two key things you must do is train your staff about the warning signs of business e-mail compromise and establish policies about the circumstances under which you will permit employees to change bank account information.
The most important thing you can train your employees to do is slow down when they receive a request to change where your business wires money. Make them aware of how easy it is for cybercriminals to trick you. Typically such criminals make their requests from e-mail addresses that closely resemble the legitimate e-mail addresses of your trusted sources, only a letter may be transposed or an underscore added.
Other common tricks are replacing lower case Ls with the No. 1 or using the letters “rn” instead of “m” or exchanging “.com” for “.net” in e-mail addresses.
The bottom line is you want to train your staff members to first verify that the request to change bank accounts is actually coming from your trusted source. That means your employees should go back to the source’s original contact information. I would recommend calling an original sourced phone number to verify this change request.
Remember: Even if you were to e-mail your trusted source, the fraudsters may have hacked his or her account.
Other warning signs your employees will want to watch out for include e-mails with strange grammar or that arrive at odd times of the day or that insist a bank account change must be made immediately.
As for your internal policies, you need to let your employees and your customers and your vendors know exactly what kind of information is required in order to request a bank account change. For example, your policy might be to accept such requests via e-mail, but they’re only acted upon after one of your employees calls the requester at a phone number on file with your business.
Whatever the case, you don’t want to have a culture in your business where such major changes can just be made without contemplation, verification and vigilance.
Finally, you’ll want to foster good security practices in your business. That means teaching your employees not to use the same password for all of their accounts and requiring two-factor authentication for e-mail addresses and wire transfers.
Be smart. It may seem incredible, but there are scores of cybercriminals out there searching for vulnerabilities in even the smallest businesses. Don’t let your company be a target.
Company Alarm is dedicated to helping business owners protect what they have worked so hard to build. Our monitoring software is designed to prevent cybercriminals from exploiting loopholes to hijack your company and assets. To sign up for this low-cost, value-added protection, click here.