Thieves Grab Millions Through Business Email Compromise
Los Angeles Deputy District Attorney warns auto dealers of this growing cyber crime
Today’s cyber criminals have identified the weakest link—and it’s not a flaw in your computer system. It is human beings.
They’ve found that people provide the easiest point of entry into our companies. And they’re using that against us through business email compromise.
Business email compromise (BEC) costs businesses more than $500 million annually in Los Angeles County alone, according to William Pfaff, Deputy District Attorney.
It’s difficult to trace and prosecute, making it a low-risk crime, Pfaff recently told local auto dealers at a Chase Auto event.
BEC is deceptively simple—here’s how it happens
Social engineering is at the core of BEC.
Typically, a criminal will impersonate a key person in the company, such as a general manager or chief financial officer, and send a fraudulent email to an employee with a straightforward request.
The employee, believing the email is legitimate, takes the action requested, most often wiring funds to another account.
“These guys do their research, targeting companies that regularly transfer funds. Then they’ll find the boss and the employee who fit the bill,” says Pfaff. “They’ll wait until the boss is on vacation—using social media for clues—and send the message.”
The employee typically doesn’t want to question the directive, so they’ll comply. And within minutes the funds are lost.
Tips to prevent BEC
Pfaff recommends four easy ways to ward off BEC:
1) Be careful with your own internet footprint and encourage your employees to think about what they’re sharing online about their roles at work and their personal lives.
2) Be sure your team knows to be wary of emails with instructions to do something—especially if the instructions come from someone senior who they don’t typically hear from.
3) Use a multi-factor authentication approach and implement a process with your employees that requires a voice confirmation before funds are transferred. A simple phone call goes a long way toward adding security.
4) If your business is victimized, contact your bank and local law enforcement immediately. It will increase the likelihood of recovering funds and of a successful investigation and prosecution.