Welcome to the Oregon FBI’s Tech Tuesday segment. This week: building a digital defense against a new version of the Business Email Compromise scam.
We’ve talked about this kind of scheme before. The traditional scam starts with Company A, Company B and the fraudster who jumps in between the two. The scammer uses an email address almost identical to the one used by a business executive at Company A as he communicates with a vendor or customer at Company B. The scammer is trying to convince that vendor at Company B to route a payment into the scammer’s personal bank account instead of the Company A account. Usually the businesses have a long-standing relationship, and a request to have a big dollar invoice paid by wire transfer doesn’t raise any flags.
The newer version of the scam that we are talking about today goes one step further. The scammer isn’t just pretending to be the CEO or CFO of Company A — he actually takes over that persona. He has hacked that executive’s email account, and he can get in to read, receive or send emails at will. As an added twist, he can set rules within the email account to automatically forward to himself any email that includes a particular keyword or is from a particular sender. The emails pass through the legitimate executive’s account in a virtual sense — but that executive may never even see them as they get deleted from his inbox immediately.
So what can businesses do? Here are a few options:
* Avoid free web-based email accounts. Establish a company domain name and use it to create formal email addresses for your employees.
* Check the “rules” setting on your account periodically to ensure that no one has set up auto-forwarding for your emails. Look for rules that forward or redirect mail to outside addresses, and for rules that delete or move messages so that you never see them. If your mail system lets administrators list every user’s rules and forwarding settings centrally, have IT review those too.
* Be careful what you post to social media and your company website, especially information about who has which specific job duties. Also be cautious about using out-of-office replies that give too much detail about when your executives are out of the mix.
* Require a second, out-of-band confirmation for money transfers, particularly big ones. For example, you could require a telephone call to confirm significant wire transfers or any change in payment instructions. Be sure to set up this protocol early in the business relationship and outside the email environment. When the fraudster hacks your email account, you don’t want him to be able to read how your confirmation process works and figure out how to evade it.
* When confirming requests, don’t rely on phone numbers or email addresses embedded in the request. Look up the number from an external source when calling.
* Require your employees to use two-factor authentication to access corporate email accounts. They would need two pieces of information to log in: something they know (such as a password) and something they have (such as a one-time code from an authenticator app or hardware token). A stolen password alone is then not enough to get into the mailbox and plant forwarding rules.
* Train your employees to watch for suspicious requests — such as a change in a vendor’s payment location.
* Train your employees to avoid clicking on links or attachments from unknown senders. Doing so could download malware onto your company’s computers, making you vulnerable to a hack.
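The “check your rules” advice above is the kind of thing that can be scripted so it happens every week rather than when someone remembers. The following is an added example written for this page, not code from the FBI: it audits an exported list of mailbox rules and flags the patterns described in the scam, namely forwarding to an outside address, forward-then-delete, and rules keyed on payment words. The rule records are constructed, and their field names are an assumption modeled on the property names Exchange Online’s Get-InboxRule cmdlet reports (ForwardTo, RedirectTo, DeleteMessage, and so on); adapt them to whatever your own mail platform exports.

```python
"""Audit exported mailbox rules for the forwarding tricks used in BEC.

Added example for this page (not FBI code). Field names are an assumption
modeled on Exchange Online Get-InboxRule properties; the sample rules are
constructed for illustration.
"""

# Assumption: the mail domains that count as "inside" the company.
INTERNAL_DOMAINS = {"companya.example"}

# Constructed sample export of one executive's mailbox rules.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True,
     "From": ["news@vendor.example"], "MoveToFolder": "Newsletters",
     "DeleteMessage": False},
    # The attacker-style rule: nearly empty name, keys on payment words,
    # forwards to a free webmail account and deletes the original.
    {"Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "wire", "payment"],
     "ForwardTo": ["ceo.companya@webmail.example"], "DeleteMessage": True},
    {"Name": "Assistant copy", "Enabled": True,
     "From": ["cfo@companya.example"],
     "RedirectTo": ["assistant@companya.example"], "DeleteMessage": False},
    {"Name": "Old", "Enabled": False,
     "ForwardTo": ["x@attacker.example"], "DeleteMessage": False},
]

FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
MONEY_WORDS = {"invoice", "wire", "payment", "bank", "transfer", "ach"}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def external_targets(rule):
    """Addresses this rule forwards or redirects to outside INTERNAL_DOMAINS."""
    targets = []
    for field in FORWARD_FIELDS:
        for addr in rule.get(field) or []:
            if domain_of(addr) not in INTERNAL_DOMAINS:
                targets.append(addr)
    return targets


def findings_for(rule):
    """Reasons a rule looks suspicious; an empty list means it looks benign."""
    if not rule.get("Enabled", True):
        return []  # a disabled rule is not acting on mail right now
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    forwards = any(rule.get(f) for f in FORWARD_FIELDS)
    if rule.get("DeleteMessage") and forwards:
        reasons.append("forwards and then deletes the message, hiding it from the owner")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    hits = words & MONEY_WORDS
    if hits and (ext or rule.get("DeleteMessage")):
        reasons.append("keys on payment-related subject words: " + ", ".join(sorted(hits)))
    name = rule.get("Name") or ""
    if len(name.strip(". ")) == 0:
        # Attacker-created rules are often named "." or left blank so they
        # are easy to overlook in the rules list.
        reasons.append("near-empty rule name %r" % name)
    return reasons


def audit(rules):
    """Map rule name -> list of findings for every rule with at least one."""
    report = {}
    for rule in rules:
        reasons = findings_for(rule)
        if reasons:
            report[rule.get("Name", "")] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(f"SUSPICIOUS rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run against a real export, the script is most useful when its output is compared with last week’s: a rule that appeared overnight on an executive’s mailbox and forwards to a free webmail address is exactly the twist this segment describes.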
If you have been victimized by this scam or any other online scam, contact the FBI. You can file an online report at the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your FBI local office.