By Drew M. Smith
June 2015. Volume 1 Article 7
Cyber deception has become a hot topic in recent months. Coming off a wave of high-profile data breaches, many people are concerned about their company being hacked, or about attackers compromising their companies’ accounts or personally identifiable information.
Now there is a new issue spreading through multiple companies. These compromises target the people who handle the money and send them fraudulent e-mails to obtain wire numbers and other financial information. This is called Business E-mail Compromise.
The statistics are daunting. According to the FBI, since October 2013, over 2,000 victims of e-mail fraud have been reported with damages in excess of $215 Million. Many of these losses come about in two distinct and damaging ways.
The first is called CEO Fraud or the Business Executive Scam. The attacker creates a spoofed e-mail address that looks similar to the accounts used by the CEO and executives of the company. They then send a request to those in charge of the money and simply wait for the response. This is one of the many ways that unsuspecting employees can damage the company’s finances and reputation.
The other scam can affect more than just the business that gets breached; it can affect business partnerships as well. Companies have contracts with specific vendors for goods and services. These vendors have spent years cultivating relationships with their clients and, in some cases, the owners know each other personally. An attacker can take advantage of this with a tactic similar to CEO fraud: a phony e-mail that makes the receiver believe it came from the client or the vendor, depending on who received it. This not only ruins the reputation of the company but potentially the partnership between the two parties. This is called the Bogus Invoice Scheme or the Supplier Swindle.[1]
There are many steps to prevent this, and it boils down to being reliably informed. Your employees should know the e-mail addresses of everyone they deal with and be extremely cautious of e-mails requesting money. You should also configure your mail servers to filter out these e-mails. Finally, guard the passwords to your e-mail accounts carefully and change them regularly. These measures are among the many you should take to prevent a catastrophic breach in your company’s infrastructure.
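The server-side filtering the article recommends can be illustrated with a small triage script. The following is an added example, not code from the article or any product it mentions: it parses an incoming message, compares the sender's domain against a constructed list of trusted company and vendor domains, flags domains that merely resemble a trusted one (the lookalike addresses CEO Fraud relies on), flags a Reply-To that points somewhere other than the sender's domain (an added check not named on the page), and only raises an alert when such an anomaly coincides with money-request wording. The domains, keywords, similarity threshold and sample messages are all constructed for the example.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: domains that this hypothetical company and its vendors really use.
TRUSTED_DOMAINS = {"example-corp.com", "acme-vendor.com"}

# Constructed list of phrases that commonly appear in payment requests.
MONEY_KEYWORDS = ("wire", "transfer", "invoice", "payment", "bank account", "routing")


def domain_of(address):
    """Return the lowercased domain of an e-mail address, or '' if it has none."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """True if the domain is NOT trusted but closely resembles a trusted one.

    Exact trusted domains return False; the threshold (assumed value) is the
    minimum difflib similarity ratio treated as 'suspiciously similar'.
    """
    if not domain or domain in trusted:
        return False
    return any(
        difflib.SequenceMatcher(None, domain, good).ratio() >= threshold
        for good in trusted
    )


def score_message(raw):
    """Parse a raw RFC 5322 message and return a dict of findings.

    'flag' is True only when a money request coincides with a lookalike
    sender or a Reply-To that diverges from the From domain.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()

    findings = {
        "from_domain": from_dom,
        "lookalike_sender": is_lookalike(from_dom),
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "money_request": any(k in text for k in MONEY_KEYWORDS),
    }
    findings["flag"] = findings["money_request"] and (
        findings["lookalike_sender"] or findings["reply_to_mismatch"]
    )
    return findings


# Constructed sample messages (not real traffic).
SPOOFED_CEO = """From: CEO <ceo@example-c0rp.com>
To: controller@example-corp.com
Subject: Urgent wire

Please wire $50,000 today to the account on the attached invoice.
"""

REPLY_TO_TRICK = """From: CEO <ceo@example-corp.com>
Reply-To: ceo.private@webmail.example
To: controller@example-corp.com
Subject: Vendor payment

Send the payment to the new bank account I will give you by reply.
"""

LEGIT_VENDOR = """From: Alice <alice@acme-vendor.com>
To: controller@example-corp.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_CEO), ("reply-to", REPLY_TO_TRICK), ("legit", LEGIT_VENDOR)):
        print(name, score_message(raw))
```

Run on the three constructed messages, the script flags the lookalike-domain request and the diverging Reply-To request, and passes the ordinary vendor message. In practice the trusted-domain list would be fed from the company's vendor records, and a flagged message would be quarantined or routed for out-of-band confirmation rather than silently dropped.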
[1] http://blogs.orrick.com/securities-litigation/2015/03/06/fbi-warns-against-fraudulent-e-mail-scheme/