Want Secure Email? Your Employees Are The Key.
Security education in the workplace is more important than ever before, as business email compromise (BEC) and email account compromise (EAC) threats are increasing. A recent advisory issued by the Financial Crimes Enforcement Network (FinCEN) outlines the growing risks associated with these specific cybersecurity threats, both of which aim to gain access to the victim’s email accounts. Although the advisory is focused on financial institutions, organizations across industries should pay heed.
In the last 6 years, there have been an estimated 22,000 cases of BEC and EAC fraud reported. These cases account for a total of $3.1 billion. This is a significant amount of fraud that is being reported, and these stats don’t even begin to touch on the unreported cases of BEC and EAC.
The advisory issued by FinCEN outlines the three stages involved in this form of fraud:
Compromised Email Accounts
The first step in this fraudulent process is typically the compromise of email accounts, which occurs as the result of either social engineering or compromised servers. After access is achieved, cyber criminals hunt for any information related to financial institutions, including accounts, contacts, vendors, etc.
The Transmission of Fraudulent Transaction Instructions
The information gained by malicious actors in the first stage allows them to easily masquerade as the victim. By doing so, the criminal can make transactions from either the victim’s actual email account or a dummy account that is created in order to appear like a legitimate account.
The Execution of Unauthorized Transactions
The information gained also allows these cyber criminals to take the additional steps of making account transfers or other payments seem as though they are genuine. In order to make it extremely difficult to track these transactions, the malicious actors typically ensure that the payments pass through a series of accounts.
The report from FinCEN also provides a list of red flags to keep an eye out for when identifying BEC and EAC fraud. These red flags should be explained to all employees in order to ensure that fraud is detected before it becomes a massive issue.
- When a customer verifies transaction instructions and then follows up with an email that provides different instructions, or amounts and wording that do not match.
- When instructions for a transaction are provided by an email account that appears related to a customer’s email account but is slightly different.
- When a customer provides information about a fraudulent account, and this fraudulent account is sent as the desired destination for a new transaction.
- When a transaction request arrives and features questionable language (e.g. “secret”, “urgent”, “confidential”).
- When transaction instructions come from an employee who was only recently authorized on the customer’s account and has not previously sent you wire transfer instructions.
- When transaction instructions direct a payment to a beneficiary who has no previous business relationship with the customer, yet the amount requested is similar to previous payments made by that customer.
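As an added example (not part of the FinCEN advisory or this article), the Python sketch below turns three of the red flags above into a triage check run over constructed sample emails: a sender domain that is slightly different from a known customer domain, pressure or secrecy wording, and a beneficiary with no prior relationship. The customer domains, beneficiary list, keyword set and similarity threshold are all assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed list of customer email domains (assumption: a real deployment
# would load these from the customer master file, not hard-code them).
KNOWN_CUSTOMER_DOMAINS = {"acme-supplies.com", "northwind-traders.co.uk"}
KNOWN_BENEFICIARIES = {"Acme Supplies Ltd"}  # constructed

# Wording the red flags call out in transaction requests (assumed set).
PRESSURE_WORDS = {"urgent", "secret", "confidential", "immediately", "asap"}


def sender_domain(address):
    """Return the lowercase domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain, known, threshold=0.85):
    """Return the known domain this one imitates: close but not identical."""
    if domain in known:
        return None
    for k in known:
        if SequenceMatcher(None, domain, k).ratio() >= threshold:
            return k
    return None


def red_flags(msg, known_domains, known_beneficiaries):
    """Evaluate one wire-instruction email and return the red flags that fire."""
    flags = []
    imitated = lookalike_domain(sender_domain(msg["from"]), known_domains)
    if imitated:
        flags.append(f"sender domain resembles customer domain {imitated}")
    words = set(re.findall(r"[a-z]+", msg["body"].lower()))
    hits = sorted(words & PRESSURE_WORDS)
    if hits:
        flags.append("pressure/secrecy wording: " + ", ".join(hits))
    if msg["beneficiary"] not in known_beneficiaries:
        flags.append(f"new beneficiary {msg['beneficiary']} with no prior relationship")
    return flags


SAMPLE_MESSAGES = [  # constructed examples, not real traffic
    {"from": "ap@acme-supplies.com", "beneficiary": "Acme Supplies Ltd",
     "body": "Please process the attached invoice per our usual terms."},
    {"from": "ap@acme-suppIies.com", "beneficiary": "Global Consulting SA",
     "body": "URGENT and confidential: wire to the new account today."},
]


def triage(messages=SAMPLE_MESSAGES):
    """Run the red-flag check over a batch of messages; one flag list per message."""
    return [red_flags(m, KNOWN_CUSTOMER_DOMAINS, KNOWN_BENEFICIARIES) for m in messages]
```

Flagged messages are candidates for the out-of-band verification the advisory recommends, not proof of fraud; a clean result says nothing about a sender whose real account has been taken over.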
These red flags are very important to be on the lookout for, as both BEC and EAC fraud have grown recently. All employees should be coached on what to look for, as well as on the specific risks involved with this form of fraud. When employees are aware of social engineering tactics and the other methods used to access email accounts and solicit financial transactions, they are better prepared to handle the threat.
If you’d like to explore BEC and EAC fraud in more detail, as well as additional red flags and ways to educate your team, contact us via the form below: