Most (if not all) business transactions are now conducted using digital technology and electronic communications, and, as a result, are subject to a host of cyber threats.
The prevalence and cost of business email compromise (BEC) schemes demonstrate that digital technology and electronic communications put funds transfers at risk.
Organizations must implement controls in order to recognize and prevent BEC scams and safeguard their fund transactions.
What is the BEC threat?
A BEC is a scam targeting businesses and individuals performing wire transfer payments. The email account compromise (EAC) part of BEC targets individuals who perform wire transfer payments.
Although their intent might seem obvious, BEC scams actually work. In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 20,373 BEC/EAC complaints with adjusted losses of over $1.2 billion.
Put into context, those figures represent a 29% increase in the number of complaints and a 77% increase in adjusted losses compared to the IC3’s 2017 numbers. In 2018, BEC was the computer crime with the highest reported loss, according to the IC3.
According to the U.S. Secret Service, BEC scams target financial institutions, real estate companies, health care firms, human resources organizations, educational institutions and large-scale construction and contracting firms.
The BEC scam is just another confidence game in which the bad actors convince humans either to click on bad links or attachments, enabling the bad actor to install malware on the company’s computer system, or to mistakenly believe that the sender of an email attaching wiring instructions or seeking information is making a legitimate, authorized request.
The BEC scam is often carried out when a subject compromises legitimate business email accounts through malware (computer intrusion techniques), spoofing email addresses or social engineering. The result is an unauthorized transfer of funds.
These schemes constantly evolve, and have taken a variety of forms:
- Hacking or spoofing of email accounts of CEOs and CFOs
- Compromise of personal emails and vendor emails
- Spoofed law firm email accounts (a favorite in real estate transactions)
- Requests for W-2 information
In each such evolution, the scammers seek to use authority (an email that looks legitimate), and urgency (e.g., “we need this immediately”) to effectuate fraudulent transfers.
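The authority and urgency cues described above can be screened for mechanically before a message reaches the person who handles payments. The following is an added example, not part of the original article; the organization domain, executive name, keyword lists and sample message are constructed assumptions, and the checks are heuristics that will miss some spoofs and flag some legitimate mail.

```python
from email import message_from_string
from email.utils import parseaddr
# Assumed values, not from the article: tune these to your organization.
ORG_DOMAINS = {"acme.example"}
EXEC_NAMES = {"pat lee"}  # hypothetical CEO/CFO display names
URGENCY = ("immediately", "urgent", "asap")
PAYMENT = ("wire", "wiring instructions", "bank account", "w-2")

def domain_of(value):  # lower-cased domain of an address header, or ''
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def within_one_edit(a, b):
    """True if a != b and one substitution/insertion/deletion maps a to b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def bec_indicators(raw):
    """Return the list of BEC warning signs found in one raw message."""
    msg = message_from_string(raw)
    display = parseaddr(msg["From"] or "")[0].lower()
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    auth = (msg["Authentication-Results"] or "").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = ((msg["Subject"] or "") + " " + body).lower()
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")       # replies diverted elsewhere
    if from_dom not in ORG_DOMAINS:
        if display in EXEC_NAMES:
            flags.append("exec-name-external")  # borrowed authority
        if any(within_one_edit(from_dom, d) for d in ORG_DOMAINS):
            flags.append("lookalike-domain")
    if "dmarc=fail" in auth or "spf=fail" in auth:
        flags.append("auth-fail")               # receiving server's verdict
    if any(u in text for u in URGENCY) and any(p in text for p in PAYMENT):
        flags.append("urgent-payment-request")  # urgency plus money
    return flags

# Constructed sample message (not real mail).
SUSPECT = ("From: \"Pat Lee\" <pat.lee@acne.example>\n"
           "Reply-To: pat.lee@mailbox.test\n"
           "Authentication-Results: mx.acme.example; spf=fail; dmarc=fail\n"
           "Subject: New wiring instructions\n\nWe need this immediately.\n")
```

A message that raises any of these flags is a candidate for the out-of-band verification step rather than for automatic rejection.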
Addressing the BEC threat
Note that the BEC scam targets the vulnerabilities of both companies (networks susceptible to malware, lack of established processes for wire transfers) and individuals (willingness to click on attachments and links from unknown senders, inability to detect spoofed emails or other signs of these scams).
Businesses can take several steps to address the threats presented by a BEC scam:
- Implementing encrypted/secure email communications. Traditional email communications can be compromised in a variety of ways: email addresses can be spoofed, communications can be monitored and wiring instructions can be viewed and altered. Consider encrypting email transmissions (via secure portal or otherwise) when wire or other fund transfers are involved, or in any instance where NPI or other sensitive information is shared via email.
- Adopting written funds transfer security procedures. Clarify how funds transfers will take place. Specify a procedure to verify a change in payment type or location, and require that verification to be “out-of-band” — by phone call or with an in-person confirmation that does not take place via email. Consider a callback verification procedure, an agreed-upon code phrase or a specific dual-control system where another person must confirm a transaction change. Do not share security procedures electronically, except via encrypted communications as described above. Conduct daily payment activity reviews.
- Training appropriate personnel. Conduct training for anyone who handles or oversees electronic funds transfers.
- Installing and maintaining appropriate technology. Patch and update computer systems, and install and update anti-malware protection.
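The callback and dual-control requirements in the funds transfer procedure above can be enforced in the payment system itself rather than left to memory. This is an added example, not part of the original article; the vendor record, phone numbers, account value and employee names are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed vendor master data: the callback number is the one captured at
# onboarding, never a number taken from the change request itself.
PHONE_ON_FILE = {"V-100": "+1-555-0100"}

@dataclass
class ChangeRequest:
    vendor_id: str
    new_account: str
    entered_by: str
    callback_number: str = ""              # number actually dialed
    approvals: set = field(default_factory=set)

def record_callback(req, dialed):
    """Out-of-band check: only the number already on file counts."""
    on_file = PHONE_ON_FILE.get(req.vendor_id)
    if not on_file or dialed != on_file:
        raise ValueError("call the number on file, not one from the request")
    req.callback_number = dialed

def approve(req, employee):
    """Dual control: the person who entered the change cannot confirm it."""
    if employee == req.entered_by:
        raise PermissionError("a second person must confirm the change")
    req.approvals.add(employee)

def may_release(req):
    """True only when both the callback and the second approval exist."""
    on_file = PHONE_ON_FILE.get(req.vendor_id)
    return bool(on_file) and req.callback_number == on_file and bool(req.approvals)

def demo():
    """Walk one emailed change request through the controls."""
    req = ChangeRequest("V-100", "constructed-account-0001", entered_by="alice")
    outcomes = [may_release(req)]                      # nothing verified yet
    try:
        record_callback(req, "+1-555-0199")            # number from the email
    except ValueError:
        outcomes.append("callback-rejected")
    try:
        approve(req, "alice")                          # self-approval
    except PermissionError:
        outcomes.append("self-approval-rejected")
    record_callback(req, "+1-555-0100")
    outcomes.append(may_release(req))                  # still needs approver
    approve(req, "bob")
    outcomes.append(may_release(req))
    return outcomes
```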
General concepts for protecting payment information
Beyond specific procedures to address new and evolving threats, several broad principles can help organizations improve their security posture and protect payment information:
- Implementing Access Controls. One potential threat to the security of payment information arises not from outside hackers, but from inside the organization. Access controls enforce the principle of least privilege — meaning an employee has access only to the information necessary for her to perform her job. Giving all employees access to payment information outside of their normal job functions can create a potential cybersecurity event.
- Evaluating Relationships with Vendors. Exercise due diligence in selecting any third-party service provider that will have access to payment information, and require any third-party service provider to implement measures to secure information systems and payment information. Written agreements between organizations and third-party service providers are necessary to set out obligations and remedies.
- Protecting Payment Information When Stored and Shared. Consider encryption when communicating over an external network. Does payment information travel outside the business while stored on a laptop computer or other portable computing or storage device or media? If so, then consider encryption or another protection mechanism for that payment information. Likewise, if employees work remotely and have access to payment information, secure those remote connections into the organization’s network.
Security is an ongoing process
The pace of change in computer technology and communications can be bewildering. However, identifying and understanding the risks involved in protecting payment information, as well as the tools available to organizations to address those risks, help make this ever-evolving process more manageable.
Our Privacy, Cybersecurity and Data Management Team will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on this issue.