We have previously covered how most (if not all) business transactions are now conducted using digital technology and electronic communications. As technology continues to take hold of business transactions, businesses are increasingly subject to a host of cyber threats.
The increasing prevalence and cost of business email compromise (BEC) schemes demonstrate that digital technology and electronic communications put funds transfers at risk.
Now, more than ever, organizations must implement controls in order to recognize and prevent BEC scams and safeguard their fund transactions.
What is the BEC threat?
A BEC scam targets businesses that perform wire transfer payments; the related email account compromise (EAC) variant targets individuals who perform wire transfer payments.
As described in the recently issued 2019 Internet Crime Report, in 2019 the FBI’s Internet Crime Complaint Center (IC3) received 23,775 BEC/EAC complaints with adjusted losses of more than $1.7 billion.
BEC/EAC complaints accounted for roughly half of the $3.5 billion in total losses from internet crimes.
According to the U.S. Secret Service, BEC scams target financial institutions, real estate companies, health care firms, human resources organizations, educational institutions and large-scale construction and contracting firms.
The BEC scam is just another confidence game in which bad actors convince employees to click on bad links or attachments, enabling the bad actor to install malware on the company’s computer system. These schemes often lead the employee to mistakenly believe that the sender of an email attaching wiring instructions or seeking information is making a legitimate, authorized request.
The BEC scam is often carried out when a subject compromises legitimate business email accounts through malware (computer intrusion techniques), spoofing email addresses or social engineering. The result is an unauthorized transfer of funds.
These schemes constantly evolve and have taken a variety of forms:
- Hacking or spoofing email accounts of CEOs and CFOs
- Compromising personal emails and vendor emails
- Spoofing law firm email accounts (a favorite in real estate transactions)
- Requesting W-2 information
- Targeting the real estate sector
- Making fraudulent requests for large amounts of gift cards
In each such evolution, the scammers rely on authority (an email that appears to come from a legitimate source) and urgency (“we need this immediately”) to effectuate fraudulent transfers.
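The authority-plus-urgency pattern above, together with the spoofed or lookalike sender addresses described earlier, is something a mail gateway or an accounts-payable inbox rule can screen for mechanically. The following is an added example (not the article’s code, and not any vendor’s product) that scores one inbound message against four indicators: a known executive’s display name on a foreign address, a typosquatted or homoglyph sender domain, a Reply-To that steers replies elsewhere, and urgent payment or data-request wording. The organization domain, executive names and both sample messages are constructed for illustration.

```python
"""Heuristic screening of inbound email for BEC indicators.

Constructed example: the domain, names and messages below are invented for
illustration and are not taken from the article or any real incident.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organization profile: its own domain and the executives whose
# names scammers most often borrow (the "CEO / CFO" spoofing variant).
OUR_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com",
              "john roe": "john.roe@example-corp.com"}

# Wording the schemes lean on: urgency, plus the payment-change, W-2 and
# gift-card asks the article lists.
URGENCY_WORDS = ("immediately", "urgent", "asap", "today", "confidential")
PAYMENT_WORDS = ("wire", "wiring instructions", "bank account", "gift card",
                 "w-2", "payment", "invoice", "routing number")

# Character swaps commonly used to build lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so lookalikes compare equal to ours."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for a domain that is almost, but not exactly, our own."""
    if domain == OUR_DOMAIN:
        return False
    return normalize(domain) == OUR_DOMAIN or edit_distance(domain, OUR_DOMAIN) <= 2


def screen(raw: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display-name impersonation: an executive's name on the wrong address.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name impersonation of %s" % display)

    # 2. Lookalike sender domain (typosquat or homoglyph).
    if is_lookalike(from_domain):
        findings.append("lookalike sender domain %s" % from_domain)

    # 3. Reply-To pointing replies at a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 4. Urgency wording combined with a payment or data request.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent payment/data request wording")
    return findings


# Constructed sample messages: one impersonation attempt, one routine email.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe@freemail-example.net
To: ap@example-corp.com
Subject: Urgent wire today

Please process the attached wiring instructions immediately. I am in a meeting.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Q3 planning

Can we move Thursday's meeting to 3pm?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, screen(raw))
```

A message that trips several indicators at once is the one an accounts-payable team should route to the out-of-band verification step rather than act on; a single indicator (for example, an unusual Reply-To alone) is more often a false positive and is better logged than blocked.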
Addressing the BEC threat
Organizations can take several steps to address the threats presented by a BEC scam:
1) Implement encrypted/secure email communications. Traditional email communications can be compromised in a variety of ways: email addresses can be spoofed, communications can be monitored and wiring instructions can be viewed and altered.
Consider encrypting email transmissions (via secure portal or otherwise) when wire or other fund transfers are involved, or in any instance where NPI or other sensitive information is shared via email.
2) Adopt and enforce written funds transfer security procedures. Clarify how funds transfers will take place. Specify a procedure to verify a change in payment type or location, and require that verification to be “out-of-band” — by phone call or with an in-person confirmation that does not take place via email.
Consider a callback verification procedure, an agreed-upon code phrase or a specific dual-control system where another person must confirm a transaction change.
Do not share security procedures electronically, except via encrypted communications as described above. Conduct daily payment activity reviews.
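The written procedure in step 2 is only as good as its enforcement, so the checks can be built into the system that records payment-instruction changes rather than left to memory. Below is an added example (not the article’s code and not any firm’s payment system) of a small workflow that holds a vendor bank-account change until it has been verified by a callback to the number already on file, approved by a second person, and then released; it also produces the day’s activity list for the daily review the article recommends. The vendor, account numbers, phone numbers and employee names are constructed.

```python
"""Enforcing a written funds-transfer procedure in code.

A change to a vendor's payment instructions is held until (1) someone has
verified it out-of-band by calling the phone number already on file and
(2) a different person has approved it. Every action is logged so the
day's payment activity can be reviewed.

Constructed example: vendor, accounts, phone numbers and names are invented.
"""
from dataclasses import dataclass
from datetime import date


class ControlViolation(Exception):
    """Raised when an action would bypass a required control."""


@dataclass
class Vendor:
    name: str
    account: str          # bank account currently on file
    callback_phone: str   # number on file BEFORE the change request arrived


@dataclass
class ChangeRequest:
    vendor: Vendor
    new_account: str
    requested_by: str         # employee who entered the request
    verified_by: str = ""     # employee who made the out-of-band call
    approved_by: str = ""     # second person (dual control)
    status: str = "pending"


class PaymentControls:
    def __init__(self):
        self.log = []   # (date, action, vendor, new account, employee)

    def verify_out_of_band(self, req, employee, number_dialled):
        # The callback must go to the number already on file, never to a
        # number supplied in the email that requested the change.
        if number_dialled != req.vendor.callback_phone:
            raise ControlViolation("callback must use the phone number on file")
        req.verified_by = employee
        self._record("verified", req, employee)

    def approve(self, req, employee):
        if not req.verified_by:
            raise ControlViolation("out-of-band verification missing")
        if employee in (req.requested_by, req.verified_by):
            raise ControlViolation("dual control: approver must be a different person")
        req.approved_by, req.status = employee, "approved"
        self._record("approved", req, employee)

    def release(self, req):
        if req.status != "approved":
            raise ControlViolation("change not approved")
        req.vendor.account = req.new_account
        req.status = "released"
        self._record("released", req, req.approved_by)

    def _record(self, action, req, who):
        self.log.append((date.today().isoformat(), action, req.vendor.name,
                         req.new_account, who))

    def daily_review(self, day=None):
        """Entries for one day (default today), the input to the daily payment review."""
        day = day or date.today().isoformat()
        return [e for e in self.log if e[0] == day]


def violates(action, *args) -> bool:
    """True if the action is blocked by a control, False if it goes through."""
    try:
        action(*args)
    except ControlViolation:
        return True
    return False


def demo():
    """Walk one compliant change through the controls; returns (final account, day's log)."""
    vendor = Vendor("Acme Supplies (constructed)", "111-222333", "+1-555-010-0000")
    req = ChangeRequest(vendor, "999-888777", requested_by="alice")
    pc = PaymentControls()
    pc.verify_out_of_band(req, "alice", vendor.callback_phone)  # call the number on file
    pc.approve(req, "bob")                                      # second person confirms
    pc.release(req)
    return vendor.account, pc.daily_review()


if __name__ == "__main__":
    account, log = demo()
    print("account on file now:", account)
    for entry in log:
        print(entry)
```

The point of keeping `callback_phone` on the vendor record, separate from the request, is that a fraudulent change email will usually supply its own “updated” contact number; the control refuses to count a call to that number as verification.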
3) Train appropriate personnel. Conduct training for anyone who handles or oversees electronic funds transfers.
4) Install and maintain appropriate technology. Patch and update computer systems, and install and update anti-malware protection.
General concepts for protecting payment information
Beyond specific procedures to address new and evolving threats, several broad principles can help organizations improve their security posture and protect payment information:
1) Implement Access Controls. One potential threat to the security of payment information arises not from outside hackers, but from inside the organization. Access controls enforce the principle of least privilege — meaning an employee has access only to the information necessary to perform her job.
Giving all employees access to payment information outside of their normal job functions creates the potential for a cybersecurity event.
2) Evaluate Relationships with Vendors. Exercise due diligence in selecting any third-party service provider that will have access to payment information, and require any third-party service provider to implement measures to secure information systems and payment information. Written agreements between organizations and third-party service providers are necessary to set out obligations and remedies.
3) Protect Payment Information When Stored and Shared. Consider encryption when communicating over an external network. Does payment information travel outside the business while stored on a laptop computer or other portable computing or storage device or media?
If so, then consider encryption or another protection mechanism for that payment information. Likewise, if employees work remotely and have access to payment information, secure those remote connections into the organization’s network.
Security is an ongoing process
The pace of change in computer technology and communications can be bewildering. However, identifying and understanding the risks involved in protecting payment information, as well as the tools available to organizations to address those risks, helps make this ever-evolving process more manageable.
Our Privacy, Cybersecurity and Data Management will continue to share the latest developments and provide insights as we continue to monitor the ever-changing, ever-shifting legal landscape on this issue.