$33 Million and Counting in New England Email Scam
The Problem:
Business Email Compromise (BEC) scams are on the rise. What sets these attacks apart is the method: unlike other types of attacks, the attacker simply sends an ordinary-looking email. These emails are typically either written by hand for a specific individual or aimed at a very small target audience.
These emails will not be detected as spam or a virus, since they fit the profile of neither. They appear to come from someone known to the recipient, typically a person of importance in the company. The sender will often start a correspondence with the recipient under the guise of someone else in the organization. In urban dictionary terms, this technique has been called “Cat Fishing”.
At some point, fairly early on, the sender will ask the recipient to send money via wire transfer, MoneyGram, Bitcoin or other means that are difficult to trace. According to the FBI, “Common recipients of these e-mails are real estate agents, title companies, and attorneys in the midst of real estate transactions, bookkeepers, accountants, controllers and chief financial officers”.
The Damage:
According to an FBI article dated December 20th, 2016, approximately $33 million in funds have been transferred to these scammers so far. The FBI has been able to return only $13 million of these assets to date. It’s actually surprising they can get any of it back.
So what can companies do after they have been compromised?
The FBI’s Boston-based unit lists several steps in its article. Here are the initial steps to take right away; visit the FBI’s site for more information.
Contact your financial institution immediately and request that they issue a “SWIFT recall.”
File a complaint with IC3 regardless of whether there is a dollar loss. Experience has shown that funds only remain in the initial beneficiary account for a few days before they are withdrawn or transferred to another account. This is not always the case, however, and the FBI may be able to pursue a criminal prosecution.
How to Protect Yourself:
Most of the time, the most basic procedures will protect you. The first is preparation: have systems in place beforehand.
Set up a second form of authentication
Never give an individual who is not an owner the ability to write checks or transfer funds without a second authority to approve the transaction.
Check the from address
When you receive an email, check the full email address, not just the sender’s name. Email by itself is a very insecure method of communication, and it is very easy to “spoof” someone else’s address. Simply replying to the email to verify it is no longer enough: your reply goes to the reply address set by the original sender, which is the scammer, not the person being impersonated.
Forward the email to sender
Instead of hitting Reply, try forwarding the email to the sender. When you forward an email, your mail client uses the address it has cached for that person instead of the bogus reply address in the original message.
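The two header checks described above (the full From address against the address you already have on file for that name, and the Reply-To address a reply would actually go to) can be automated. This is an added example, not code from the original post; the address book, the company domain and the sample message are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumed address book: the addresses you already have cached for known
# colleagues (the ones a Forward would use), keyed by lower-cased display name.
ADDRESS_BOOK = {"jane doe": "jane.doe@example-corp.com"}

# Constructed sample message, not taken from the post: the display name matches
# a real colleague, but the address uses a lookalike domain, and Reply-To
# points somewhere else again, so a "verification" reply never reaches Jane.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe@mail-example.net
To: bookkeeper@example-corp.com
Subject: Urgent wire transfer needed today

Please wire the funds before 3pm. I'm in meetings all day, just reply here.
"""


def check_sender_headers(raw_message, address_book=ADDRESS_BOOK):
    """Return a list of warnings for the two header tricks described above.

    An empty list means the From address matches what is on file for that
    display name and a reply would go back to that same address.
    """
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # Check the full address, not just the name: a familiar name paired with
    # an unfamiliar address is the display-name impersonation the post warns about.
    known = address_book.get(display_name.strip().lower())
    if known and known.lower() != from_addr.lower():
        warnings.append(f"name '{display_name}' is on file as {known}, not {from_addr}")

    # Hitting Reply sends to Reply-To, not to the From address you see, so a
    # Reply-To that differs from From means the reply would reach the attacker.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"replies would go to {reply_addr}, not {from_addr}")
    return warnings


if __name__ == "__main__":
    for warning in check_sender_headers(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```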
Verify other means
Contact the sender by phone call or text message and verify that they really asked you to transfer funds to that account. This simple step gives you a direct line of communication to the actual sender.
Google search
If you received a scam email, you are typically not the first to receive it. A simple Google search of key phrases from the message will usually turn up others who have received it as well.
Controlled testing
You can test your team’s ability to detect phishing emails by sending them test emails: messages designed to gain their trust or to ask them to do something out of the ordinary, and see whether they respond. Set up a policy beforehand telling the team what to do when they receive a suspicious email, then send sporadic test messages to various employees and see if they follow the procedures.
If you would like to discuss this in more detail, please contact any of our staff, and we will be glad to help you.
Kenny Rounds
CEO
Braver Technology Solutions LLC