Pandemic Profiteering - 'Business Email Compromise' (BEC)

A recent report from Europol titled Pandemic Profiteering looks at how criminals are exploiting the COVID-19 crisis across Europe.

Criminals are not just targeting vulnerable individuals but also small businesses and even large organisations.

We are all familiar with the usual spam scam emails telling us we have won a $100,000 prize and need only send our bank details to claim it! However, one of the key points identified by the report is that phishing email campaigns during the COVID-19 crisis have been more targeted.

With working from home now the norm for company employees, criminals have focused their efforts on “business email compromise” (BEC).

Business Email Compromise attacks are spoof emails specifically designed to impersonate company employees, with the sole intent of tricking actual employees, customers, suppliers and others into completing actions to the detriment of the business. These actions range from opening malicious links or attachments to transferring money or data.

The FBI has identified five main types of BEC scam:

• The Fake Invoice Scheme

Often sent to your customers purporting to be from your business, these emails request that funds for payments are transferred to an account owned by fraudsters rather than your official account.

• CEO Fraud

Attackers pose as the company CEO or senior management and email employees, usually in finance, requesting that money be transferred to an account the attackers control.

• Account Compromise

An employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

• Legal Practitioner Impersonation

Attackers pretend to be legal practitioners in charge of crucial and confidential matters.

• Data Theft

Employees are targeted to obtain personally identifiable information of others. This data can be used for future attacks.

It is suggested that the vast majority of BEC attacks are timed for the end of the business day, putting time pressure on the recipient in the hope that aspects of due diligence are overlooked.


How to prevent BEC attacks?

• Carefully scrutinise all emails, regardless of time constraints.

• Be wary of unusual emails from senior managers or executives who would not normally communicate with you. There is no harm in checking with your direct line manager; any concerns can then be dealt with quickly.

• Take extra care when reviewing emails that request a transfer of funds: ensure due diligence is completed and know who you are dealing with.

• Verify any change to a vendor's payment account through appropriate checks; do not take the email at face value.

• Confirm requests to transfer funds by phone, as a second factor of verification. Only use known, familiar numbers, NOT the details provided in the email.

• If you suspect that you have been targeted by a BEC attack, follow your internal security protocol and if necessary report to the police immediately.

• Educate and train employees. Employees are a company’s biggest asset and can be the first line of defence against BEC attacks. Commit to training employees according to the company’s security protocol.
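The warning signs above (an executive's name on an outside address, payment or bank-detail language, and end-of-day timing) can be turned into a first-pass triage check for a mail team. The following is an added example, not code from the article or from Europol or the FBI; the company domain, executive names, thresholds and sample messages are all constructed assumptions.

```python
"""Added example: score inbound mail against the BEC warning signs above.
All domains, names and messages are constructed for illustration."""
import re
from datetime import datetime

COMPANY_DOMAIN = "example.com"              # assumption: our own mail domain
EXECUTIVES = {"jane doe", "john smith"}     # assumption: known executive names
PAYMENT_PATTERNS = re.compile(
    r"\b(wire|transfer|invoice|bank details|new account|account change|urgent)\b",
    re.IGNORECASE)

def parse_from(header):
    """Split 'Display Name <user@domain>' into (display name, sender domain)."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', header)
    if not m:                                # bare address, no display name
        return "", header.split("@")[-1].strip().lower()
    return m.group(1).strip(), m.group(2).split("@")[-1].lower()

def score_email(from_header, subject, body, sent_at):
    """Return (score, reasons); each matched warning sign adds one point."""
    name, domain = parse_from(from_header)
    reasons = []
    # CEO fraud: an executive's display name on a non-company address
    if name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"executive name '{name}' from external domain {domain}")
    # Fake invoice / vendor account change: payment language in the text
    if PAYMENT_PATTERNS.search(subject + " " + body):
        reasons.append("payment or bank-detail change request")
    # Timing pressure: sent close to the end of the business day (assumed 16:00+)
    if sent_at.hour >= 16:
        reasons.append(f"sent at {sent_at:%H:%M}, near end of business day")
    return len(reasons), reasons

def triage(messages):
    """Return the messages that should be verified by phone before acting."""
    flagged = []
    for m in messages:
        score, reasons = score_email(m["from"], m["subject"], m["body"], m["sent_at"])
        if score >= 2:                        # assumption: two signs warrant a call
            flagged.append((m["subject"], reasons))
    return flagged

SAMPLE = [  # constructed sample messages
    {"from": "Jane Doe <jane.doe@examp1e-mail.net>", "subject": "Urgent wire",
     "body": "Please transfer 45,000 to the new account before 5pm today.",
     "sent_at": datetime(2020, 4, 6, 16, 42)},
    {"from": "Bob Lee <bob@example.com>", "subject": "Lunch menu",
     "body": "Canteen options for Friday attached.",
     "sent_at": datetime(2020, 4, 6, 9, 5)},
]
```

Note that a compromised internal account (the third scam type) passes the domain check, which is why the phone verification step still applies even when a message scores low.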

Remain alert and aware at all times, even more so during times of crisis. As an employee or business owner you already have enough to deal with.

Don’t let criminals take advantage.