How HOAs and Management Companies Can Avoid Being Exploited by a Business Email Compromise Scam
Getting called into the CEO’s office can be nerve-wracking. What’s even scarier is getting an email from your CEO that’s actually coming from someone else posing as him or her. That’s what sophisticated scammers are doing at an alarming—and growing—rate in a newer type of cybercrime called business email compromise (BEC).
The FBI considers BEC, which the agency defines as a scam targeting businesses working with foreign suppliers and/or businesses regularly performing wire transfer payments, a serious threat. And they should. In 2018 alone, BEC was responsible for $1.2 billion in adjusted losses.
Here’s how it works. The cybercriminals compromise a business’s email system through social engineering (psychologically manipulating people to give out confidential info) or computer intrusion techniques. Once they’ve gained access to your network and email system through malware and spear-phishing (targeted) attacks, they might spend days or even months becoming familiar with your company’s billing system and vendors with the end goal of conducting an unauthorized transfer of funds.
But here’s where they really up their game: They also learn who specifically is making the payments, and they study the CEO and CFO’s travel schedule and email style. That way, once they’re ready to make their move, they can convincingly impersonate that executive to authorize a payment.
Protect Your Payment System
There are a variety of best practices to thwart BEC, but one of the simplest is to talk face-to-face or to pick up the phone to confirm the request. Yes, email is simpler and faster, but if there’s ever a question about a transaction, don’t rely on email alone.
As with any cybercrime, raising awareness and providing employee education are essential first steps. Here are a few safeguards to share with your staff:
- Confirm changes. Whether it’s initiating a payment, transferring funds or updating vendor information, policies that require two-factor authentication or a secondary sign-off by another employee can provide extra protection and prompt a double-check of each change request.
- Flag the unfamiliar. You can use email rules and intrusion detection system rules to flag emails whose addresses don’t have quite the right domain or construction. For example, if your company uses firstname.lastname@example.org, set up a flag for look-alike variations of that address. You can also flag incoming emails whose “from” and “reply to” addresses differ.
- Identify internal and external. Color-code correspondence so emails from employee/internal accounts appear in one color and emails from non-employee/external accounts appear in another in employees’ inboxes.
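The two flagging rules above (a look-alike sender domain, and a “reply to” address that differs from the “from” address) plus the internal/external classification, as an added example that is not part of the original article; the internal domain and the sample messages are constructed assumptions:

```python
import email
from email.utils import parseaddr

# Hypothetical legitimate domain for the HOA or management company; the
# article's own look-alike examples are not available here.
INTERNAL_DOMAIN = "example.org"

def domain_of(header_value):
    """Lower-cased domain of an RFC 5322 address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance: single-character edits separating a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, internal=INTERNAL_DOMAIN):
    """True for near-miss domains: a character or two off, or same name, other TLD."""
    if not domain or domain == internal:
        return False
    same_name = domain.split(".")[0] == internal.split(".")[0]
    return same_name or edit_distance(domain, internal) <= 2

def triage(raw_message, internal=INTERNAL_DOMAIN):
    """Classify one raw email as internal/external and list BEC warning flags."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    if is_lookalike(from_dom, internal):
        flags.append("lookalike-domain")      # e.g. examp1e.org vs example.org
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")     # replies would silently go elsewhere
    origin = "internal" if from_dom == internal else "external"
    return {"origin": origin, "flags": flags}

# Constructed sample messages (not real traffic).
SUSPECT = "From: CEO <ceo@examp1e.org>\nReply-To: ceo@mail-example.net\nSubject: Urgent wire\n\nPlease pay today.\n"
NORMAL = "From: Jane <jane@example.org>\nSubject: Board minutes\n\nAttached.\n"

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("NORMAL", NORMAL)):
        print(name, triage(raw))
```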
If You’ve Been Compromised
First, recognize that these are sophisticated scammers, and they are having a lot of success against a lot of companies. In fact, the Association for Financial Professionals, which has been tracking BEC for the past few years, reports:
- Approximately 80% of companies have been impacted, up from 64% in 2015.
- There’s been a 136% increase in identified global exposed dollar losses.
- BEC has been reported in all 50 states and in 150 countries.
If your company has been a victim of BEC, act quickly. The first step is to contact the originating financial institution to request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity. Next, contact the FBI’s Internet Crime Complaint Center and file a complaint.
Download Alliance Association Bank's Fraud Protection Checklist to avoid BEC scams.