David Vandenberg, Chair of the NAFA Transactional Integrity Working Group, discusses cybercrime and Business Email Compromise (BEC).
Be careful not to fall victim.
Fraud involving wire transfers is frightening and possibly more common than you think. Business email compromise (BEC) is the common name for this type of cybercrime, which is exceedingly difficult to halt with technical measures and frequently impossible to undo should an attacker successfully fool a target into sending money.
Employee and customer vigilance is essential for stopping these attacks. The following three details will outline the magnitude of the issue and assist you in avoiding becoming a target of these attacks.
Fact #1: Since 2013, There Have Been Massive Financial Losses.
Since October 2013, BEC, also known as email fraud and email account compromise (EAC), is being monitored both domestically and internationally by the U.S. Federal Bureau of Investigation (FBI). The following current fraudulent wire transfer patterns are concerning:
• Tens of thousands of complaints are made concerning BEC fraud each year, with billions of dollars in losses as a result.
• More than 150 nations and all 50 states in the United States have received reports of BEC frauds.
• Consumers may also be impacted by these attacks, which don't just target businesses and organizations. Examples include BEC schemes that target all parties involved in a real estate transaction, including buyers, sellers, and agents, according to the FBI.
Furthermore, it's critical to understand that BEC attacks involve more than just wire fraud. In order to commit tax fraud and other crimes, for instance, cybercriminals exploit illicitly obtained tax information (such as W-2 statements of American workers). In a different kind of BEC fraud, fraudster impersonate employees in an effort to deceive payroll offices and payroll service providers into diverting direct deposits so they can steal workers' wages.
In conclusion, BEC attacks are pervasive and have an impact on both individuals and enterprises. And while though billions of dollars in damages are now estimated annually, the actual amounts are probably higher because BEC attacks sometimes go unreported. Don't fall into the trap of believing it won't happen to you; cybercriminals target consumers as well as employees and search up, down, and across org charts to discover their targets.
Fact #2: BEC Attacks Use the Comfortable to Trick You into Making Poor Choices.
Since BEC attacks are designed in such a way, technical tools are frequently ineffectual against them. Typically, emails don't contain malicious links or attachments, two characteristics of phishing attacks that email monitoring technologies can spot and reject.
BEC attacks, in contrast, make an effort to "glide under the radar," using well-known identities and details to pass for secure, authorized communications. Attackers may use social media and other public information sources to learn more about their targets. They may also establish rapport across several contacts—by phone and email—to make the target think they are speaking with a reliable person. The attacker won't request a wire transfer (or data) until they are certain the target is at ease enough to comply.
Attackers may occasionally use the "spoofing" technique to make messages appear to have originated from a well-known source; in these cases, the sender address resembles a contact you can trust (though a hover over that address will reveal something different). In some situations, fraudsters are able to obtain email login information and send messages from a valid account, making it very challenging for an email receiver to recognise a fraudulent request.
Conclusion: Nothing should be taken at face value when it comes to a wire transfer or payment request (or an email requesting sensitive personal data). Any solicitation of this kind should be viewed critically, especially if the requestor asks for an exception to previously established banking procedures or account information.
Fact #3: You Have the Ability to Thwart BEC Attacks.
To preventing various forms of fraud and safeguarding personal and company data, cybersecurity awareness and a knowledge of email best practices are essential. When it comes to BEC attacks, a few comparatively easy steps can make all the difference:
• Set up a confidential, "need to know" procedure for people to get face-to-face or voice-to-voice confirmation that the request is legitimate if you frequently ask for wire transfers or tax-related information. Make sure to share that procedure with others outside of email, through a reliable method.
• If you frequently process payments or data,
you need to safeguard your organization’s finances and data as well as your reputation. Acting on a request requires both confirmation of the request and authorization to carry it out. This is especially important if you're under pressure to respond quickly or disobey established protocol. Ask your supervisor to implement non-email-based approvals for these types of requests if there aren't any procedures in place to help avoid fraudulent transfers.
• If you routinely approve fund or data transfers, make sure that you are not the only person who can give approval. Working with additional stakeholders to make sure that your process does not have a single point of failure can help you ensure that approvals take place through a channel (or channels) other than email. Never jeopardize the approval chain by permitting transfers to occur outside of the approved protocol. Be ready to be contacted by phone or in-person meetings for approvals.
Conclusion: Parties in the “chain of command” for either funding aircraft transactions or the supporting data need to be aware that email fraud is prevalent and there are steps you can take to ensure the prevention of fraud. It is vital that people are aware of the risks and safety precautions. Remember that you could suffer a BEC attack in your personal life even if you don't frequently engage in these activities at work. Any request for a wire transfer or data transfer should be carefully examined before you act on it, regardless of when it occurs or where it appears to originate from. It is possible for a fraudulent email to appear legitimate. Therefore, putting in place a secondary (non-email) based means of confirmation for events like aircraft closing wire instructions should be considered as a standard (best) practice.
This article was originally published on February 15, 2023.