In today’s digital landscape, businesses are increasingly vulnerable to cyberattacks.
One of the most damaging threats is business email compromise (BEC). This sophisticated attack method exploits trusted communication channels to deceive businesses into transferring sensitive information (or sometimes money) to cybercriminals.
These cybercriminals impersonate a legitimate business contact – like an employee, executive, or a known vendor – to trick employees into sending money or divulging sensitive data. In some cases, they gain access to an employee’s actual email account and send messages from it.
To do this, an attacker needs to gather information about who they want to impersonate. They can do this in several ways.
- Basic Research – Attackers scour the internet for information about the target, including associated third parties and employees. All of it can be found on publicly accessible sites, including the company’s website, news articles and social media sites.
- Social Engineering – With details about employees gathered from social media, about projects and relationships from news articles, and about the company from its own website, attackers then exploit human trust and habits to gain access to data, information or systems.
Once the cybercriminals have gained some basic knowledge about you and the company, they may use one or more of the following common attack methods to set up a BEC attack.
- Phishing – Using an email to deceptively gain information or access.
- Smishing – Similar to phishing but through text messages.
- Vishing – Similar to smishing and phishing but through phone calls.
- Email or Domain Spoofing – Attackers may use lookalike emails or domains to attempt to “authenticate” their identity.
Now that the cybercriminal has enough information to execute an impersonation, they may move forward with their biggest attack yet – business email compromise.
3 Common BEC Attacks
- Fraudsters use access to accounts within a vendor to monitor for an opportunity to “jump in” to the middle of an existing conversation and execute the attack. They suddenly request a change and redirect replies to an external account. In some cases, they request additional changes (new services, more users on the profile, etc.). These “nesting” attacks are effective because the email originates from a legitimate account, in the same email thread and with the same signatures – it’s just that the attacker now controls the account.
- Asking for an account update because “something has changed.” This could be a new account number for payments, a change to the payment method, or new contact information.
- Impersonating a person of authority who claims to be unable to follow the normal process due to “certain circumstances.” For example, a manager is facing an emergency and cannot access their work computer or email, so a payment or a change to a payment is requested from their “personal email.”
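The three patterns above share a few observable traits: a sender domain that only resembles a real vendor’s, a Reply-To that quietly moves the conversation to an outside mailbox, and a request to change payment details arriving inside an existing thread. The following is an added example, not code from the article or from Regions, showing how a mail gateway or SOC script could score a message on those traits. The trusted domains, phrase list and sample messages are all constructed for illustration.

```python
"""Added example (not from the Regions article): flagging inbound mail for the
business email compromise (BEC) indicators described above - lookalike sender
domains, a Reply-To that redirects the thread elsewhere, and a payment-change
request inside an existing thread. Every domain, address and message here is
constructed for illustration."""
from email.utils import parseaddr
import re

# Domains the organisation actually does business with (constructed list).
TRUSTED_DOMAINS = {"acme-supplies.com", "example-bank.com"}

# Phrases that commonly accompany account-change requests in BEC emails.
CHANGE_PHRASES = re.compile(
    r"\b(?:new (?:bank |account )+(?:number|details)"
    r"|updated? (?:our|the) (?:bank|payment|remittance)"
    r"|change (?:of|to) (?:bank|payment|account)"
    r"|wire (?:instructions?|details))\b",
    re.IGNORECASE,
)

def domain_of(addr_header):
    """Lower-cased domain of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalikes such as acme-supp1ies.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated.
    A small max_distance keeps short, unrelated domains from matching by accident."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_distance:
            return t
    return None

def bec_indicators(msg):
    """msg is a dict with 'from', 'reply_to', 'in_reply_to' and 'body' keys.
    Returns human-readable indicator strings; an empty list means nothing matched."""
    hits = []
    sender = domain_of(msg.get("from"))
    reply = domain_of(msg.get("reply_to"))
    imitated = lookalike_of(sender)
    if imitated:
        hits.append(f"lookalike domain {sender} resembles {imitated}")
    # A Reply-To on a different domain moves the conversation away from the
    # account the recipient believes they are corresponding with.
    if reply and reply != sender:
        hits.append(f"reply-to domain {reply} differs from sender domain {sender}")
    if CHANGE_PHRASES.search(msg.get("body", "")):
        # A change request inside an existing thread is the "nesting" pattern.
        where = "existing thread" if msg.get("in_reply_to") else "new message"
        hits.append(f"payment/account change request in {where}")
    return hits

# Constructed sample messages: a nested change request, a lookalike-domain
# request, an "executive travelling" request and a benign reply.
SAMPLE_MESSAGES = [
    {"from": "Accounts <ap@acme-supplies.com>", "reply_to": "Accounts <ap@acme-supplies.com>",
     "in_reply_to": "<inv-118@acme-supplies.com>",
     "body": "Please note we have updated our bank details for all future invoices."},
    {"from": "Accounts <ap@acme-supp1ies.com>", "reply_to": "", "in_reply_to": None,
     "body": "Hi, our new bank account number is attached."},
    {"from": "Dana Chief <dana.chief@example-bank.com>",
     "reply_to": "dana.chief.personal@mail.example", "in_reply_to": None,
     "body": "I'm travelling and can't access my work email. Please process the wire instructions attached today."},
    {"from": "Accounts <ap@acme-supplies.com>", "reply_to": "Accounts <ap@acme-supplies.com>",
     "in_reply_to": "<inv-118@acme-supplies.com>", "body": "Thanks, the shipment arrived on time."},
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_MESSAGES, 1):
        print(i, bec_indicators(m) or "no indicators")
```

Note that the first sample raises only one indicator even though it is the most dangerous: the address, domain and thread are all genuine because the vendor’s mailbox is compromised. That is why the scoring treats a change request inside an existing thread as worth flagging on its own, and why the article’s advice to verify by phone applies even when nothing else looks wrong.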

3 Tips to Prevent Becoming a Victim
- For sudden changes or suspicious requests – especially changes to payment accounts, users or contacts – validate that the request is real by contacting the requestor on a phone number you already have on file. Do not call the number in the email or reply to the email, as you will likely be contacting the attacker.
Remember:
- Be mindful of the information you share online.
- Consider the use of dual controls for transactions – an example is the “maker/checker” process where one individual initiates a request and then another reviews and approves.
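The call-back tip and the maker/checker tip work best when the system enforces them rather than relying on memory. The following is an added example, not the article’s or Regions’ own code, of a minimal dual-control workflow for vendor payment-detail changes: the person who enters a change cannot also approve it, the approver must record a call-back to the phone number already on file (not one supplied in the request), and nothing reaches the live record until both steps are done. Vendor names, account and phone numbers are constructed for illustration.

```python
"""Added example (not from the Regions article): a minimal maker/checker dual
control for payment-detail changes. A change takes effect only after a second,
different person approves it following a call-back to the phone number already
on file. All vendor names, account numbers and phone numbers are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

class DualControlError(Exception):
    """Raised when a change would be applied without satisfying dual control."""

@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    maker: str                            # who entered the change
    checker: Optional[str] = None         # who approved it; must differ from maker
    verified_via: Optional[str] = None    # number on file used for the call-back
    created: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    @property
    def approved(self):
        return self.checker is not None

class VendorLedger:
    def __init__(self, accounts, phone_book):
        self.accounts = dict(accounts)       # vendor -> current bank account
        self.phone_book = dict(phone_book)   # vendor -> phone number on file
        self.pending = {}                    # request id -> ChangeRequest
        self._next_id = 1

    def make(self, vendor, new_account, maker):
        """Step 1 (maker): record the request. The live record is untouched."""
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = ChangeRequest(vendor, new_account, maker)
        return rid

    def check(self, rid, checker, callback_number):
        """Step 2 (checker): a different person approves after calling the
        vendor on the number already on file, never a number from the request."""
        req = self.pending[rid]
        if checker == req.maker:
            raise DualControlError("maker and checker must be different people")
        if callback_number != self.phone_book.get(req.vendor):
            raise DualControlError("call-back must use the phone number on file")
        req.checker, req.verified_via = checker, callback_number
        return req

    def apply(self, rid):
        """Step 3: only an approved request updates the live account record."""
        req = self.pending[rid]
        if not req.approved:
            raise DualControlError("change has not been approved by a checker")
        del self.pending[rid]
        self.accounts[req.vendor] = req.new_account
        return self.accounts[req.vendor]

def run_demo():
    """Walk one request through the control, collecting the rejected shortcuts.
    Returns (list of rejection reasons, account on record after approval)."""
    ledger = VendorLedger({"Acme Supplies": "111-000"}, {"Acme Supplies": "+1-555-0100"})
    rid = ledger.make("Acme Supplies", "999-123", maker="pat")
    rejected = []
    attempts = (
        lambda: ledger.apply(rid),                        # applied before any approval
        lambda: ledger.check(rid, "pat", "+1-555-0100"),  # maker approving own change
        lambda: ledger.check(rid, "sam", "+1-555-0199"),  # call-back to a number from the email
    )
    for attempt in attempts:
        try:
            attempt()
        except DualControlError as err:
            rejected.append(str(err))
    ledger.check(rid, "sam", "+1-555-0100")  # second person, number on file
    return rejected, ledger.apply(rid)

if __name__ == "__main__":
    reasons, final_account = run_demo()
    for r in reasons:
        print("rejected:", r)
    print("account now on record:", final_account)
```

The control is deliberately strict about the phone number: the attacker in the “something has changed” scenario will happily supply a number to call, so the only number that counts is the one the organisation already held before the request arrived.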
“If something doesn’t look right, trust your gut,” says Jeff Taylor, Head of Commercial Fraud Forensics for Regions Bank. “Before you fall victim, implement an internal control to confirm all payment requests or changes to an existing payment.”
The information presented is general in nature and should not be considered, legal, accounting or tax advice. Regions reminds its customers that they should be vigilant about fraud and security and that they are responsible for taking action to protect their computer systems. Fraud prevention requires a continuous review of your policies and practices, as the threat evolves daily. There is no guarantee that all fraudulent transactions will be prevented or that related financial losses will not occur. Visit regions.com/STOPFRAUD or speak with your Banker for further information on how you can help prevent fraud.