BUSINESS EMAIL COMPROMISE

Business Email Compromise (BEC) is also known as email account compromise or a man-in-the-email attack. Not only is this type of fraud one of the most financially damaging online crimes, but it is also costlier than other fraud attacks combined. It is becoming more targeted: there are fewer victims, but the losses are greater.

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, when the request is in fact illegitimate. Anyone can be targeted in a BEC scam, although high-level executives such as C-level officers and people working in the finance department are the most likely targets.

HOW DO CRIMINALS CARRY OUT THESE SCAMS?

Criminals carry out these scams by doing the following:

  • Spoofing an email account or website by making slight variations on legitimate addresses, e.g. rablowoods.com and rabIowoods.com
    • In the first address, the fourth letter is a lowercase L, while in the second address, the fourth letter is a capital i.
  • Sending spear-phishing emails, that is, messages that look like they are from a trusted source
  • Using malware
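
An added example (not from the original article): a mail-filter style check that flags sender domains resembling a trusted one, using the rablowoods.com pair above. It goes beyond the single letter swap to cover a few other look-alike characters and one-character typos; the allow-list, the character table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list; rablowoods.com is the sample domain used in this article.
TRUSTED_DOMAINS = {"rablowoods.com"}

# Small illustrative table of look-alike characters (assumption: not exhaustive).
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
SINGLE_CHAR = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s"})


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].strip().rstrip(".").lower()


def skeleton(domain):
    """Fold characters that look alike so visually similar domains compare equal."""
    for fake, real in MULTI_CHAR:
        domain = domain.replace(fake, real)
    return domain.translate(SINGLE_CHAR)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header):
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for good in sorted(TRUSTED_DOMAINS):
        if edit_distance(skeleton(domain), skeleton(good)) <= 1:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample headers; the second uses a capital "i" in place of "l".
    for header in ["Accounts <pay@rablowoods.com>", "Accounts <pay@rabIowoods.com>",
                   "pay@rab1owo0ds.com", "Vendor <sales@example.org>"]:
        print(header, "->", classify(header))
```

A "lookalike" result is a reason to hold the message for manual verification of the sender, not proof of fraud.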

BEC attacks are successful for three main reasons:

  1. Insufficient security protocols
  2. Social engineering: a technique used to trick people into divulging private and sensitive information.
  3. Lack of employee awareness

HOW TO PROTECT YOURSELF

  • Information shared online such as nicknames, birthdays, schools attended, family links etc. should be limited
  • Do not click on anything in an unsolicited email that requires you to verify an account
  • Assume that unencrypted emails are insecure
  • Do not use email to communicate financial information or wire instructions
  • Separate wiring instructions from the details about the amount to be wired or descriptions of the transactions.
  • Be careful what you download
  • Do not open an email attachment from someone you do not know
  • The email address, spelling and URL used in any correspondence should be carefully examined
  • Two-factor or multi-factor authentication should be set up on any and every account that allows it, and should never be disabled
  • If possible, verify payment and purchase requests in person. If that is not possible, call the person to ensure the request is legitimate
  • If there are changes in the account details or payment procedures, verify those changes with the person making the request
  • If one is being asked to act fast when it comes to payment, be wary.

WHAT TO DO IF FUNDS GET HIJACKED

If one falls victim to Business Email Compromise, below are the things that should be done.

  1. Contact the IT department and Cybersecurity insurer immediately to report the incident.
  2. A cybersecurity insurer is an insurance company that covers a company’s liability once a data breach occurs.
  3. Contact the originating bank to request a recall or reversal.
  4. File a detailed business email compromise complaint with the law enforcement agency responsible for this, in our case, the Economic & Financial Crimes Commission (EFCC).
  5. A Secure Email Gateway is an example of an email security solution that can be used.

Written by: Oreoluwa Adegoke, CFE