A new breed of BEC scam is costing companies money.
Until recently, email scams were fairly easy to identify. The common ones announced a massive windfall in an international lottery, or carried a politely penned request from a fancy diplomat in Nigeria.
Of late, advisory firms have been tracking a new form of email scam, referred to as business email compromise (BEC), which is far more sophisticated and much harder to detect. Most troubling is that many of these scam emails appear genuine at first glance, which makes them a serious problem for businesses that handle a high volume of funds-transfer requests.
The scams can be so advanced and professional that they include supporting documentation for the request, such as a CEO's signature and company seals.
In the USA between late 2013 and mid-2015, over $74 million in losses to these scams were recorded. With detection becoming ever more difficult, company accountants and finance teams need to sharpen their detective skills and confirm that every request is genuine before acting on it.
Global business continues to grow, and contact details for staff and suppliers are easily found by criminals looking for an easy target. International funds transfers are routine, so companies have to sift professional-looking scams and fraudulent invoices out of legitimate traffic and put deliberate checks in place to stop them.
The IC3 and professional advisers offer the following tips to help businesses avoid being victimised by BEC scams:
• Verify any emailed change to vendor payment details through a second, independent channel, such as phoning the person making the request, and have a second person sign off before the change takes effect.
• Where a phone call is part of that verification, use a number you already had on file, not the number supplied in the email request.
• Be wary of relying on free, web-based email accounts, which are more easily taken over.
• Be careful when posting financial and personnel information to social media and company websites; it gives an attacker the names, roles and timing needed to make a fraudulent request look plausible.
• For wire transfer payments, be suspicious of requests for secrecy or pressure to act quickly. If in doubt, take the time to check the legitimacy of the request, no matter how urgent it seems, even if that delays payment until the next day.
• Create mail-filtering rules that flag or quarantine email from sender domains that resemble the company's own domain but are not identical, for example ".co" instead of ".com".
• If possible, defensively register the Internet domains that are slight variations of your actual company domain, so that nobody else can.
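The last two tips call for the same thing from opposite sides: a way to tell which domains are near-misses of your own. The script below is an added example, not code from the original article or from the FBI, Deloitte or PwC. It assumes a company domain of example.com, a constructed set of From: headers, an edit-distance tolerance of 2 and a small homoglyph table; all of these are illustrative choices. It flags mail whose sender domain is a TLD swap, a homoglyph substitution, a typo within two edits, or the real domain embedded in someone else's, and it generates the candidate look-alike domains worth registering or blocking.

```python
"""Flag inbound mail whose sender domain is a near-miss of the company domain.

Added example, not from the original article. COMPANY_DOMAIN, the sample
headers, MAX_EDIT_DISTANCE and HOMOGLYPHS are assumptions for illustration.
"""
from email.utils import parseaddr
from typing import Dict, Iterable, Optional, Set

COMPANY_DOMAIN = "example.com"   # assumed company domain; replace with your own
MAX_EDIT_DISTANCE = 2            # assumed tolerance for typo-style look-alikes

# Character sequences that read as one another in many fonts (assumed table).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(s: str) -> str:
    """Collapse look-alike sequences so 'exarnple' and 'example' compare equal."""
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def sender_domain(from_header: str) -> str:
    """Lower-cased domain part of a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def lookalike_reason(domain: str, target: str = COMPANY_DOMAIN) -> Optional[str]:
    """Why `domain` looks like `target`, or None if it is genuine or unrelated."""
    if domain == target or domain.endswith("." + target):
        return None  # our own domain or a real subdomain of it
    if domain.startswith(target + "."):
        return "company domain used as a subdomain of another domain"
    name, _, suffix = target.partition(".")
    dname, _, dsuffix = domain.partition(".")
    if dname == name and dsuffix != suffix:
        return f"TLD swap: .{dsuffix} instead of .{suffix}"
    if dname != name and fold_homoglyphs(dname) == fold_homoglyphs(name):
        return "homoglyph substitution in domain name"
    if dname != name and name in dname:
        return "company name embedded in a different domain name"
    dist = levenshtein(dname, name)
    if 0 < dist <= MAX_EDIT_DISTANCE:
        return f"domain name within edit distance {dist} of {name}"
    return None


def candidate_lookalikes(domain: str = COMPANY_DOMAIN,
                         tlds: Iterable[str] = ("co", "net", "org", "cm")) -> Set[str]:
    """Look-alike domains worth defensively registering or blocking at the gateway."""
    name, _, tld = domain.rpartition(".")
    out: Set[str] = set()
    out.update(f"{name}.{t}" for t in tlds if t != tld)          # TLD swaps
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")              # one-char deletion
        if i + 1 < len(name):                                   # adjacent transposition
            out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    for src, dst in HOMOGLYPHS.items():                         # m -> rn, l -> 1, ...
        if dst in name:
            out.add(f"{name.replace(dst, src, 1)}.{tld}")
    out.discard(domain)
    return out


SAMPLE_FROM_HEADERS = [  # constructed for this example
    "Accounts Payable <ap@example.com>",
    "IT Helpdesk <it@mail.example.com>",
    "CEO <ceo@example.co>",
    "CEO <ceo@exarnple.com>",
    "CEO <ceo@exmaple.com>",
    "Finance <cfo@example.com.evil-host.net>",
    "Bank <noreply@bigbank.com>",
]


def triage(headers: Iterable[str] = SAMPLE_FROM_HEADERS) -> Dict[str, str]:
    """Map each From: header that should be quarantined to the reason."""
    flagged: Dict[str, str] = {}
    for header in headers:
        reason = lookalike_reason(sender_domain(header))
        if reason:
            flagged[header] = reason
    return flagged


if __name__ == "__main__":
    for header, why in triage().items():
        print(f"QUARANTINE {header!r}: {why}")
    print("Register or block:", sorted(candidate_lookalikes()))
```

Run it as-is and four of the seven constructed headers are quarantined; the genuine subdomain mail.example.com and the unrelated bigbank.com pass. The edit-distance threshold is the knob to tune: 2 catches single typos and transpositions, but for a short company name it will also match unrelated domains, so pair this rule with the out-of-band verification above rather than relying on it alone. Keep the same `candidate_lookalikes` output in both places, the registrar and the mail gateway, so the list you register is the list you block.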
Source: FBI, Deloitte, PwC