Beware of: Business E-Mail Compromise (BEC)

The following blog post is not about IP per se, however, it does address an alarming fraud scheme that organizations, brands, and IP support professionals need to to have an understanding and awareness of:

It’s called: Business E-Mail Compromise (BEC).

ALARMING TREND

There is an alarming scam-assault on businesses taking place in the U.S. and in Western Europe in which BEC is the weapon-of-choice.

And it demands the attention of management.

RECENT NOTABLE REPORTS

In June of this year, the U.S. Justice Department completed a six-month BEC investigation that resulted in the arrest of 74 individuals all over the U.S. and several other countries including Nigeria, Canada, Mauritius, and Poland, respectively.

“BEC…is a sophisticated scam that often targets employees with access to company finances and tricks them–using a variety of methods like social engineering and computer intrusions–into making wire transfers to bank account thought to belong to trusted partners but instead belong to accounts controlled by the criminals themselves.

And this month it was reported that a UK security group discovered a list of 50,000 executives that were targeted by BEC fraudsters.

“Moreover, The BEC attack emails…typically contain no malware; the group instead sends fraudulent payment requests to finance teams. As a result, the emails are difficult to detect by the range of counter-measures firms typically employ to block harmful material.

“In our analysis…we identified the working methods of a group that has taken the basic techniques of spear-phishing – using specific knowledge about a target’s relationships to send a fraudulent email – and turned it into massive BEC campaigns.

“Each attack email requesting a money transfer is customized to appear to be an order from a senior executive of the company.”

WHAT MAKES THIS ALARMING?

What makes this particularly alarming is that computer-protection technology cannot pick up on this type of fraud since it does not include malware.

It is essentially a person-to-person phishing campaign and flies under the malware-protection radar.

WHAT MUST THE FRAUDSTER DO TO BE EFFECTIVE?

The perpetual fundamentals of Nigerian-branded fraud schemes are simple: Impersonation.

In this scheme, the fraudster convinces you or your finance person that he/she is a senior representative of your company, (CEO, CFO, COO, etc.)

The fraud relies on human complacency, not technological proficiency.

HOW DOES IT WORK?

As explained above, although technologically unsophisticated, it’s still very effective.

The basic BEC modus operandi is:

• Target finance employees
• Impersonate a senior organization employee who directs the transfer of funds to a designated (fraudster) bank account

FRAUDSTER CREATIVITY

It never ceases to amaze me at the creativity of Nigerian-branded frauds.

I myself have investigated multi-million dollar Nigerian-branded fraud schemes (i.e., advanced fee, romance, black ink, etc.), and the talent and creativity of Nigerian-branded fraudsters are not to be underestimated.

They are absolute experts in the criminal art of psychological persuasion and impersonation.

And having discovered this new fraudulent scheme, the fraudsters will rake-in millions-and-millions until business awareness is raised enough to have a countering effect.

PREVENTION

This trend demands 3-fundamental actions of management:

• Train (re-train) employees in email-communications discipline
• Develop a communications protocol that requires employees to go through a step-by-step vetting of the sender before wire transfers are made
• Institute an internal testing process that ensures employee compliance

FINAL THOUGHT

As the FBI reminds us, “BEC schemes continue to evolve as criminals come up with new and inventive ways to scam businesses.”

Disclaimer: IPPIBlog.com is offered as a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, with regard to content provided in IPPIBlog.com. We disclaim any and all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such person and the accuracy and validity of the information provided by them. This blog is provided for general information purposes only and is not intended to provide legal or other professional advice.