Wiring money internationally to clients, suppliers, and/or consultants
may be a risky task for some businesses. The Financial Crimes Enforcement
Network (“FinCEN”) reported recently that, despite its efforts, business email
compromise (“BEC”) from internet criminals and hackers has continued to climb
over recent years (here).
Since 2016 FinCEN has received over 32,000 reports of attempted BEC threatening
over $9 billion in personal and business assets. Given the potential danger for
BEC at your company, here are some suggestions to try to minimize risks when
you are contacted by someone trying to obtain information from you
In general, BEC may appear as a three-step process. First, the impersonator unlawfully hacks or gains access to an email account and reads past emails to obtain financial information from the victim company. Second, the impersonator will use this information to send fraudulent bank transfer instructions to the victim’s banking personnel. For this step, the impersonator typically either uses the victim’s email account directly or creates another email address that is nearly identical to the victim’s (e.g. using firstname.lastname@example.org when the real CEO’s email address is email@example.com ). Finally, when an employee or bank staff member executes the money transfer as instructed by the impersonator/hacker, the scheme is complete and, if undetected, may be used again in the future. According to FinCEN’s reports, exercise caution when wiring money to banks in Asia (especially China or Hong Kong), as these are common destinations for questionable (up to fraudulent) transfers.
Sectors most commonly targeted by BEC are manufacturing and
construction, commercial services, and real estate. In most cases, C-Suite and
other high-level managers are most at risk of having their email compromised or
being impersonated, while accounting or finance staff are most at risk to receive
communication from an impersonator/hackers.
In addition to alerting your staff, here are some other
steps you can take to get ahead of BEC:
- Blacklist commonly used passwords. Contrary to
common belief, the National Institute of Standards and Technology finds that
this is more effective than password composition or expiration policies (check here for more information);
- Be wary of writing about company or financial
information in emails, on your company’s website, or on any other webpage that
may not be secure;
- Consider two-step verification processes to
confirm wire transfers or changes to vendor payment location directly via phone;
- Create or purchase computer intrusion software
that flags potentially fraudulent emails;
- Purchase and maintain all internet domains that
are similar to but slightly different than your company’s domain; and
- Make your employees aware of BEC and train them
to scrutinize wire transfer requests.