
Cybercrime on the OT: Hackers are accessing operations, not just networks
March 03, 2021
By Greg Bangs
SVP, Crime Regional Leader - North America at AXA XL
Business email compromise (BEC) is the fastest-growing type of social engineering fraud, a broad category of scams in which perpetrators impersonate a trusted party to manipulate their victims into willingly handing over funds or valuable information. BEC is closely related to phishing and often begins with it, but the two are not the same: a phishing campaign casts a wide net for credentials or malware installs, while a BEC attack targets specific employees with a plausible business request, usually a payment or a change of banking details.
Though this risk is not new, it is evolving. Here are three trends amplifying the threat of BEC, and how businesses can better protect themselves from loss:
1. Stressed out, remote workforces make easier targets
According to the Anti-Phishing Working Group (APWG), . Insurers have undoubtedly seen a spike in claims since the beginning of the COVID-19 pandemic, which has exacerbated vulnerabilities in companies’ defenses.
With most employees working from home, employers lose some control over security. When corporate IT gets in the way, people tend to fall back on home networks and personal devices as workarounds, and messages that arrive by those routes never pass through the company's email filters and monitoring. That gives fraudsters new avenues to reach their targets with less chance of being caught.
Additionally, employees are dealing with new levels of stress, balancing full-time work with homeschooling, childcare and in some cases eldercare, on top of fears over becoming infected with the virus itself. When people are under pressure, they’re more likely to give in to urgent demands coming from a presumably important vendor or business partner.
Fraudsters are capitalizing on the stress, uncertainty and occasional cyber security lapses of the past year, growing bolder in their tactics and demands.
2. Fraudsters are growing bolder and applying more pressure
In the classic BEC scenario, the thief poses as a vendor needing to update their banking information and requests that future payments be sent to the new (fraudulent) account number. But businesses have grown wise to this plot, and perpetrators have adapted with new ploys.
One emerging tactic involves the combination of a fraudulent email with a fraudulent phone call. The schemers may still pose as a vendor or other business partner, demanding an urgent payment. They then follow up immediately with a phone call, pretending to be a lawyer involved in the transaction. They may drop the name of the CFO or another senior manager.
People get flustered. Scammers know if they apply pressure, their target is more likely to do what they want them to do. Fearing that they’ve dropped the ball and wanting to avoid trouble, employees may make large transfers under these circumstances without verifying them.
Recently, fraudsters have also ironically posed as cyber security firms, hired by the recipient’s employer to strengthen defenses against the exact type of crime they are about to commit. By fashioning themselves as protectors offering a service rather than requesting a payment, they more easily gain employees’ trust – and access to their machines.
Once the fraudster has remote access to a single computer, they can read the mailbox on it, learn which vendors are paid when and by whom, and work their way through the target company's internal network to gather whatever else they need to redirect funds transfers or shipments of goods.
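Every ploy described above comes down to one moment: an employee changing where money goes on the strength of an email and a phone call. The following is an added example, not code from this article or from AXA XL, of the control a finance team can put in front of that moment. A bank-detail change is released only if the sender's domain is exactly the vendor's on record (not a look-alike), and a second employee has confirmed the new account by calling the number that was already on file, never a number supplied in the request. The vendor, domains, phone numbers, account strings and user names are all constructed, and the confusable table is a small illustrative subset.

```python
"""Vendor bank-detail change control (added illustration, not AXA XL's code).

Evaluates a 'please pay us at our new account' request against the vendor
master record and an out-of-band callback record. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional
import unicodedata

# Cyrillic letters that render like Latin ones. Constructed subset; production
# code would use Unicode's full confusables table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def _raw_domain(s: str) -> str:
    """Case-fold and NFKC-normalize a domain, keeping its actual code points."""
    return unicodedata.normalize("NFKC", s.split("@")[-1].strip().rstrip(".")).lower()


def _skeleton(domain: str) -> str:
    """Map look-alike characters onto their Latin twins, for comparison only."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_risk(sender_email: str, vendor_domain: str) -> str:
    """'match' only on an exact domain; 'lookalike' within two edits after
    confusable folding (so a Cyrillic twin is flagged, not accepted); else 'foreign'."""
    sender, vendor = _raw_domain(sender_email), _raw_domain(vendor_domain)
    if sender == vendor:
        return "match"
    if edit_distance(_skeleton(sender), _skeleton(vendor)) <= 2:
        return "lookalike"
    return "foreign"


@dataclass
class Vendor:
    name: str
    domain: str          # domain the vendor has always corresponded from
    phone_on_file: str   # number recorded at onboarding, before any request
    account: str


@dataclass
class ChangeRequest:
    vendor_name: str
    sender_email: str
    new_account: str
    requested_by: str    # employee who logged the request
    urgent: bool = False # "pay today or we stop shipping" style pressure


@dataclass
class Callback:
    """Phone verification made by a second employee."""
    phone_called: str
    confirmed_account: str
    performed_by: str


def evaluate(req: ChangeRequest, vendor: Vendor, callback: Optional[Callback]):
    """Return ('release' | 'hold', blocking reasons, advisory notes)."""
    holds, notes = [], []
    risk = domain_risk(req.sender_email, vendor.domain)
    if risk != "match":
        holds.append(f"sender domain is a {risk} of {vendor.domain}")
    if callback is None:
        holds.append("no out-of-band callback recorded")
    else:
        if callback.phone_called != vendor.phone_on_file:
            holds.append("callback went to a number not on file; a number given in the request proves nothing")
        if callback.confirmed_account != req.new_account:
            holds.append("callback did not confirm the requested account")
        if callback.performed_by == req.requested_by:
            holds.append("callback must be made by someone other than the requester")
    if req.urgent:
        notes.append("request applies time pressure; urgency is a red flag, not a reason to skip the callback")
    return ("hold" if holds else "release"), holds, notes


# --- constructed sample data -------------------------------------------------
VENDOR = Vendor("Acme Supplies", "acme-supplies.com", "+1-555-0100", "US00 ACME 0001")
# Capital I standing in for lowercase l, a new account, and urgency.
FRAUD = ChangeRequest("Acme Supplies", "ar@acme-suppIies.com", "LT00 9999 9999",
                      requested_by="a.smith", urgent=True)
# The requester dialled the number printed in the email and reached the attacker.
BAD_CALLBACK = Callback("+1-555-0199", "LT00 9999 9999", performed_by="a.smith")
LEGIT = ChangeRequest("Acme Supplies", "ar@acme-supplies.com", "US00 ACME 0002",
                      requested_by="a.smith")
GOOD_CALLBACK = Callback("+1-555-0100", "US00 ACME 0002", performed_by="b.jones")

if __name__ == "__main__":
    for label, req, cb in [("fraud, no callback", FRAUD, None),
                           ("fraud, attacker-number callback", FRAUD, BAD_CALLBACK),
                           ("legit, proper callback", LEGIT, GOOD_CALLBACK)]:
        decision, holds, notes = evaluate(req, VENDOR, cb)
        print(f"{label}: {decision}", *holds, *notes, sep="\n  ")
```

The design point is that the callback is only worth anything if it goes to a number the company already held before the request arrived, and is made by someone other than the person the email pressured; the script treats either lapse as a hold regardless of how legitimate the email looks.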
3. Facing little risk of retribution, scammers are making off with larger sums
Latest figures from the U.S. Internet Crime Complaint Center reflect more than , accounting for half of all losses from every type of cyber attack. According to APWG, “BEC attacks that sought wire transfers from victim companies sought an average of $75,000 - a 56% increase from $48,000 in the third quarter of 2020.”
But some scams have cost companies tens of millions. In one well-publicized case, an employee at a major auto manufacturer followed instructions to wire $37 million to a third party, only to discover shortly after that the request was fraudulent.
Once funds leave the company's accounts, they can be next to impossible to recover. Perpetrators route the money through banks in jurisdictions where corruption is rampant or that do not cooperate with U.S. authorities. Because the victim authorized the transfer, the sending bank cannot treat it as an unauthorized transaction, and there is little chance of regaining the money once it sits in one of those foreign accounts. The one lever a victim has is speed: a transfer reported to the sending bank and to the Internet Crime Complaint Center within hours can sometimes be frozen before it is moved on.
For public companies, large losses can have other negative downstream effects, including a degraded stock price, and the subsequent potential for shareholder lawsuits.
How to protect yourself from BEC
A few basic checks and balances can help companies reduce their vulnerability to BEC scams. Best practices include:
Greg Bangs is SVP, Crime Regional Leader - North America at AXA XL. He can be reached at gregory.bangs@axaxl.com.