In the current corporate climate, any finance pro’s inbox could unintentionally become a gateway to big financial losses.
Business email compromise (BEC) scams have increased 136% in recent years.
How much have they cost your peers? In the U.S., $2.9 billion has been lost to BEC scams in the past five years. Those statistics come straight from the FBI’s Internet Crime Complaint Center (IC3).
You can’t be everywhere, and you certainly can’t guard every staffer’s inbox.
That’s why, to protect your company, your finance teams need to know both the typical methods scammers use and effective defense strategies.
5 common, crooked tactics
What are the most common methods BEC scammers are using now? Here are the top five, per an analysis from IC3 and security provider Trend Micro:
- Supplier swindle. In these cases, scammers imitate a vendor your company has an established relationship with and request money for outstanding invoices.
- CEO fraud. After compromising an executive’s email, scammers impersonate him/her and ask for a money transfer. There’s often a sense of urgency, which can spur staffers to act quickly instead of questioning the email.
- Account compromise. Scammers hack an employee’s email and request invoice payments to vendors found in the address book or contact list.
- Attorney impersonation. Here, scammers pretend to be from a law firm and make requests that seem “crucial” and “confidential” to gain staffers’ trust.
- Data theft. Scammers attempt to access personal info (e.g., Social Security numbers, employee tax details) to file false tax returns or commit other types of identity theft.
Going on the defense
Big or small, automated or manual, all finance departments should have these five defenses in place, advise security experts:
- Authentication. Two-factor authentication (2FA) makes it harder for scammers to access your accounts. (Here are full details on setting up 2FA with Microsoft Office accounts.)
- Verification. Requests, especially wire transfer requests, should be verified with a “prescribed series of steps” (e.g., in-person confirmation, phone call). Remind staffers to always use the contact info they have on file, not the info in the email request.
- Questioning. This one’s a mental habit you’ll want to ingrain in staffers’ minds: Just assume wire transfer requests are suspicious “until proven otherwise,” experts say.
- Training. Showing your finance teams what BEC scams look like (and testing them regularly) will keep everyone on their toes.
- Technology. Today, many security solutions can block known/suspected BEC emails. Investing in this tech could save your company from big losses – and may be a good topic to broach at your next budget meeting.
Want more defense strategies? The IRS has also outlined six that it believes are essential for cybersecurity.