The wire transfer. When used responsibly, it is a fast and cost-efficient way for small businesses to transfer money. However, wire transfers are inherently risky and can be weaponized by cybercriminals. When combined with a Business Email Compromise (BEC) scam, wire transfers can be costly for unsuspecting businesses. In order to protect your organization against BEC scams, small business owners must understand the anatomy of the attack and the policies that need to be put in place.
We usually put the good stuff at the end, but we want to make sure our readers get the TL;DR, the single most important takeaway from this entire post:
If you are sending a wire transfer, especially one that is born out of an email conversation, you must confirm everything. Confirm the recipient is who they say they are, confirm that the bank account hasn’t been adjusted, confirm that the request is legitimate, confirm the approval from the boss, and confirm the email address is spelled correctly and isn’t a look-alike address. And do so using a secondary communication method. Pick up the phone, call, and confirm. Be certain that the transfer is 100% legitimate. This simple concept and 5 minutes of extra effort could save your company from significant financial loss.
What is a Business Email Compromise Scam?
A BEC typically begins after a successful phishing attack on one of your business accounts. Once access is gained, the threat actor will monitor the account, sometimes for months, and learn how your business operates. In their time monitoring the account they learn schedules, policies, and personnel dynamics, all of which will be used to help legitimize their primary attack: requesting a wire transfer.
The cybercriminal will lie in wait for an optimal time to strike. Perhaps the president or CEO is out of town, making the confirmation of the request more difficult. Or maybe they notice an email conversation discussing payment to a client or a vendor. Once they have picked their moment, they strike by impersonating the CEO or a vendor and requesting the payment be made via wire transfer to an account they control. When executed correctly, these attacks are difficult to spot. All the insider knowledge the threat actor has gained while monitoring the account leads to an exceptionally convincing attack.
How can you protect your business?
Wire transfers are inherently risky. It is nearly impossible to identify or track the recipient and once the money is wired, it is unlikely you will ever be able to get it back. Avoid using wire transfers whenever possible. If you must utilize a wire transfer, here are a few concepts and policies to consider:
Require two employees to sign off on a wire transfer. This not only makes it more difficult for the cybercriminal to execute an attack, but it also doubles the odds that someone will notice an incongruity. If possible, the business owner, admin, or CEO should be one of the approvers.
As stated earlier, confirm everything. Require fund requests to be confirmed by a secondary form of communication. This means that if you have been working exclusively over email, use a phone call to confirm the request. Do not just reply to the email. If that account is compromised, spoofed, or a look-alike, then you are still talking with the bad guy.
In addition to the last point, do not forget to confirm phone numbers. Do not trust the phone number in the signature. If the threat actor has control of the account, they can edit the signature too.
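The three policies above (two distinct approvers, an out-of-band confirmation, and a callback to a number you already have on file rather than one taken from the email) can be enforced before a transfer is released. The following is an added example, not code from the original post or from Salvus TG; the vendor master file, the IBAN-style account strings, and the phone numbers are constructed placeholders. The key design point is that every check compares the request against a system of record, never against details supplied in the request itself.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class VendorRecord:
    """A vendor as recorded in the company's own master file (system of record)."""
    name: str
    account: str   # beneficiary account on file
    phone: str     # callback number on file, NOT the one in an email signature


# Constructed vendor master file for illustration.
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "Fabrikam": VendorRecord("Fabrikam", "IBAN-CONSTRUCTED-001", "+1-555-0100"),
}


@dataclass
class WireRequest:
    """A wire request as it arrives from the email conversation."""
    vendor: str
    account: str                 # account the email asks us to pay
    amount: float
    requested_by: str            # employee who entered the request
    approvals: Set[str] = field(default_factory=set)
    callback_number_used: Optional[str] = None   # number actually dialed
    callback_confirmed: bool = False             # vendor confirmed by voice


def release_checks(req: WireRequest,
                   vendor_master: Dict[str, VendorRecord] = VENDOR_MASTER,
                   required_approvers: int = 2) -> List[str]:
    """Return the list of policy violations; an empty list means the wire may go out."""
    problems: List[str] = []

    record = vendor_master.get(req.vendor)
    if record is None:
        problems.append("vendor not in master file")
    else:
        # Red flag: the email asked for a different account than the one on file.
        if req.account != record.account:
            problems.append("beneficiary account differs from vendor master")
        # The callback only counts if it went to the number on file.
        if req.callback_number_used != record.phone:
            problems.append("callback not made to number on file")

    if not req.callback_confirmed:
        problems.append("request not confirmed out of band")

    # Two approvers, and the person who keyed in the request does not count.
    approvers = req.approvals - {req.requested_by}
    if len(approvers) < required_approvers:
        problems.append(f"need {required_approvers} approvers distinct from requester")

    return problems


def can_release(req: WireRequest) -> bool:
    """Convenience wrapper: True only when every check passes."""
    return not release_checks(req)


if __name__ == "__main__":
    # Constructed request whose account was "updated" in the email thread.
    suspicious = WireRequest("Fabrikam", "IBAN-CONSTRUCTED-999", 12500.0, "clerk",
                             {"controller", "ceo"}, "+1-555-0100", True)
    for problem in release_checks(suspicious):
        print("HOLD:", problem)
```

Wiring this into a real payment process is a matter of where the data lives; the logic stays the same: the account and phone number come from your records, and the requester cannot approve their own request.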
Meticulously inspect all emails requesting funds for red flags. For example, check the sending address for misspellings or edits. Make sure that the email came from @contoso.com, not @conntoso.com or @cont0so.com with a zero instead of an o. When you are working hard and reading 1000 emails a day, it is easy to overlook these subtle inconsistencies.
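Because people skimming a thousand emails will miss @cont0so.com, it helps to have the mail system flag sender domains that merely resemble the ones you trust. The following is an added example, not code from the original post or from Salvus TG: it classifies a sender address against a constructed allow-list of trusted domains, first folding common digit-for-letter substitutions (0 for o, 1 for l, rn for m) and then applying a similarity ratio to catch inserted or doubled letters such as @conntoso.com. The homoglyph table and the 0.85 threshold are assumptions chosen for illustration; tune both against your own mail.

```python
import re
from difflib import SequenceMatcher
from typing import Optional, Set

# Constructed allow-list: domains this hypothetical business legitimately mails with.
TRUSTED_DOMAINS: Set[str] = {"contoso.com", "fabrikam.com"}

# Single-character substitutions often used to build look-alike domains.
# Illustrative, not exhaustive.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(address: str) -> Optional[str]:
    """Extract the domain from 'user@host' or 'Name <user@host>'; None if absent."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return match.group(1).lower() if match else None


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'cont0so.com' and 'fabrikarn.com' read as intended."""
    folded = domain.lower().translate(_HOMOGLYPHS)
    # Multi-character confusables cannot go through str.translate.
    return folded.replace("rn", "m").replace("vv", "w")


def classify_sender(address: str,
                    trusted: Set[str] = TRUSTED_DOMAINS,
                    threshold: float = 0.85) -> str:
    """Return 'trusted', 'lookalike', 'unknown', or 'invalid' for a sender address."""
    domain = domain_of(address)
    if domain is None:
        return "invalid"

    # Exact match, or a genuine subdomain of a trusted domain (e.g. mail.contoso.com).
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"

    # A trusted name used as a *leading* label (contoso.com.invoice-portal.net)
    # is a different registrable domain dressed up to look familiar.
    if any(domain.startswith(t + ".") for t in trusted):
        return "lookalike"

    folded = normalize(domain)
    if folded in trusted:
        return "lookalike"            # caught by character folding alone

    # Inserted, doubled, or transposed letters: compare similarity after folding.
    for t in trusted:
        if SequenceMatcher(None, folded, t).ratio() >= threshold:
            return "lookalike"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including the two from the text above.
    for sample in ("ap@contoso.com", "Alice <alice@conntoso.com>",
                   "alice@cont0so.com", "bob@example.org"):
        print(f"{sample:35} -> {classify_sender(sample)}")
```

"Unknown" is not "safe": it only means the domain does not resemble one you already trust. The useful action on "lookalike" is to hold or tag the message so the fund request is verified by phone, which is the policy the post is asking you to adopt anyway.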
Use multifactor authentication wherever possible, especially on email accounts. Microsoft states that enabling multifactor authentication eliminates over 99% of breaches. This can stop a BEC before it can start.
Train your staff. At the end of the day, a wire transfer request is nothing more than a bad guy asking for money. There are no sleek devices with blinky lights that will protect your business from an employee simply agreeing to a wire transfer request. It is critical that all employees know how to spot cyberattacks like phishing, BECs, and wire transfer scams.
It is vital for small business owners to be mindful of this style of attack as trends indicate that it will only become more common. By implementing the concepts and policies above, you can insulate your business from falling prey to a BEC or wire transfer scam. If you are interested in building a cybersecurity plan to protect your small business from all cyberthreats, including BEC scams, Salvus TG is ready to help. Reach out to us today or give us a call at 816-222-1100.