Business email compromise (BEC) is a form of fraud that targets businesses in all industries. One of the main goals, of course, is getting at the money. To accomplish this task, fraudsters sometimes pose as third-party vendors and send an invoice to accounts payable departments asking for money to be wired overseas.

Using tricks as simple as slightly altering the email address (such as changing @legitvendor.com to @legit-vendor.com), these criminals often fool an unsuspecting employee into processing the request. Often, they’ll ask for relatively small amounts of money (perhaps “only” in the tens of thousands) so the request won’t flag a supervisor.

Some 75% of BEC attacks involve this type of email spoofing. This system is so successful, it has worked with even the largest Internet titans; in April 2017, it was revealed that both Google and Facebook lost $100 million to phony invoices, with scammers masquerading as their mutual hardware supplier Quanta.

While some vendors attempt to prevent fraud by issuing paper checks instead of allowing wire transfers, this method is more vulnerable than it seems. This is because it can be difficult to cancel a check and they can be easily replicated to create even more fraudulent transactions.

Payment Best Practices: Verify Vendors, Confirm Payment Requests

The best way to combat BEC, according to the FBI, is to first verify you are working with a legitimate vendor. This can be done by only dealing with companies that:

  • Hold the copyright, trademark, or patent to the merchandise in question
  • Use reputable companies (Best Buy, Staples, etc.) for all purchases
  • Have a physical address, working email and phone number

Once you have decided on a set of selected vendors, the FBI recommends creating a master vendor list; this list should be controlled/updated by someone who cannot also write checks or disperse funds.

When a vendor request comes in, invoice information should be compared to the master list. Additionally, invoices over a certain dollar amount should automatically require additional verification — calling the phone number on the official vendor list, contacting a supervisor, or both. Incoming messages from supervisors that have unusual requests or come from outside the traditional communications should also be confirmed through an established channel.

Security Awareness

Educate & Prepare Your Workforce With Security Awareness Training

The best way to ensure these vendor payment policies are implemented is to invest in a program that will both educate employees and assess company-wide security awareness.

To help you create, implement and enforce an effective BEC policy, InfoSec Institute created SecurityIQ, an awareness training and phishing simulation program. It offers 100s of modules on a variety of subjects tailored to employee role and security aptitude. Topics include phishing, BEC, social engineering and much more.

SecurityIQ also lets you create and distribute mandatory security policies through the platform, which employees can be required to sign off on before starting any courses. This ensures they both know about and agree to company requirements.

You can also use PhishSim™, the SecurityIQ phishing simulator, to monitor employee phishing susceptibility. It includes 800+ phishing templates in multiple languages and difficulty levels — including 20 BEC phishing simulations. PhishSim is powered by SecurityIQ analytics, so you can adjust simulation difficulty based on your team’s aptitudes, roles and past performance.

If your team takes the bait, they will learn exactly what they missed in real time. SecurityIQ analytics will log the event and enroll high-risk employees into additional trainin

Additionally, PhishSim recently introduced PhishNotify Defender™, an email plugin that adds a further layer of defense. Any users that fail simulations can have their email permissions dynamically modified so that they cannot click on any further links; PhishNotify also works as a tool for other employees to flag any incoming suspicious emails for quarantine.

As a whole, SecurityIQ will provide the training needed to help your workforce identify and prevent BEC attacks. To request a free 30-day SecurityIQ trial, visit securityiq.infosecinstitute.com or call (888) 930-3454.