A common belief about identity theft is that it happens mostly to individuals, for example when Social Security numbers and other personal information are obtained. Businesses are also subject to identity impersonation. The remainder of this article discusses business e-mail scams and the best practices the Federal Bureau of Investigation (“FBI”) suggests for minimizing their likelihood.
Regardless of the nature of your business, anyone opening an e-mail is a potential target for hackers. These illegitimate e-mails or “phishing e-mails” imitate e-mail addresses you would commonly send mail to or receive mail from.
Keith Kelly of the New York Post recently reported that Bonnier Publications was defrauded of $1.5 million. Bonnier is a leading magazine publisher with offices in New York City and Winter Park, Florida. According to Kelly, the hackers breached the e-mail of then-CEO David Freygang, who stepped down from his position weeks after the scam. A hacker impersonating Freygang by e-mail instructed a Bonnier accounting department employee to wire transfer $1.5 million to China. Days after the first scam, the hackers made a second attempt at defrauding the media company. This time employees of Bonnier Publications thwarted the attempt and saved the firm from another $1.5 million scam. Kelly reports that the Chinese international authorities have been “uncooperative” and have “not been helpful in identifying the owner of the account that was receiving the stolen money”. Frequently, once the funds are out of the United States, they are gone, and it is difficult for firms and individuals to ever recoup them.
In 2014 American businesses were robbed of over $200 million. The average amount lost in a case of this nature was $150,000. Approximately 2,000 American businesses have been negatively affected, and the number of victims is expected to grow rapidly as computer hackers become more capable.
We are all potential targets, but the companies most likely to be preyed upon are those that send wire transfers and do not have proper internal controls. For this reason the FBI has issued a fraud alert on wire transfers in an effort to prevent and monitor potential cybercrime. The FBI has a name for cyber scams such as the one Bonnier suffered: business e-mail compromise (BEC) scams. In response to the recent rise in cyber attacks, the FBI has released guidelines and measures to prevent loss and repeat attacks on innocent U.S. businesses. The IC3 Public Service Announcement does just that.
SUGGESTIONS FOR PROTECTION
The IC3 suggests the following measures to help protect you and your business from becoming victims of the BEC scam:
- Avoid Free Web-Based E-mail: establish a company website domain and use it to establish company e-mail accounts in lieu of free web-based accounts.
- Be careful what is posted to social media and company websites: job duties/descriptions, hierarchical information, and out of office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures and 2-step verification processes:
  - Out of Band Communication: establish other communication channels, such as telephone calls to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  - Digital Signatures: both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
- Delete Spam: immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
- Forward vs. Reply: do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Significant Changes: beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
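The address checks in the list above (free web-based e-mail, "Forward vs. Reply" and "Significant Changes") can be partly automated on inbound mail. The following Python example is added here and is not part of the IC3 guidance; the address book, domain names, sample messages and flag names are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: contacts already verified out of band, and a
# short list of free web-based e-mail providers.
ADDRESS_BOOK = {"ceo@example-corp.com", "ap@supplier-example.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(raw_message):
    """Return reasons to verify this message by phone before acting on it."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    known_domains = {domain(a) for a in ADDRESS_BOOK}
    flags = []
    if sender not in ADDRESS_BOOK:
        d = domain(sender)
        if d in FREE_WEBMAIL:
            flags.append("free-webmail-sender")
        elif any(0 < edit_distance(d, k) <= 2 for k in known_domains):
            flags.append("lookalike-domain")
    # "Reply" would send the answer here rather than to the address on file.
    if reply_to and reply_to != sender and reply_to not in ADDRESS_BOOK:
        flags.append("reply-to-mismatch")
    return flags


# Constructed sample messages (only the headers matter here).
LOOKALIKE = "From: David <ceo@example-c0rp.com>\nSubject: Wire today\n\nUrgent."
REDIRECTED = ("From: ceo@example-corp.com\nReply-To: ceo.private@gmail.com\n"
              "Subject: Wire\n\nKeep this confidential.")
CLEAN = "From: ap@supplier-example.com\nSubject: Invoice\n\nAttached."
```

An empty result is not proof of legitimacy: a breached mailbox sends from the real address, which is why verification by telephone still applies to significant transactions.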
If you believe that your business may have received a fraudulent e-mail or is a victim of BEC, we recommend that you immediately file a complaint with the IC3 at www.IC3.gov. Remember to protect business information because the business saved could be your own. We would be glad to help you review your internal controls over wire transfers. Please call us at 212-605-0276 if you have questions or would like additional information.