Are you familiar with a Business Email Compromise or “BEC?” Well, it’s likely that you’ve seen the news stories, received the email blasts, your IT director or vendor has mentioned it once or twice, but you have thought – why would a scammer target me? My company doesn’t fit the profile of Equifax or Home Depot, no one is going to target my business. You are wrong. If this issue is not at or near the top of your business’ threats assessment, it should be.
When forensic and IT professionals in this space describe the threat, it is in terms of “when”, not “if.” Every American business is being targeted and you can do little to prevent your company from being attacked. But you can take steps to be ready when it happens.
- Get educated. How are scammers attacking businesses this month? The Federal Bureau of Investigations has an entire division focused on cyber-crimes. This agency is one resource for staying on top of new trends in how businesses are being attacked from cyberspace.
For example, a common cyber scheme is a BEC Scam or “Business Email Compromise.” These scams take multiple forms and are often aimed at businesses that regularly perform or accept wire transfer payments. The scammer may send your accounts payable department fraudulent wire instructions and escape with the funds as soon as they hit the fraudulent account. It may be days or weeks before your company – or your customers’ company – even notices.
The fraudulent instructions may come from a hacked or spoofed email system – or a combination of both. In the end, your business may find itself paying twice for the same products or services or not paid at all if a customer refuses or is unable to pay twice.
- Assess where your largest vulnerabilities are to the common schemes. Do you have longstanding relationships with the customers/vendors you are sending wire transfers to or are you communicating with a nameless/faceless off-shore accounts payable department? Do you have written policies and procedures to ensure you regularly train your employees on how to handle irregular or changed payment instructions? Who has access to your IT infrastructure and how is that access audited and safeguarded from intrusion? How vigilant and aware are your staff to these potential threats? This assessment should be a collaborative process with your IT staff or a third-party vendor so you can truly understand where your vulnerabilities might be.
- Put in place cost-effective safeguards to prevent, mitigate and insure against potential cyber threats. These safeguards can range dramatically based on the individual business. Some businesses do not accept wire transfer payments and insist on mailed checks. All businesses should invest in training their accounts payable teams and management to spot BEC scams. All businesses should also investigate cyber-insurance that covers both business interruption and the potential for business loss in the event of a BEC Scam. And, you need to plan for the worst-case scenario. How will your company respond if your servers are locked down by ransomware? Who will you contact if your AP team is duped by a BEC scam and accidentally wires $100,000 overseas?
Continuous education, a thorough risk assessment, and implementation of targeted safeguards will go a long way to prevent future cyber attacks on your company and mitigate the damages if an attack is successful. And, in the unfortunate event a cyber attack results in a dispute with a vendor or customer, a member of the BFV team can assist in assessing who bears legal and financial responsibility for the loss.