Skip to content

October Is National Cybersecurity Awareness Month – Be Cyber Alert and Guard Against Business Email Compromise

October 8, 2021

This month is the 18th Annual National Cybersecurity Awareness Month in the United States, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cyber Security Alliance. This year’s theme is again “Do Your Part. #BeCyberSmart.” Being Cyber Smart includes awareness of current threats like business email compromise (BEC), phishing, ransomware, and supply chain compromise. This Alert addresses BEC.

Business Email Compromise (BEC) is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes. BEC is a scheme in which an attacker uses fraudulent email to impersonate an executive, business contact, or other person to get a transfer of funds, money, or sensitive information.

BEC takes multiple forms. It sometimes involves spearphishing (fraudulent, targeted email) that appears to be from a business executive, business contact, or party to a transaction. It can also involve a fraudulent email from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion. When BEC involves the takeover of a legitimate email account, it is called Email Account Compromise (EAC). The FBI’s Internet Crime Complaint Center (IC3) reported that the adjusted losses for BEC incidents reported in 2020 were almost $1.9 billion, the highest losses for any crime.

A common form of BEC is fraudulent wire transfer instructions, like a fraudulent email, appearing to be from a CEO or other senior official (COO, CFO, etc.), with instructions to immediately pay “a vendor,” or appearing to be from a vendor, with new wire transfer instructions to a criminal’s account. A variation is an email that appears to be from the attorney or real estate agent for a seller, with fraudulent payment instructions for the proceeds of a real estate sale or to a buyer to “hijack” the wire transfer of the payment of the purchase price. Another common example is the W-2 scheme, in which a fraudulent email, appearing to be from a corporate officer, directs an employee in payroll to send copies of W-2 tax forms to him or her by email. The information from the W-2s is then used to get refunds from fraudulent electronic tax returns. In schemes involving EAC, the fraudulent emails may be sent from legitimate accounts.

Businesses and organizations can best prevent BEC/EAC and mitigate losses, if they occur, by:

  • Adopting policies and procedures (like verifying and reconfirming payment instructions or changes and information requests from a known contact not provided in the email and prompt reporting of phishing attempts and security incidents);
  • Conducting ongoing security awareness training;
  • Implementing security technology (like spam filters, external email flags, multifactor authentication, use of secure email), and
  • Implementing incident response plans for BEC/EAC, including steps like (1) promptly notifying management, the bank, data breach counsel, the FBI and IC3, other law enforcement, and insurance carriers, (2) containing any compromise, by, for example, conducting a global password reset and checking for any suspicious email rules, and (3) preserving evidence.

If you have questions about the content of this alert, please contact David Ries (dries@clarkhill.com; 412.394.7787), Melissa Ventrone (mventrone@clarkhill.com; 312.360.2506), or another member of Clark Hill’s Cybersecurity, Data Protection, and Privacy Group.

Subscribe for the latest

Subscribe

Related

Event

Webinar: Special Education Bootcamp - Compliance Foundations Under IDEA

Whether you are new to special education leadership or looking to reinforce your foundational knowledge, this interactive webinar will provide a comprehensive overview of the core compliance requirements under the Individuals with Disabilities Education Act (IDEA). Designed for school leaders who are responsible for ensuring legally sound practices, this session will offer practical tools and strategies to help participants navigate common procedural and substantive pitfalls, support sound decision-making, and build a compliant and student-centered special education program.

Explore more
Event

Telehealth Week Webinar 2025: Navigating Legal Changes and Future Trends for Healthcare Providers

Join Paul Schmeltzer, Carrie Foote, and John Howard for our one-hour annual Telehealth Week webinar, focused on the evolving legal landscape of telehealth. This session will cover key topics, including the upcoming DEA final rule on prescribing controlled substances via telehealth, federal reimbursement concerns for telehealth, and what healthcare providers need to prepare for other upcoming changes.

Explore more
Event

Webinar: The Transatlantic Tightrope: AI, ESG and the Evolving Duty of Care for Multinational Companies

Join Mariah Leffingwell and Sam Saarsteiner for a conversation, moderated by co-chair of Clark Hill’s ESG & Sustainability advisory practice, Maram Salaheldin,  that bridges the Atlantic—and the gap between innovation and accountability—as they explore how today’s duty of care must adapt to tomorrow’s technologies.

Explore more