
October Is National Cybersecurity Awareness Month – Be Cyber Alert and Guard Against Business Email Compromise

October 8, 2021

This month is the 18th Annual National Cybersecurity Awareness Month in the United States, sponsored by the Cybersecurity and Infrastructure Security Agency and the National Cyber Security Alliance. This year’s theme is again “Do Your Part. #BeCyberSmart.” Being Cyber Smart includes awareness of current threats like business email compromise (BEC), phishing, ransomware, and supply chain compromise. This Alert addresses BEC.

Business Email Compromise (BEC) is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes. BEC is a scheme in which an attacker uses fraudulent email to impersonate an executive, business contact, or other person to obtain a transfer of funds or sensitive information.

BEC takes multiple forms. It sometimes involves spearphishing (fraudulent, targeted email) that appears to be from a business executive, business contact, or party to a transaction. It can also involve a fraudulent email from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion. When BEC involves the takeover of a legitimate email account, it is called Email Account Compromise (EAC). The FBI’s Internet Crime Complaint Center (IC3) reported that the adjusted losses for BEC incidents reported in 2020 were almost $1.9 billion, the highest losses for any crime.

A common form of BEC is fraudulent wire transfer instructions: a fraudulent email appearing to be from a CEO or other senior official (COO, CFO, etc.) with instructions to immediately pay “a vendor,” or appearing to be from a vendor with new wire transfer instructions that direct payment to a criminal’s account. A variation is an email that appears to be from the attorney or real estate agent for a seller, with fraudulent payment instructions for the proceeds of a real estate sale, or fraudulent payment instructions sent to a buyer to “hijack” the wire transfer of the purchase price. Another common example is the W-2 scheme, in which a fraudulent email, appearing to be from a corporate officer, directs an employee in payroll to send copies of W-2 tax forms to him or her by email. The information from the W-2s is then used to get refunds from fraudulent electronic tax returns. In schemes involving EAC, the fraudulent emails may be sent from legitimate accounts.

Businesses and organizations can best prevent BEC/EAC and mitigate losses, if they occur, by:

  • Adopting policies and procedures (like verifying and reconfirming payment instructions, changes to them, and information requests with a known contact not provided in the email, and promptly reporting phishing attempts and security incidents);
  • Conducting ongoing security awareness training;
  • Implementing security technology (like spam filters, external email flags, multifactor authentication, and secure email); and
  • Implementing incident response plans for BEC/EAC, including steps like (1) promptly notifying management, the bank, data breach counsel, the FBI and IC3, other law enforcement, and insurance carriers, (2) containing any compromise, by, for example, conducting a global password reset and checking for any suspicious email rules, and (3) preserving evidence.
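
One way to carry out the “checking for any suspicious email rules” step in the incident response item above, shown as an added example that is not part of the original alert. It reviews a constructed export of mailbox rules for external forwarding and for rules that hide payment-related mail; the rule field names, the example.com domain, the keyword list, and the folder list are all assumptions to adapt to your mail platform's export.

```python
import re

# Assumption: the organization's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"example.com"}
# Assumption: terms a payment-fraud rule is likely to filter on.
KEYWORDS = re.compile(r"invoice|payment|wire|bank|remit|w-?2", re.I)
# Assumption: folders users rarely open, where replies can sit unnoticed.
HIDING_FOLDERS = {"rss feeds", "conversation history", "junk email", "deleted items"}

def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def audit_rule(rule):
    """Return the reasons a mailbox rule deserves review (empty list = none)."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(a for a in targets if is_external(a))
    if external:
        reasons.append("forwards externally: " + ", ".join(external))
    hidden = rule.get("delete", False) or rule.get("move_to", "").lower() in HIDING_FOLDERS
    terms = rule.get("subject_contains", []) + rule.get("body_contains", [])
    if hidden and any(KEYWORDS.search(t) for t in terms):
        reasons.append("hides or deletes payment-related mail")
    elif hidden and rule.get("mark_read", False):
        reasons.append("silently files mail as read")
    return reasons

def audit(rules):
    """Map (mailbox, rule name) to review reasons for every flagged rule."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            findings[(rule["mailbox"], rule["name"])] = reasons
    return findings

# Constructed sample export: one dict per rule (field names are hypothetical).
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": "Newsletters",
     "subject_contains": ["newsletter"], "move_to": "Reading"},
    {"mailbox": "ap@example.com", "name": "x",
     "forward_to": ["collector@mail.example.net"]},
    {"mailbox": "cfo@example.com", "name": "sync", "mark_read": True,
     "subject_contains": ["wire", "invoice"], "move_to": "RSS Feeds"},
    {"mailbox": "cfo@example.com", "name": "Team",
     "forward_to": ["assistant@example.com"]},
]

if __name__ == "__main__":
    for (mailbox, name), reasons in audit(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: {'; '.join(reasons)}")
```

Export the rules and preserve the export as evidence before disabling or deleting anything that is flagged.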

If you have questions about the content of this alert, please contact David Ries (dries@clarkhill.com; 412.394.7787), Melissa Ventrone (mventrone@clarkhill.com; 312.360.2506), or another member of Clark Hill’s Cybersecurity, Data Protection, and Privacy Group.
