Business email compromise, or BEC, is a cyberattack in which criminals send businesses emails containing fraudulent requests for money. It is an easy way for a thief to get hold of funds without ever having access to the bank account, and you should know how it works before it affects you.
Business email compromise is a type of cybercrime in which attackers obtain confidential information from business accounts. It can happen, for example, when an email that appears to come from an employee asks your company’s IT department for help with their computer, but the message was actually sent by the attacker, who receives the reply. The attacker then uses that information to get into your company’s network and steal data or commit other crimes.
As most people are aware, email fraud is on the rise. What is startling, though, is the growth of phishing scams aimed at financial advisers. These phishing attacks are known as business email compromise scams (BEC scams).
According to a 2018 SEC analysis, business email compromise attacks cost publicly listed corporations over $5 billion in financial damages between 2013 and 2017. While BEC scams affect a wide range of businesses, financial advisers are particularly vulnerable because they have money. It’s your money.
In this post, we’ll:
- Explain what BEC scams are.
- Discuss the different kinds of BEC scams.
- Cover two real-life client case studies in which BEC schemes were attempted.
- Describe how you and your financial adviser can avoid being duped by a BEC scam.
Let’s start with an explanation of what a BEC scam is.
What is a BEC scam?
According to the FBI, a BEC scam involves sending an email that poses as a legitimate request from a known source.
This may look like:
- A vendor your firm uses sends an updated mailing address for invoice payments.
- A title company sends a homebuyer instructions on how to wire the down payment for closing.
- A customer receives an email from their bank’s finance department asking them to verify private information.
- In the case of financial advisers, someone poses as a client and emails a request to move money to a bank account. We’ll go over this in more detail later, but first, let’s look at some of the methods thieves use to carry out BEC schemes.
How Do Criminals Carry Out BEC Scams?
Scammers use a variety of methods to carry out BEC fraud. Here are four of the most common methods fraudsters use in BEC attacks.
Phishing campaigns are emails sent from an attacker’s account that attempt to trick unsuspecting victims into handing sensitive information to the attacker. That information may be only one piece of what the scammer needs to carry out the fraud.
Phishing emails may be customized to gather any sort of information, such as:
- Information about money
- Personally identifiable information (PII), meaning information that identifies you and isn’t considered public. Social Security numbers and driver’s license numbers are two examples.
- Information about a payment, such as an account number
The FBI has been warning Americans about phishing for a long time. In 2018, the FBI’s Internet Crime Complaint Center issued a public service announcement describing how criminals use social engineering to collect payroll information from employees. Here’s how it works:
- A cybercriminal sends a phishing email to a targeted employee’s email account.
- The criminal obtains the employee’s corporate account login credentials.
- The criminal diverts the employee’s salary to phony bank accounts.
- The employee’s account is locked, and the employee no longer has access.
Another scenario is when a USAA member receives an email from USAA asking them to update certain information on file. However, it’s possible that it’s not from USAA at all.
That’s because the attacker may have spoofed it.
Spoofed emails are created when BEC attackers alter a real email address or website address slightly.
Your friend John Smith, for example, writes you an email from a Gmail account. But John does not have a Gmail account; his real address is at hotmail.com.
The attacker created the Gmail account as a bogus address, and any reply to this email goes to the attacker.
Alternatively, you may be sent to a slightly different URL for a website you often visit. That website looks nearly identical to the real one, so the difference goes unnoticed.
For instance, the insurance site of USAA (hyperlinks deleted) is:
https://www.usaa.com/inet/wc/auto-insurance?wa_ref=pub_global_products_ins_auto
This doesn’t seem to be all that different from
https://www.usaaa.com/inet/wc/auto-insurance?wa_ref=pub_global_products_ins_auto
Only a keen eye would notice the extra ‘a’ in the second link. That link would take the victim to a website controlled by the cybercriminal.
Malicious URLs are often hidden behind link text in the message body, which makes it hard to tell whether a link is genuine.
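The two checks described above (is the sender’s real address the one on file for that contact, and is a link’s domain a near miss for a trusted one) can be automated. The following is an added example, not code from the original post; the trusted-domain list, the contact list and the edit-distance threshold of 2 are assumptions, and the registrable-domain helper ignores multi-part suffixes such as co.uk.

```python
"""Flag sender addresses and URLs whose domain is a near miss for a trusted one."""
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the firm and its clients legitimately use (assumption).
TRUSTED_DOMAINS = {"usaa.com", "hotmail.com"}
# Constructed contact list: display name -> domain that contact actually writes from.
CONTACTS_ON_FILE = {"john smith": "hotmail.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: one inserted, deleted or swapped character counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (assumption: no multi-part suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain: str) -> str:
    """'trusted' if allowlisted, 'lookalike' if within edit distance 2 of an allowlisted
    domain (usaaa.com vs usaa.com), otherwise 'unknown'."""
    domain = registrable_domain(domain)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(levenshtein(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


def check_url(url: str) -> str:
    """Classify the host a link actually points at, regardless of its visible text."""
    return classify_domain(urlparse(url).hostname or "")


# Matches 'Display Name <user@host>' as well as a bare user@host.
_ADDR = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s@]+)@([^<>\s]+)>?\s*$')


def check_sender(from_header: str) -> str:
    """Judge the real address, not the display name: a known contact writing from a
    domain other than the one on file is reported as a mismatch."""
    m = _ADDR.match(from_header)
    if not m:
        return "unparseable"
    name = (m.group(1) or "").strip().lower()
    domain = registrable_domain(m.group(3))
    expected = CONTACTS_ON_FILE.get(name)
    if expected and expected != domain:
        return "contact-domain-mismatch"
    return classify_domain(domain)
```

A hit of "lookalike" or "contact-domain-mismatch" is a reason to pick up the phone rather than reply to the message.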
Spear phishing
Spear phishing is similar to spoofing, except that it involves a message that appears to come from a trusted sender and requests sensitive information from the target.
Unlike phishing, which is essentially a numbers game, spear phishing is a focused attack.
Employees of a firm might be the target of such an attack. Rather than obtaining personal information, however, the goal might be to get corporate data.
Criminals are increasingly using spear phishing to get into businesses.
Thanks to social media and publicly available information, scammers already know a lot about most individuals.
That spear-phishing email with the subject line “We’re reviewing our records, please verify your account” is merely an attempt to gain the final piece of information that isn’t public.
As in typical phishing attempts, this might include account numbers, PINs, passwords, user names, or other information.
Whaling (whale phishing) is a very narrowly focused kind of spear phishing.
Whaling targets top executives, such as the CEO of a firm, who may have the most access inside the corporation.
Malware, or malicious software, is often used to gain access to enterprise networks and documents. Typically, it arrives as a malicious attachment.
Information gathered this way is often used to time requests or messages so that the staff who handle payments do not question them. Malware may also be planted inside a company to gain access to an individual employee’s email account or to customer data, which can then be used in future attacks.
BEC Scams Against Financial Advisers
The most concerning trend is that fraudsters are targeting financial advisers with business email compromise schemes. A successful BEC attack against an unsuspecting adviser can wipe out a client’s funds even though the client did nothing wrong!
Here are three reasons why financial advisers are being targeted by BEC scams.
The foundation for trust has already been laid.
It takes a lot of faith for investors to put their money in the hands of a financial adviser. We spend a lot of time talking about financial planning’s technical parts, such as investing, Roth conversions, and tax planning.
But the fact is that trust is a two-way street. As a result, a financial adviser may be inclined to believe an email from a client about a wire transfer, even though they need to be on the lookout.
This is partly because most financial advisers are quite busy. They are running their own small company.
Many financial advisers are small business owners.
Small business owners understand how much time it takes to run a successful company. If you’re the CEO and the head janitor, you’re probably in charge of compliance too.
The majority of financial advisers keep their compliance processes up to date. Otherwise, the Securities and Exchange Commission (SEC) or their state’s regulatory agency would shut them down.
Cybersecurity is also becoming a higher priority for auditors. However, not all financial advisers have taken the message on board.
Finally, there’s another reason fraudsters are targeting the accounts your adviser manages.
That’s where all the money is!
The Investment Adviser Association reported that SEC-registered investment advisers managed approximately $110 trillion in 2020, up from $43 trillion in 2010.
As a result, fraudsters have a strong incentive to target the accounts that your adviser manages on your behalf.
We saw numerous attempted BEC frauds while I was a financial adviser. Fortunately, we were not duped, and our clients’ funds were not lost.
Let’s go through each one so you can keep an eye out for what these people are up to.
BEC Scam Case Study #1
A client emailed us requesting that a large sum be moved from her investment account to a “relative.” The email included instructions on exactly how to send the wire.
The wire request was unusual because we already had bank account transfer details on file for this client. We were also cautious because we know our client’s personality, and this email seemed out of character.
As part of our standard verification process, we phoned to confirm that this was really what she intended. “No,” the client said. “I did not send this email. Thank you for letting me know; I’ll look into it.”
When she looked into it, she discovered that someone had gained access to her email account and had been monitoring her messages for some time. The attacker crafted an email that looked just like her earlier messages in the hope that we would simply comply with the request.
The attacker then deleted the fraudulent email from our client’s ‘Sent’ folder in the hope that she would not notice it.
This client would have lost a great deal of money if our staff hadn’t been alert and if our firm hadn’t put systems in place to verify emailed requests.
BEC Scam Case Study #2
This attempt was a bit more subtle, a little more intricate, and a little more devious than the last one.
Another client emailed us requesting that $5,000 be sent to his bank account. This client asks for $5,000 or $10,000 every now and then, so at first it didn’t seem unusual.
At the same time, he got an email from his wife requesting a $5,000 transfer to another account. Following our standard protocol, we phoned, verified, and processed the first request, since the client genuinely needed the money.
His wife’s email account, however, had been hacked, and neither spouse was aware of it. Because she was copied on the email thread about the first transfer, the fraudster watched our usual procedure play out.
Once the fraudster saw that the first transfer had been completed, he or she sent the second email. Our client was concerned that we had been copied on that email (we hadn’t) and instructed to make a transfer to an unknown bank account.
Because we had phoned to confirm his first request, he was confident that we would call to confirm the second one as well.
In this case, our firm’s protocols and our client’s awareness kept the email breach from becoming more serious.
Your adviser should be on the lookout for fraud at all times.
What You Can Do to Avoid BEC Scams
There will always be people who try to defraud you. Perhaps you keep a modest web presence. Even so, a highly motivated individual is likely to find enough publicly available material to work with.
BEC scams, however, only succeed if the scammer can get that essential piece of information that isn’t readily available online: a password here, a PIN there, or the answers to security questions (such as “what color was your first car?”).
There are steps you can take to protect yourself. Although several of these security practices are well known, they are worth repeating:
Maintain the most recent versions of your antivirus and anti-malware software.
The simplest way to do this is to download and install updates regularly. Although updating software is annoying, it is the most effective way to keep your antivirus protection current.
Password management
It’s not enough to just keep your password to yourself. Attackers are getting smarter. Here are some tips on proper password management.
Use passwords that are difficult to guess.
Everyone understands that a mix of letters, numbers, and special characters should be used. A few years ago, passwords of 8 to 10 characters were common. Security experts now increasingly recommend passwords of 16, 20, or even 25 characters combining letters, numbers, and symbols.
For each website, use a separate password.
What if one of your accounts is compromised? The attacker is likely to try your login details elsewhere.
If you use the same combination everywhere, you’re in trouble.
To keep passwords safe, use a password manager.
If you have a manager that remembers everything for you, it’s much easier to stay on top of password hygiene.
If you only use Apple devices, the iCloud Keychain will almost certainly suffice. Your information is also protected if you lose your phone, thanks to biometric unlocking such as facial recognition or fingerprint scanning on iOS devices.
If you switch between different operating systems often, consider investing in a third-party password manager. A password manager can also generate strong, unique passwords for you.
For your logins, use two-factor authentication.
Two-factor authentication means a login requires the entry of a code (typically delivered by SMS or email, or generated by an app) before access is granted. Most banks require it to help protect against fraud.
Pause when you get an email from “someone” asking you to do anything.
Look for mistakes in the sender’s email address (not the display name). If you get an email prompting you to log into a website (such as your bank’s), don’t click the link. Instead, type the URL into your browser and log in from there.
Call the friend or family member if you see anything unusual.
Check whether they really sent the email. Similar frauds are also appearing on social media sites such as Facebook and LinkedIn.
Instead of replying to the email, pick up the phone and call.
Sign up for the Federal Trade Commission’s fraud warnings.
Visit the FTC’s website for further information. From there you can report fraud, learn more, or sign up for email alerts.
Hold your trusted advisers accountable.
Most banks follow standardized processes and are likely to be up to date on the latest banking rules.
Your smaller professionals, on the other hand, who have access to your money and personal information, may not have corporate resources, IT budgets, or the infrastructure needed to protect it. Think of your accountant, your estate attorney, and your financial adviser.
Even so, they should take reasonable precautions to protect your personal information.
What can my adviser do to keep my data safe?
Your financial adviser can (and should) be doing more to secure client data even without a corporate budget.
The Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA), which regulates broker-dealers, are both cracking down on advisers who do not have adequate safeguards in place. FINRA has fined financial advisers who failed to call clients to verify transfer requests (as mentioned above).
Here is what your financial adviser should be doing to secure your accounts, and how you can check it:
Have procedures in place to authenticate a client’s identity whenever a request to move money out of their investment account is received.
This should be done over the phone, not by text, email, or social media.
Before money left your account, your adviser should have personally called you to verify the request. If that did not happen, ask your adviser to set up a standing instruction so that no money leaves the account until you specifically authorize it.
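The callback policy above, together with the warning signs from the two case studies (a destination account that is not on file, an unusual amount, a request arriving by email), can be written down as a gate that every outbound transfer passes through. This is an added example, not code from the original post or from any firm; the client profile, the account identifiers and the “three times the median” threshold are constructed assumptions.

```python
"""Gate every outbound money-movement request behind an out-of-band phone callback."""
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Set


@dataclass
class ClientProfile:
    name: str
    phone_on_file: str                           # the only number ever used for callbacks
    accounts_on_file: Set[str] = field(default_factory=set)
    past_transfers: List[float] = field(default_factory=list)  # amounts previously verified


@dataclass
class TransferRequest:
    amount: float
    destination_account: str
    channel: str                                 # "email", "text", "social" or "portal"
    callback_number_in_message: Optional[str] = None  # "call me on ..." offered by the sender


@dataclass
class Verdict:
    hold_for_callback: bool
    number_to_call: str
    flags: List[str]


def assess(req: TransferRequest, client: ClientProfile) -> Verdict:
    """Every request is held until the client confirms by phone; the flags tell the
    caller which details to read back and confirm explicitly."""
    flags = []
    if req.channel in ("email", "text", "social"):
        flags.append(f"request arrived by {req.channel}, which cannot be trusted on its own")
    if req.destination_account not in client.accounts_on_file:
        flags.append("destination account is not one on file for this client")
    if client.past_transfers and req.amount > 3 * median(client.past_transfers):
        flags.append("amount is far above this client's usual transfers")
    if req.callback_number_in_message and req.callback_number_in_message != client.phone_on_file:
        flags.append("message supplies a callback number that differs from the one on file")
    # Policy from the text: dial the number on file, never one offered in the message.
    return Verdict(hold_for_callback=True, number_to_call=client.phone_on_file, flags=flags)


def decide(verdict: Verdict, client_confirmed_by_phone: bool) -> str:
    """Release only on a positive phone confirmation; otherwise cancel and have the
    client check whether their mailbox has been compromised (case study #1)."""
    if verdict.hold_for_callback and not client_confirmed_by_phone:
        return "cancel-and-investigate-mailbox"
    return "release"
```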
Your adviser should adhere to the same (and higher) standards as you do.
The list above is a fairly basic set of identity-protection measures that everyone should have in place. Your adviser should be doing more.
Procedures should be spelled out in your adviser’s compliance manual.
Every registered investment adviser is required to have a compliance manual. It’s essentially the firm’s ‘rulebook’ for how things should be done. It’s also the first thing an auditor looks at during a surprise audit.
At a minimum, your adviser’s compliance manual should cover:
- Employee education
- Password protection
- Data encryption
- Software standards
- Where client data is kept
- How people outside the office access client data (working from home, public wi-fi, etc.)
- Physical security
- Website security
- Protection against viruses and malware
Every employee should answer the same question the same way.
During an audit, an auditor verifies that all workers are following the compliance manual’s rules and recommendations. After all, if no one observes the rules, what use is the compliance manual?
For a lone adviser who does most (if not all) of their own work, this isn’t normally an issue.
If you’re a client of a larger firm, though, one of the risk areas may not be the adviser but the quality of the staff. In a larger firm, the person who actually processes your money transfer may not be the adviser but a member of the support staff. It doesn’t matter what the adviser tells you if that person isn’t adequately trained.
In a well-run office, you shouldn’t get two different answers about how a money transfer is handled from two different staff members.
If the adviser says, “We’ll call to double-check before we transfer any money,” you should get the same answer from everyone else.
If two or more people could perform the task, they should all be able to describe the same procedure. That is a hallmark of a firm that follows established security standards, and such a firm will most likely protect you against fraudsters and identity theft.
Your adviser’s security should be multi-layered.
Good security isn’t any ONE of these measures. It’s ALL of them, layered on top of each other: password protection, physical security, private wi-fi connections, and so on, to make the firm a hard target.
Your adviser should be able to send and receive documents securely.
Email doesn’t count, since it can be compromised. A client portal on the firm’s website or a third-party service with strict encryption requirements should be used instead.
Your adviser should assist you in remaining responsible for your personal safety.
When it comes to cybersecurity, you’re only as strong as your weakest link.
BEC scams are real. They’re particularly frightening because if your financial adviser falls for one, it can directly affect you. So talk to your financial adviser about the steps they’re taking to protect you, your information, and your money.