For some time, Business Email Compromise scams have threatened a company’s bottom line, luring and duping finance professionals into making erroneous payments to fraudsters. For those not aware of Business Email Compromise, this rapidly growing cyber scam involves fraudsters targeting a company by way of their suppliers. It’s become so pervasive it’s earned its own acronym: BEC.
BEC often starts with a phishing attack aimed at securing the login credentials to a supplier’s email system, but that’s only the first move. The ‘Endgame’ (sorry, Marvel) is to use those credentials to send seemingly legitimate e-mails from authentic sources, such as the supplier’s Accounts Receivable team or the CFO, informing their customer (the fraudster’s target company) of a change in bank details, or sending invoices that carry the fraudsters’ bank details.
This social-engineering aspect of the scam is so difficult to detect because the e-mail address of the sender is real, there are no suspect attachments, and the email is often written in the appropriate language style and nuance of the sender. It’s a ‘normal email’ from a trusted source, and as a result payment is often made. It’s worth noting that the deception goes further: the fraudsters will put filters (mailbox rules) in the supplier’s e-mail system so that they can intercept and respond to any e-mail queries from the target business before the real supplier sees them.
But what if you fell for the scam and the company sued you personally for losses?
It sounds farfetched but it isn’t far away.
In the UK there is a lawsuit against an employee of Peebles Media Group, Patricia Reilly, who received emails from a hacker impersonating her boss and requesting wire transfers. Reilly wired more than $250,000 before realising it was a scam. Not only did the company fire her, but it is also suing her for the remaining $138,000 it was not able to recover.
This lawsuit raises a very challenging and precarious debate. BEC and other cyber scams no longer endanger only an organisation’s finances; BEC now puts at risk employees’ individual reputations, personal finances, and arguably their current and future livelihood. It will certainly also impact their wellbeing. In addition to the lawsuit, we know of businesses that are expressing concern about finance staff stress levels as a result of being made responsible, never mind accountable, for avoiding erroneous payments. This added stress may lead to resignations and retention issues.
The suing of an employee who is in fact the victim of a scam certainly opens a new ‘impact frontier’. In addition to being emotionally vulnerable, staff may now be legally vulnerable. Finance departments, which were once safe zones, become high-risk workplaces.
And with companies using yesterday’s tools to fight tomorrow’s problems, they are exposing themselves and their staff to fraud with devastating repercussions.
In the UK case, lawyers for Reilly are seeking to dismiss the claim saying she had not received any training on how to identify online fraud. While it seems unfair for a company to hold an employee that they haven’t trained in fraud detection accountable, training may still not help.
Even a well-trained person may not detect a BEC-driven compromised email, because it doesn’t have the identifiable markers usually found in less sophisticated scams. The email addresses, supplier logos, details and even language are mimicked so you believe you are dealing with the real thing.
If businesses want real protection, they need to do more than just train their teams. Staying up to date with the latest scams is important and sharing this information with employees and trading partners is a start.
However, businesses need to regularly review company practices relating to password and security controls, and then establish protocols such as separation of duties and independent verification for changes to bank account details or requests for unusual payments.
And finally, and perhaps most importantly, engage tools to enhance their security. eftsure has a unique Know Your Payee (KYP™) platform that provides businesses with rich data on suppliers in real time, before they pay the wrong supplier. This is achieved by verifying the supplier’s BSB and account number and raising a red flag if the payment being made does not match. eftsure is the only company in Australia and possibly the world that offers this level of protection.
It is a combination of all of the above that will dramatically reduce the risk of BEC scams to your business.
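To make the two controls above concrete (verifying a payment against independently confirmed bank details, and separation of duties for any change to those details), here is an added example in Python. It is not eftsure’s code or the KYP platform, and not part of the original article; the suppliers, BSBs, account numbers and staff names are constructed sample values, and the six-digit BSB and 6–9 digit account-number formats are assumptions used only for basic input checking.

```python
import re
from dataclasses import dataclass

# Australian BSBs are six digits; the 6-9 digit account length is an assumption
# for this example, not a rule taken from any bank.
BSB_RE = re.compile(r"^\d{6}$")
ACCOUNT_RE = re.compile(r"^\d{6,9}$")


@dataclass(frozen=True)
class VerifiedSupplier:
    """Bank details confirmed with the supplier over a channel independent of
    e-mail (phone call to a known number, etc.). Constructed record, not a real supplier."""
    name: str
    bsb: str
    account: str


@dataclass(frozen=True)
class PaymentInstruction:
    """What accounts payable is about to pay, as keyed from an invoice or e-mail."""
    supplier: str
    bsb: str
    account: str
    amount: float


def normalise(bsb: str, account: str) -> tuple[str, str]:
    """Drop the dashes and spaces people type (e.g. '062-000') so comparisons are exact."""
    def strip(s: str) -> str:
        return s.replace("-", "").replace(" ", "")
    return strip(bsb), strip(account)


def check_payment(payment: PaymentInstruction,
                  registry: dict[str, VerifiedSupplier]) -> list[str]:
    """Return the red flags for a payment; an empty list means the details match
    the independently verified record and the payment may proceed."""
    flags: list[str] = []
    bsb, account = normalise(payment.bsb, payment.account)
    if not BSB_RE.match(bsb):
        flags.append("BSB is not six digits")
    if not ACCOUNT_RE.match(account):
        flags.append("account number is malformed")
    known = registry.get(payment.supplier)
    if known is None:
        flags.append(f"no verified bank details on file for {payment.supplier!r}")
        return flags
    if (bsb, account) != (known.bsb, known.account):
        # The BEC case: a legitimate-looking invoice or 'we have changed banks' e-mail
        # carries details that differ from what was confirmed out-of-band.
        flags.append(f"bank details differ from the verified record for {known.name}")
    return flags


def apply_bank_detail_change(registry: dict[str, VerifiedSupplier], supplier: str,
                             new_bsb: str, new_account: str,
                             requested_by: str, verified_by: str) -> dict[str, VerifiedSupplier]:
    """Separation of duties: the person who keys a change cannot be the one who
    confirmed it with the supplier out-of-band. Returns a new registry; the
    original is left untouched."""
    if not verified_by or verified_by == requested_by:
        raise PermissionError("independent out-of-band verification by a second person is required")
    bsb, account = normalise(new_bsb, new_account)
    if not BSB_RE.match(bsb) or not ACCOUNT_RE.match(account):
        raise ValueError("new bank details are malformed")
    updated = dict(registry)
    updated[supplier] = VerifiedSupplier(supplier, bsb, account)
    return updated


# Constructed sample registry (not real bank details).
SAMPLE_REGISTRY = {
    "Acme Widgets Pty Ltd": VerifiedSupplier("Acme Widgets Pty Ltd", "062000", "12345678"),
}


def demo() -> dict[str, list[str]]:
    """Run the checks over three constructed payments and return their flags."""
    ok = PaymentInstruction("Acme Widgets Pty Ltd", "062-000", "12345678", 4200.00)
    suspect = PaymentInstruction("Acme Widgets Pty Ltd", "062-000", "99887766", 4200.00)
    unknown = PaymentInstruction("Unknown Supplier", "062-000", "12345678", 100.00)
    return {
        "ok": check_payment(ok, SAMPLE_REGISTRY),
        "suspect": check_payment(suspect, SAMPLE_REGISTRY),
        "unknown": check_payment(unknown, SAMPLE_REGISTRY),
    }


if __name__ == "__main__":
    for label, flags in demo().items():
        print(label, "->", flags or "no red flags")
```

The point of keeping the verified registry separate from the payment run is that an e-mail, however convincing, can never by itself change what the company pays into; only a second person who has confirmed the new details with the supplier through a channel the attacker does not control can update the record, and every payment is compared against that record rather than against the invoice.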
No one is immune. Small businesses, SMEs and even global tech giants like Google and Facebook have been affected by BEC scams with devastating consequences and these scams are hitting Australian businesses at an alarming rate.
Regardless of how this particular UK case plays out, it could set a legal precedent for future scams, and with the increasing rate at which BEC scams are occurring, it won’t be long before cases like this reach our shores.