Protecting your organization from business email compromise
Free on-demand webinar
By ATB Financial 11 May 2021 5 min read
Business Email Compromise — or spear phishing — is one of the most common types of fraud reported to the Canadian Anti-Fraud Centre, says Aisha Kitchlew, Senior Manager, Fraud and Cybercrime at ATB.
Spear phishing is when a fraud actor or threat group sends an email — ostensibly from a known or trusted sender — in order to lure the targeted individuals into revealing confidential information or transferring a large sum of funds to what they believe is a trusted source or existing vendor.
The technique is popular among fraud actors and no business or organization is immune. Here’s what spear phishing has done to Canadian businesses:
- Business Email Compromise (BEC) is the second highest for monetary losses out of over 40 fraud types reported to the Canadian Anti-Fraud Centre.
- BEC has cost businesses worldwide more than $5 billion.
- The Canadian Anti-Fraud Centre reported that, as of March 31, 2021, Canadians had lost about $50 million to fraud.
- In 2020, Canadians lost over $106.4 million to fraud, $62.6 million of which was related to online fraud.
“These numbers still do underrepresent the scale of fraud that actually affected Canadians last year because the Canadian Anti-Fraud Centre does estimate that fewer than 5% of victims will actually file a fraud report with the agency or local law enforcement,” she says.
Given how frequently and deeply Canadian businesses are being impacted by BEC today, in this webinar Kitchlew will share how business leaders can educate themselves and their employees about BEC, also known as spear phishing. The webinar will cover:
- Fraud statistics
- Phishing types and techniques
- The anatomy of spear phishing
- Major types of BEC
- Red flags
- Mitigation measures
Phishing campaigns will often use a tactic called social engineering: “Social engineering is when someone attempts to gain information from you through manipulation. In today’s world, they might leverage topics such as the public’s heightened fears of COVID-19, vaccinations related to COVID-19, or COVID-19 testing, and use your emotions against you and for you to disclose highly confidential information,” says Kitchlew.
She points out that social networking sites like LinkedIn, Facebook, Instagram, and others have made it easier for fraud actors to find out personal information about you to make a spear phishing attack more customized and believable. As a result, individuals and businesses need to be mindful of what is being shared on social media accounts.
Spear phishing is only one type of phishing attack. Kitchlew says this type of phishing attack is on the rise because it is so lucrative for fraud actors. This is especially true during the pandemic lockdowns since employees are relying more on technology to communicate and work together.
Other types of phishing campaigns include:
- Content spoofing: This is the art of disguising communication from an unknown source so that it appears to come from a known source, says Kitchlew. Fraud actors can spoof email addresses, phone numbers, websites and even IP addresses.
- Pharming: This refers to malicious websites that are disguised as legitimate. For example, cyber criminals will create a website that looks legitimate and pay money to promote that website at the top of search engine results to lure victims to click on their website.
- Vishing/Smishing: These are phishing attacks conducted through phone calls or texts.
How spear phishing or BEC works: “Business email compromise [attacks] will aim to exploit the financial process controls that are designed and maybe implemented by your business to safeguard against fraud. That’s why it’s so important to know how they work and what controls you need to zoom in on to know that you're protected. Essentially, the fraud actors are targeting the employees of the business or organization, and not your technology,” she says.
These emails don’t usually contain malicious links or attachments, so they often bypass traditional security email protections. Your best security measure is to equip your employees with enough knowledge on how to spot and report BEC, so they can act as a human firewall to protect your organization. Here’s what they need to know:
Step 1: Research
Fraud actors will deeply research a target company using open sources, such as their website, social media posts, press releases and other publicly available information. “They will access each and every public record to determine and learn about the dynamics of the business and the individual they are trying to target,” says Kitchlew.
Step 2: Obtain email addresses
To send the fake email to their victim, the fraud actor needs an email address to send it from. They obtain this email address in two ways, she says. The first is by obtaining access to an email inbox through something like a data breach, or a simple phishing attack. The second option is to spoof the victim’s email address, which means creating an email address that looks almost identical to an existing address but uses alternative numbers or capital letters to disguise it.
Step 3: Execute
“Now that the fraud actor has all of the details that they need — who they are going to target, what information they need to use, and an email address to send the request from — the final step is to execute,” says Kitchlew.
The three common methods of BEC are CEO fraud, account compromise and vendor scams. Each will use information collected in the research phase to craft an email aimed at manipulating an employee into sending funds or making a payment. The content of the email will create urgency or pressure by suggesting reputational losses or severe outcomes are a possibility.
How to spot BEC: Kitchlew says these emails will typically include:
- Requests for personally identifiable information
- Atypical payment requests
- Urgent language
- Advance fee requests
- Anomalous account behaviour
- Sudden changes to established norms, such as a process change
Whenever you see an email that has any of these red flags, take a moment to check the email address, question the legitimacy of the request, and confirm any out of the ordinary requests by phoning the person who is asking.
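As an added defender-side example that is not part of the original article or ATB's material: a small Python check in the spirit of the advice above to confirm the email address and watch for the red flags. It folds the digit and capital-letter substitutions described in Step 2 so that a lookalike sender collapses onto the trusted address it imitates, and scans the message body for the red-flag phrases. The trusted-sender directory, keyword lists and sample message are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed directory of known-good vendor and executive addresses.
TRUSTED_SENDERS = {
    "accounts@northwind-supplies.example": "Northwind Supplies (vendor)",
    "ceo@example-corp.example": "CEO",
}

# Red-flag phrases modelled on the article's list (assumed keyword choices).
RED_FLAG_PATTERNS = {
    "urgent language": r"\b(urgent|immediately|right away|asap|today)\b",
    "atypical payment request": r"\b(wire|transfer|new (bank )?account|updated banking details)\b",
    "request for personal information": r"\b(password|sin|social insurance|date of birth)\b",
    "advance fee request": r"\b(processing fee|deposit required|advance payment)\b",
}

# Digit-for-letter substitutions used to build lookalike addresses (Step 2).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

def normalize(address: str) -> str:
    """Lowercase (folds capital-letter tricks) and undo common digit substitutions."""
    return address.strip().lower().translate(HOMOGLYPHS).replace("rn", "m")

def lookalike_of(sender: str, trusted=TRUSTED_SENDERS, threshold=0.9):
    """Return the trusted address a sender imitates; None if it is exact or unrelated."""
    if sender.strip().lower() in trusted:
        return None  # exact match with a known-good address
    norm = normalize(sender)
    for known in trusted:
        known_norm = normalize(known)
        if norm == known_norm or SequenceMatcher(None, norm, known_norm).ratio() >= threshold:
            return known
    return None

def assess(sender: str, body: str) -> dict:
    """Flag a lookalike sender and red-flag phrases; recommend phone verification if any hit."""
    flags = [name for name, pat in RED_FLAG_PATTERNS.items() if re.search(pat, body, re.I)]
    impersonated = lookalike_of(sender)
    return {"sender": sender, "impersonates": impersonated, "red_flags": flags,
            "verify_by_phone": impersonated is not None or bool(flags)}

if __name__ == "__main__":
    # Constructed sample in the style of a vendor-scam BEC email ("0" replaces "o").
    print(assess("acc0unts@northwind-supplies.example",
                 "Urgent: please wire today's invoice to our updated banking details."))
```

A real deployment would run this against parsed mail headers and feed the result to a reporting workflow rather than a print statement; the point is that the normalization step is what makes the lookalike visible.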
How to mitigate the risks of BEC: To stop this type of fraud at your business, Kitchlew recommends the following:
- Review existing processes and procedures, including segregation of duties for financial transfers.
- Require multiple signatures on electronic transfers.
- Educate your employees about the types of scams, what to watch out for and what to do when they suspect fraud. You can also hire a company to simulate phishing campaigns as part of their training.
- Obtain verbal confirmation from the sender of an email when any red flags appear in it.
- Make multi-factor authentication mandatory at your business.
- Confirm the email address before taking action on a request to ensure it isn’t a fake address disguised to look credible.
- Partner with your bank to explore ways to prevent unauthorized transactions.
- Educate your employees so that they know what to look for.
“It might seem costly to implement security controls and update business practices, but accepting that risk or it being completely unknown is likely going to cost you more in the long run,” says Kitchlew.
While we want this information to be useful for you, we make no promise, representation or warranty about its accuracy or completeness. We don’t accept any liability or responsibility whatsoever for any loss arising from any use of this document or its contents. This information is not kept up-to-date. Without our prior consent, this document may not be reproduced in whole or in part, or referred to in any manner, including any information, opinions and conclusions it contains. This document is provided for information purposes only and is not intended to replace or substitute for professional advice.