How To Lose A Million Dollars In A Minute. Or Not.


Business email compromise is a generic sounding name for a type of cyberattack that can devastate your business. It’s so serious that losses to date are estimated to be in the billions. And there’s no real technology solution to BEC, as it’s known in the law enforcement community.

Business email compromise is a generic sounding name for a type of cyberattack that can devastate your business.

“We’ve released a public service announcement about business email compromise,” said FBI supervisory Special Agent Jill Mansfield. Mansfield said that the estimated losses globally are more than $26 Billion. And she said, there are new twists in this rapidly changing means of scamming businesses.

When the internet reaches out to touch you, it may not be a good thing.


Chances are you’ve heard about BEC, but perhaps not under that name. One type of BEC is what’s called CEO fraud, in which a company official with the ability to direct the transfer of funds from the company bank account, does so on the orders contained in an email. Generally, the email appears to come from the company CEO, and uses a rationale that the company is about to make a large acquisition or other large purchase, and that a large amount of money is to be wired to a bank account, the details of which are included in the email.

Once the money is transferred to the other bank, it’s nearly impossible to get back, because it’s then transferred again through a series of several accounts, making it difficult to trace. While the FBI can sometimes assist in getting the money back, it’s by no means a sure thing.

The Seal of the Federal Bureau of Investigation is seen in this undated photo. (AP Photo)


Meanwhile, the attackers have added new twists, which Mansfield said is payroll diversion. “Company payroll departments are being contacted,” she said. “They receive an email requesting that their direct deposit be changed.” But of course the email is really from a spoofed employee account.

“Some companies have reported that employees have received phishing emails before the criminal sends email,” Mansfield said. Those phishing emails come to employee email addresses that are either available on the company website, social media or on the dark web. While those phishing emails may also have other purposes such as getting login credentials, at least part of the reason they’re sent is to confirm that the person is still employed and getting email.

A similar attack involves vendors and suppliers. According to Mansfield, these attacks consist of an email to the company’s accounting department informing them of new banking information for direct payments. The new banking details are for the attackers, as you might expect, and payment for goods or services gets directed to them. Depending on the vendor this can amount to significant amount of money before the diversion is found.

Taking action to prevent these attacks requires you to make changes in how you protect your company information, how your payment procedures work and how you train your employees. A great deal also depends on how security aware your employees are.

“It ultimately needs to start with a security culture. It needs to be driven by the C-level in the organization, but the best is that the board and the CEO are buying in on the security concept,” said Stu Sjouwerman, CEO of Knowbe4, a security training firm.

Sjouwerman said that it helps to get started by determining the level of training by your employees, then determining how much they know about security and finally how motivated they are to take action. He said that his company provides a free phishing test to see whether your employees are aware of the right way to respond to attacks.

While phishing attacks are only part of the problem of BEC attacks, the awareness of phishing and the social engineering that goes with it also goes a long way in helping your employees understand the social engineering that goes with BEC and CEO fraud.

Once you’re satisfied that your employees have a working knowledge of phishing and social engineering, it’s time to move on to the next steps. At the top of the list of next steps is a change to your procedures when it comes to money transfers of any type.

First, require out-of-band confirmations of any email request to send money or to change information about payments of any type. Out-of-band means that the confirmation needs to take place through some means other than however the request came in. Normally this might mean a voice phone call to whoever requested the change, using a number that’s already in your HR records, not the number that came with the email.

But because some types of fraud also use the phone, it’s important that you initiate the call from numbers you already have. Don’t just return a phone call to the number that may have been involved in a request. You may also want to develop a code word for what might be considered major requests to prevent a confirmation call going to a hacked phone system.

Second, create a companion policy that ensures employees that they will never be punished for following the above procedure, even if it slows down a money transfer that you’re in a hurry to see happen.

Note that those confirmation calls need to be made to employees changing their banking details, or to suppliers changing their payment information. These payments amount to thousands of dollars, and not protecting yourself can result in your company losing the money. And don’t count on your insurance company covering it for you.

“There is case law that requires an organization to provide protection against threats at a reasonable level,” Sjouwerman said. “If you don’t have them in place you can be sued, or your insurance company can refuse to cover damages because you have failed to provide a reasonable level of protection.”

There’s more to preventing BEC than just having the right policies, however. You must also control what information is available to the outside world so that it can’t be used against you. This means you need to protect your employee contact information. Don’t give out the employee phone book, don’t put contact information in your website or third-party sites such as LinkedIn. For staff that need to be reached from the outside, provide a web form that can be used to provide a means of contact. And don’t post employee phone numbers in public.

And of course you still need to protect your network from being hacked, if only to prevent the bad guys from getting the information they want directly. After all, those bad guys probably love your email as much as you do, because it provides them everything they need to conduct a BEC attack.

If you find out that you’ve already been hit with a BEC attack, Mansfield said you should call your back as soon as possible. She also said that it’s important to f ile a complaint with the FBI’s internet crime folks so they can follow up, and maybe help get your money back.