The BBC reports that a media company based in Scotland is now suing a former employee who fell for a Business Email Compromise (BEC) scam. In the scam, the employee received emails that appeared to come from the managing director and requested wire transfers. The employee worked with her line manager on the first payment and then made three further payments while her direct manager was on vacation. In total, £193,250 was transferred to the scammers. The company recovered £85,000 from its bank and is suing the employee, who had already been fired over the incident, for the remaining £108,000, arguing that she ignored a standard checkbox security warning from the bank about wire transfer scams.
It’s time to stop blaming the victims of email scams and instead put in place user training, security controls, and process controls to prevent Business Email Compromise scams from occurring.
Train your employees – for free
The employee in this case claims she never received training from the company on how to stop online fraud. Like many employees, when an email request appears to come from an executive, the recipient is often so focused on appearing responsive that they do not realize the email is an impersonation. It is important to make sure your employees are aware of these attacks and can look for the signs that an email is a fraud. Train them not to respond, act on the request, open an attachment, or click on a link when an email is suspicious or unexpected.
Free phishing simulation and user training is available with Trend Micro Phish Insight. With it you can send test phishing emails to your users, reward / recognize employees who identify the emails as suspicious, and offer training to those who need it most. Phish Insight is free for all organizations.
Prevent BEC scams with Email Security
BEC emails typically carry no malicious attachment or malicious URL and rely solely on social engineering. This makes detection difficult without security controls designed specifically to catch these attacks. Cloud App Security for Office 365 uses two AI methods to detect BEC scams. First, an expert rule system looks for social engineering cues and attacker behaviors. Among the rules is one that flags a match between the names of high-profile users and the sender's display name when the email comes from a free email account domain. A machine learning model then decides how best to weigh and combine all the rules for the most accurate detection.
Second, Writing Style DNA is employed to spot the hardest-to-detect impersonation attempts. Writing Style DNA creates an AI model of the writing style of high-profile users such as executives. The model is built by extracting metadata from emails those users have previously sent. When an email arrives with a sender name matching or similar to a high-profile user, and it has not already been ruled out by the expert rule system, the style of the writing in the email is compared to the AI model for that high-profile user. You can see how it works in this short video.
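To make the expert-rule idea from the two paragraphs above concrete, here is an added example of a display-name impersonation check, written for this article and not Trend Micro's code. It implements the rule described above (an executive's name in the sender's display name while the message comes from a free email domain) alongside two related rules, and combines them with fixed weights. The executive list, webmail domain list, payment phrases, rule weights and both sample messages are constructed assumptions; the page says a machine learning model learns the weighting in the real product, and the writing-style comparison is not reproduced here.

```python
"""Expert-rule style check for display-name impersonation in inbound email.

Added illustration, not Trend Micro code. Names, domains, weights and the
sample messages below are constructed for the example.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the high-profile users to protect and their real addresses.
HIGH_PROFILE = {
    "Alice Example": "alice.example@example-media.co.uk",
}
ORG_DOMAINS = {"example-media.co.uk"}
# Assumption: consumer webmail domains (abbreviated constructed list).
FREE_MAIL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                     "yahoo.com", "yahoo.co.uk", "icloud.com", "protonmail.com"}
# Assumption: payment-themed phrases that BEC lures tend to use.
PAYMENT_PHRASES = ("wire transfer", "bank transfer", "payment", "invoice",
                   "urgent", "confidential")

# Constructed weights; the free-mail rule alone is enough to cross the threshold.
WEIGHTS = {
    "exec_name_from_free_mail": 0.6,
    "exec_name_from_foreign_domain": 0.5,
    "exec_name_wrong_address": 0.4,
    "reply_to_domain_mismatch": 0.2,
    "payment_language": 0.1,
}
FLAG_THRESHOLD = 0.6


def _normalize(name: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def display_name_match(display_name: str, threshold: float = 0.85):
    """Return the high-profile user whose name equals or closely resembles
    the display name (catches look-alikes such as a transposed letter), else None."""
    cand = _normalize(display_name)
    if not cand:
        return None
    best, best_ratio = None, 0.0
    for name in HIGH_PROFILE:
        ratio = difflib.SequenceMatcher(None, cand, _normalize(name)).ratio()
        if ratio > best_ratio:
            best, best_ratio = name, ratio
    return best if best_ratio >= threshold else None


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _body_text(msg) -> str:
    """Concatenate all text/plain parts (works for single-part and multipart mail)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return " ".join(parts)


def score_message(raw: str) -> dict:
    """Apply the rules to one RFC 5322 message; return fired rules, score and verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    fired = []

    target = display_name_match(display)
    if target:
        if from_domain in FREE_MAIL_DOMAINS:          # the rule described in the article
            fired.append("exec_name_from_free_mail")
        elif from_domain not in ORG_DOMAINS:          # look-alike or unrelated domain
            fired.append("exec_name_from_foreign_domain")
        elif addr.lower() != HIGH_PROFILE[target].lower():  # right domain, wrong mailbox
            fired.append("exec_name_wrong_address")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        fired.append("reply_to_domain_mismatch")

    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()
    if any(p in text for p in PAYMENT_PHRASES):
        fired.append("payment_language")

    score = round(sum(WEIGHTS[r] for r in fired), 2)
    return {"impersonated": target, "rules": fired, "score": score,
            "verdict": "suspicious" if score >= FLAG_THRESHOLD else "clean"}


# Constructed sample messages (not real mail).
BEC_SAMPLE = """From: Alice Example <alice.example.md@gmail.com>
Reply-To: Alice Example <alice.md.office@outlook.com>
To: payments@example-media.co.uk
Subject: Urgent wire transfer

Hi, I am in a meeting and need you to process a confidential payment of
GBP 26,000 today. I will send the account details shortly. Thanks, Alice
"""

LEGIT_SAMPLE = """From: Alice Example <alice.example@example-media.co.uk>
To: payments@example-media.co.uk
Subject: Board pack

Please circulate the board pack before Thursday.
"""

if __name__ == "__main__":
    for raw in (BEC_SAMPLE, LEGIT_SAMPLE):
        print(score_message(raw))
```

The fuzzy name comparison is what makes the rule useful against display names such as "Alice Exmaple" or "Alice.Example", which an exact string match would miss; the trade-off is that the threshold needs tuning so that unrelated staff with similar names are not flagged. Note that the legitimate sample still triggers a name match, but none of the sender-address rules fire because the mailbox is the known one, which is exactly the distinction the expert rule is designed to draw.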
In addition to user training and security controls, your organization should also examine its wire transfer procedures and ensure that two approvals are required for every transfer, with any change of payee or account details confirmed out of band rather than by replying to the requesting email. The FBI provides guidelines for additional steps to harden your organization against these attacks.
Together with user training, security controls, and process controls, we can stop the $12 billion in losses to Business Email Compromise scams.