Can Your Business Identify Fraud?

Imagine one of your vendors calling to ask when they might receive payment for the last three months of service. Confused, you check your records, and sure enough, they show each month's payment was made on time. Perhaps you wonder whether this has something to do with the vendor's change in banking details, which coincided with the first missed payment. However, your vendor confirms that all payments should still be going to the original routing number. So where have your payments gone?

Over the past several years, the business world has increasingly felt the effects of one of the fastest-growing cybercrime trends: Business Email Compromise (BEC). This type of cyberattack occurs when an attacker pretends to be a trusted source and convinces a target employee to hand over either funds or sensitive information. This form of impersonation, known as a social engineering scam, is one of the most profitable types of cyberattack, resulting in the loss of billions of dollars each year globally. According to the FBI's Internet Crime Complaint Center, businesses that work with foreign suppliers, businesses that regularly transfer money by wire, and businesses that use public cloud email services are especially vulnerable to BEC attacks.

BEC attacks aren't the poorly spelled emails and texts full of grammatical errors, addressed to "Dear Customer", warning us that our account has been suspended or shut down. These newer, more sophisticated phishing scams are composed on official letterhead, usually appear to come from a trusted contact, and use email addresses that look remarkably legitimate. These well-constructed emails ask the target to perform actions that occur normally in the course of business. The three most common types of BEC, as defined by Techopedia, include:

  • Change order fraud – the attacker asks the victim to "update" a legitimate business partner's banking information with routing numbers supplied by the attacker. This type of attack is often used to redirect legitimate payments to an account under the attacker's control, but change order fraud can also be used to redirect expensive purchases, such as new computers, to a location of the attacker's choosing.
  • C-level fraud – the attacker poses as one of the company's C-level executives and tricks an employee who is authorized to transfer funds into wiring money to an account under the attacker's control.
  • Permission fraud – the attacker targets a manager who has access to employee personally identifiable information (PII) and steals permissions to conduct future attacks.
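A defender-side triage check for the change order pattern described above, added here as an example and not code from the original post: it flags emails that request a banking change and senders whose display name or domain imitates a known vendor, so finance can hold the request for an out-of-band callback. The vendor list (KNOWN_VENDORS), the phrase list and the helper names are constructed assumptions.

```python
import re

# Constructed vendor master record: the approved sender domain and AP contact
# for each vendor. A real deployment would load this from the vendor system.
KNOWN_VENDORS = {"acme-supply.example": "Acme Supply AP"}

# Phrases typical of a change order request: the attacker wants the target
# to "update" banking details before the next payment run.
BANK_CHANGE = re.compile(
    r"routing number|account number|new bank|updated? (our |the )?bank|wire instructions",
    re.I,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(display_name: str, sender: str, body: str) -> dict:
    """Return the flags raised and whether finance should hold the request."""
    domain = sender.rsplit("@", 1)[-1].lower()
    flags = set()
    if BANK_CHANGE.search(body):
        flags.add("bank_change_request")
    if domain not in KNOWN_VENDORS:
        flags.add("unknown_sender_domain")
        # Display name copied from a real vendor contact, but sent from elsewhere.
        if display_name in KNOWN_VENDORS.values():
            flags.add("display_name_spoof")
        # Domain only one or two characters away from a real vendor domain.
        if any(edit_distance(domain, known) <= 2 for known in KNOWN_VENDORS):
            flags.add("lookalike_domain")
    # Policy: every banking change is confirmed by phone using the number
    # already on file, never a number supplied in the email itself.
    return {"flags": sorted(flags), "hold_for_callback": "bank_change_request" in flags}
```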

As scammers become more sophisticated, businesses must be proactive, training employees and putting policies in place to protect sensitive information and financial assets. While the FBI has recommended practical steps to lower your risk of exposure, human error means that at some point things are going to go wrong. When someone falls for the newest scam, companies can minimize the damage by having a second layer of security in place, ready to automatically detect and stop the malicious activity. SIEM (security information and event management) systems can help protect data, using UEBA (user and entity behavior analytics) to block the social engineering threat as it occurs. Email security technology can also help identify and weed out fraudulent impersonation attempts. Technology alone, however, cannot protect your business. You need cybersecurity experts (yes, people) to tune and manage your technology, respond quickly to active threats, and provide ongoing training for your employees to maximize your cybersecurity posture.

The cybersecurity industry is constantly working to develop tools that integrate multiple security solutions into a consolidated program. Nuspective can analyze the specific security needs of your company and offers a wide range of options to make sure you reach those goals quickly and affordably.