We’ve all seen it. That urgent email hitting your inbox at 4:55pm from your boss asking you to do them one quick, simple favour. To some, it’s a modern inconvenience – an eye roll and a simple click of the delete button, but for others, it’s the kiss of death for their company’s future. This email has a name and it’s a growing concern for many businesses in Canada – it’s called Business Email Compromise and it’s crippling businesses big and small, the healthcare industry and even municipal governments.
What is Business Email Compromise?
Business Email Compromise (BEC), also known as CEO fraud, wire fraud, or business executive scam, is a sophisticated scheme that tricks a business into paying a sum of money to a fraudster. The BEC scheme is executed through the use of social engineering or computer intrusion techniques. According to the Canadian Anti-Fraud Centre (CAFC), BEC fraud has cost businesses worldwide, including Canadian businesses, more than $5 billion. The City of Ottawa learned this the hard way after Treasurer Marian Simulik wired $100K to fraudsters in a similar sting.
How to spot BEC?
BEC fraud includes several types of sophisticated frauds targeted at businesses. According to the CAFC, several types of BEC schemes have been seen in Canada. Here’s how to spot scams targeted at your business:
The CEO Scam
How it works: spoofed emails that look like they are being sent by senior executives, such as the president, Chief Executive Officer (CEO) or the Chief Financial Officer (CFO), are sent to individuals working in the company or business. The email will attempt to trick the employee into wiring money to a third party and include language making the request sound urgent and confidential. Often it instructs the recipient not to discuss the matter with anyone else.
How it works: spoofed emails that look like they are being sent by suppliers with whom your business has a well-established relationship request that you pay an invoice by wire transfer to a fraudulent account.
How it works: criminals may also seek sensitive financial information by making legitimate-sounding requests for tax statements or other confidential information about the business that they can use to commit fraud.
What are the risks to your business?
- Significant financial loss
- Reputational damage
How to defend your business against Business Email Compromise
- Implement a two-step payments verification process that includes a non-email check (such as a phone call or text) with the initiator.
- Reduce your risk. Consider investing in a Cyber Insurance policy to protect your business in the event of a security breach.
- Set up your email servers so that email from external sources that claims to be from your domain is blocked.
- Always use known contact details to follow up an email request for funds – but don’t reply directly to the initial email or use the phone numbers or other contact information included in the email.
- Set transaction limits on your business accounts that are within your risk appetite – and set different limits for different users.
- Be on alert any time there are changes to a supplier’s bank account information and take steps to verify these changes before making payments.
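The email-server item above (blocking external mail that claims to be from your own domain) can be sketched as a gateway check; this is an added example, not code from the original article. It assumes the placeholder domain `example.ca`, a gateway that stamps `Authentication-Results` headers as `mx.example.ca`, and constructed sample messages.

```python
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.ca"     # assumption: placeholder for your own domain
TRUSTED_MX = "mx.example.ca"  # assumption: authserv-id stamped by your own gateway

def from_domain(msg):
    """Lower-cased domain of the visible From: address ('' if missing)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_pass_for_us(msg):
    """True only if our own gateway recorded a DMARC pass for our domain."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, *results = [p.strip().lower() for p in header.split(";")]
        if authserv != TRUSTED_MX:
            continue  # stamped by someone else, so it may be forged
        for result in results:
            tokens = result.split()
            if tokens[:1] == ["dmarc=pass"] and f"header.from={OUR_DOMAIN}" in tokens:
                return True
    return False

def verdict(raw_message):
    """'block' external mail that claims our domain without authenticating."""
    msg = message_from_string(raw_message)
    if from_domain(msg) == OUR_DOMAIN and not dmarc_pass_for_us(msg):
        return "block"
    return "deliver"

# Constructed sample messages (not real traffic).
SPOOFED_CEO = (
    "Authentication-Results: mx.example.ca; spf=fail smtp.mailfrom=mailer.invalid;"
    " dmarc=fail header.from=example.ca\n"
    'From: "Pat CEO" <pat@Example.CA>\nSubject: Urgent wire\n\nKeep this confidential.\n')
FORGED_PASS = (
    "Authentication-Results: mx.attacker.invalid; dmarc=pass header.from=example.ca\n"
    "From: cfo@example.ca\nSubject: Invoice\n\nPay today.\n")
SUPPLIER = (
    "Authentication-Results: mx.example.ca; dmarc=pass header.from=supplier.example\n"
    "From: Accounts <ar@supplier.example>\nSubject: Statement\n\nAttached.\n")
OWN_SENDER = (
    "Authentication-Results: mx.example.ca; dkim=pass header.d=example.ca;"
    " dmarc=pass header.from=example.ca\n"
    "From: news@example.ca\nSubject: Newsletter\n\nHello.\n")

if __name__ == "__main__":
    for name in ("SPOOFED_CEO", "FORGED_PASS", "SUPPLIER", "OWN_SENDER"):
        print(name, verdict(globals()[name]))
```

The check only catches exact use of your domain in the From: address, so the non-email payment verification steps in the list above are still needed.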