Police warn public of business email compromise attacks
The Kingston Police Fraud Unit urges local businesses to be aware of a type of scam that is increasingly targeting the business world: Business Email Compromise (BEC) attacks.
According to a Kingston Police statement, BEC attacks involve an individual in a business clicking a seemingly harmless link in an email that allows malware to be deposited into their system. The malware then scans emails for sent or received invoices, sends an email that appears to be from the contractor or company advising that the company has changed its payment information, and requests payment to a new account number or a new electronic transfer address.
“BEC is the use of a forged email address or compromised email account to convince an individual or business to send funds from their account to an account owned or controlled by cybercriminals,” said Ash Gutheinz, Media Relations Officer – CORE Unit for Kingston Police. “Cyber criminals who commit BEC are essentially social engineers who take advantage of a person’s nature to respond quickly to urgent requests. They also take advantage of most employees’ lack of basic email security knowledge (i.e. recognizing a phishing attempt, how to assess the header of a suspicious email, or how to identify domain spoofing).”
Typically, the criminal targets a business using a phishing attack, according to police. The company employee receives a seemingly innocuous email asking the recipient to click on a link. Once the link is clicked, the malware is surreptitiously downloaded to the user’s computer or device, giving the culprit access to their email account.
According to the statement, the criminal then searches for emails containing invoices sent to or received from other companies. The criminal then sends an email to the subcontractor, either from the actual email account that was compromised, or from an email address created by the criminal that appears almost identical to the legitimate email account. Typically, they register an email domain that is the same as the spoofed one except for one altered character that is not easy to notice, police said.
The company that hired the subcontractor is then notified by the culprit – posing as the subcontractor – that the subcontractor’s company has changed its payment information, and either a new account number is provided for the electronic funds transfer or a new email address is provided for the wire transfer, according to the release.
In cases investigated by Kingston Police, losses are typically in the range of $10,000 to $70,000. Police said that in the United States, BEC has become the costliest type of cybercrime, causing billions of dollars in economic losses.
From the cases seen so far, once the money is sent to the recipient account, it is withdrawn and transferred in ways that are difficult or impossible to track, such as via Bitcoin or other cryptocurrencies, according to the press release.
The police urge companies to make their employees aware of this type of crime, in particular their accounting departments, which are the usual targets of this scam. Employees should be informed of the following:
- Phishing attempts. Do not click on any links you are not sure about.
- Any email communication advising of a change in the payment process (i.e. a new account to which the money is to be sent) should automatically trigger steps to authenticate the request, including calling the other company to confirm changes in person; and careful consideration of the email address that sent the request to change payment information.
- Any request to send wire transfers to email addresses that are not legitimate business email domains should be viewed as a red flag for fraud.
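The three checks above (a payment-change request, a sender domain that is a near-copy of a known vendor, and a wire request from a consumer webmail domain) can be scored automatically before a message ever reaches the accounting inbox. The following is an added example written for this article, not code from Kingston Police; the vendor allow-list, the webmail list and the sample emails are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed allow-list of domains belonging to vendors this (hypothetical) company pays.
# In practice this comes from the vendor master file in the accounting system.
KNOWN_VENDOR_DOMAINS = {"northshore-builders.com", "acme-electrical.ca"}

# Constructed list of consumer webmail domains: a wire request from one of these
# instead of a business domain is the red flag the police notice describes.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Phrases that announce a change of payment details (the core BEC pretext).
PAYMENT_CHANGE_PATTERNS = re.compile(
    r"(new|updated|changed)\s+(bank|account|payment|banking|wire|e-?transfer)"
    r"|\b(account|banking|payment) (details|information) (has|have) changed",
    re.IGNORECASE,
)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substituted, dropped or inserted character counts one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess_email(from_header: str, subject: str, body: str) -> list[str]:
    """Return the BEC red flags found; an empty list means none of the checks fired."""
    flags = []
    domain = sender_domain(from_header)
    # A payment change is flagged even from a known vendor domain, because the
    # request may come from a genuinely compromised account: verify by phone.
    if PAYMENT_CHANGE_PATTERNS.search(f"{subject}\n{body}"):
        flags.append("payment-change request: confirm by calling a known number")
    if domain in FREEMAIL_DOMAINS:
        flags.append(f"sender uses consumer webmail domain {domain}, not a business domain")
    elif domain and domain not in KNOWN_VENDOR_DOMAINS:
        for known in KNOWN_VENDOR_DOMAINS:
            # Distance <= 2 catches the one-character swaps (l/1, rn/m, a dropped letter)
            # used to register look-alike domains.
            if edit_distance(domain, known) <= 2:
                flags.append(f"look-alike domain {domain} resembles known vendor {known}")
    return flags
```

Calling `assess_email("Accounts <ap@northshore-bui1ders.com>", "Updated banking details", "Please send the next payment to our new account.")` returns both a payment-change flag and a look-alike-domain flag for the constructed sample, while a routine invoice from the real vendor domain returns an empty list.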
Training employees to be aware of these types of scams and the appropriate actions to take is critical to avoiding significant losses, police said.
According to the statement, good cybersecurity practices must be strictly observed, including strong passwords, regular password resets, a two-step or stronger authentication process, and awareness of phishing attempts.