Berks Barrister Winter 2018 - 36
www.BERKSBAR.org
BUSINESS E-MAIL COMPROMISE (BEC)
The $5 Billion Dollar Scam Targeting You
Continued from page 35
the transfer of funds. This type of BEC scam may occur at the end
of the business day or work week and be timed to coincide with
the close of business of international financial institutions.
Scenario 5: Data Theft
Fraudulent requests are sent utilizing a business executive's
compromised e-mail. The entities in the business organization
responsible for W-2s or maintaining PII, such as the human
resources department, bookkeeping, or auditing section, have
frequently been identified as the targeted recipients of the
fraudulent request for W-2 and/or PII. This data theft scenario of
the BEC scam first appeared just prior to the 2016 tax season. It
will peak again with this year's tax season.
TRENDS
Real Estate Transactions
The BEC/EAC scam targets all participants in real estate
transactions, including buyers, sellers, agents, and lawyers. The IC3
saw a 480% increase in the number of complaints filed recently
by title companies that were the primary target of a BEC/EAC
scam. The BEC/EAC perpetrators were able to monitor the real
estate proceeding and time the fraudulent request for a change in
payment type (frequently from check to wire transfer) or a change
from one account to a different account under their control.
I suggest a policy of confirming wire instructions by known
telephone numbers.
HOW TO AVOID BEC
Businesses with an increased awareness and understanding of
the BEC/EAC scam are more likely to recognize when they have
been targeted by BEC/EAC fraudsters, and are therefore more
likely to avoid falling victim and sending fraudulent payments.
Businesses that deploy robust internal prevention techniques
at all levels (especially for front line employees who may be
the recipients of initial phishing attempts) have proven highly
successful in recognizing and deflecting BEC/EAC attempts.
Some financial institutions reported holding their customer
requests for international wire transfers for an additional period of
time to verify the legitimacy of the request.
Some self-protection strategies:
* Avoid free web-based e-mail accounts: Establish a company
domain name and use it to establish company e-mail accounts in
lieu of free, web-based accounts.
* Be careful what you post to social media and company
websites, especially job duties and descriptions, hierarchal
information, and out-of-office details.
* Be suspicious of requests for secrecy or pressure to take action
quickly.
* Consider additional IT and financial security procedures,
including the implementation of a two-step verification process.
For example:
  o Out-of-Band Communication: Establish other
    communication channels, such as telephone calls, to
    verify significant transactions. Arrange this two-factor
    authentication early in the relationship and outside the
    e-mail environment to avoid interception by a hacker.
  o Digital Signatures: Both entities on each side of a
    transaction should utilize digital signatures. This will not
    work with web-based e-mail accounts. Additionally, some
    countries ban or limit the use of encryption.
* DO NOT open spam e-mail, click on links in the e-mail,
or open attachments. These often contain malware that may give
subjects access to your computer system.
* Avoid use of the "Reply" option to respond to any suspect
business e-mails. Instead, use the "Forward" option and either type
in the correct e-mail address or select it from the e-mail address
book to ensure the intended recipient's correct e-mail address is
used.
* Consider implementing two-factor authentication for
corporate e-mail accounts. Two-factor authentication mitigates the
threat of a subject gaining access to an employee's e-mail account
through a compromised password by requiring two pieces of
information to log in: (1) something you know (a password) and
(2) something you have (such as a dynamic PIN or code).
* Beware of sudden changes in business practices. For example,
if a current business contact suddenly asks to be contacted via their
personal e-mail address when all previous official correspondence
has been through company e-mail, the request could be fraudulent.
Always verify via other channels that you are still communicating
with your legitimate business partner.
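
The "Reply" and sudden-change checks from the list above, sketched in Python as an added example (not part of the original article): it compares the address that "Reply" would actually use with the address already on file for that contact. The contact name, the domains, the address book and the free web-mail list are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed, illustrative list of free web-mail domains (assumption).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "freemail.example"}

# Constructed address book: contact display name -> address on file.
ADDRESS_BOOK = {"dana reyes": "dana.reyes@title-co.example"}

# Constructed sample message: From looks right, Reply-To does not.
SUSPECT = (
    'From: "Dana Reyes" <dana.reyes@title-co.example>\n'
    "Reply-To: dana.reyes@freemail.example\n"
    "Subject: Updated wire instructions\n\nPlease use the new account.\n"
)

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def reply_path_findings(raw_message, address_book):
    """List the reasons why answering with "Reply" would be unsafe."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    target = reply_addr or from_addr  # where "Reply" would really send
    findings = []
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append("reply-to-domain-differs")
    known = address_book.get(name.strip().lower())
    if known is None:
        findings.append("sender-not-in-address-book")
    elif target != known.lower():
        # Covers look-alike domains and moves to a personal account.
        findings.append("reply-target-not-address-on-file")
        if domain(target) in FREE_WEBMAIL and domain(known) not in FREE_WEBMAIL:
            findings.append("moved-to-free-webmail")
    return findings

if __name__ == "__main__":
    for reason in reply_path_findings(SUSPECT, ADDRESS_BOOK):
        print(reason)
```

Any finding means the answer should go to the address on file, after the request has been confirmed by telephone.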