We have previously written about “phishing.” Phishing involves using social pressure or deception to trick the recipient into sending sensitive information, network access, or credentials to hackers posing as authorized users.
A newer and more insidious variant is the Business Email Compromise (BEC). In the typical vendor-invoice scheme, a hacker takes control of a vendor’s email account. Using that access, the hacker sends apparently bona fide invoices to the vendor’s regular customers and requests a change to the payment method used for previous invoices. The change is usually low key. It may simply ask that payment be sent to a different prominent American bank instead of the one used before. The hackers control the account at the second bank, and payments credited there are swiftly spirited out of the country. Not every BEC involves an actual account takeover: the same invoices are often sent from a look-alike domain registered to resemble the vendor’s, so a legitimate-looking sender address is not by itself proof that the request is genuine.
Any organization can be a BEC victim. In October 2020, the Wisconsin Republican Party reported that it had been victimized by a BEC. The party determined that hackers had stolen $2.3 million in campaign funds intended for use in the fall campaign. The hackers had submitted invoices that appeared to originate from four of the party’s vendors. The invoices directed payments to hacker-controlled accounts.
While less well known than other crimes such as ransomware or phishing, BEC is big business. Reported losses amount to billions of dollars every year. Detection is difficult because often nothing appears amiss: the email comes from a genuine vendor account, and the invoice looks like any other. And compared with breaking into systems directly, it is a simple, low-risk, profitable approach for hackers.
Law enforcement, organizations, and insurers are just beginning to grapple with BEC. Until new protocols are developed, the safest approach is the old-fashioned one. If a vendor requests a change in payment method or bank details, train accounts payable to pick up the phone and verify the request with a known counterpart. Use a phone number already on file, never one supplied in the email itself, since the person answering that number may be the hacker.
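The two situations described above (a vendor’s real mailbox taken over, and a look-alike domain) and the out-of-band verification rule can be turned into a simple accounts-payable screening step. The following is an added example written for this article, not code from the authors or from any vendor product. It assumes a hypothetical vendor master file (domain, bank account and phone number on file) and screens two constructed sample emails. It shows that when the vendor’s genuine mailbox is compromised, the sender checks pass and only the comparison of bank details against the record on file catches the fraud.

```python
"""Added example: screening a vendor invoice email for BEC indicators.

Not code from the original article. The vendor record, the screening rules
and both sample emails are constructed for illustration.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import parseaddr


@dataclass(frozen=True)
class VendorRecord:
    name: str
    domain: str        # email domain this vendor has always written from
    bank_account: str  # account number on file
    phone: str         # number on file; never the one printed in the email


# Hypothetical accounts-payable vendor master file (constructed).
VENDORS = {
    "acme": VendorRecord("Acme Supply", "acme-supply.com", "123456789", "+1-555-0100"),
}

ACCOUNT_RE = re.compile(r"account\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{6,17})", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def domain_of(header_value):
    """Bare, lower-cased domain from a From/Reply-To header ("" if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def levenshtein(a, b):
    """Plain edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, known):
    """Heuristic: `domain` imitates `known` (homoglyphs such as rn for m, a
    one-character edit, or the vendor's name under another registration)
    without being identical to it."""
    if not domain or domain == known:
        return False
    d = domain.translate(HOMOGLYPHS).replace("rn", "m")
    k = known.translate(HOMOGLYPHS).replace("rn", "m")
    return d == k or levenshtein(d, k) <= 1 or known.split(".")[0] in domain


def screen_invoice(raw_email, vendor_key):
    """Return the BEC indicators found in one invoice email and the AP action."""
    vendor = VENDORS[vendor_key]
    msg = message_from_string(raw_email)
    body = "".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    flags = []

    if sender != vendor.domain:
        flags.append("lookalike-domain" if lookalike(sender, vendor.domain) else "unknown-sender-domain")
    if reply_to and reply_to != sender:
        flags.append("reply-to-differs")  # replies would go somewhere other than the visible sender
    m = ACCOUNT_RE.search(body)
    if m and m.group(1) != vendor.bank_account:
        flags.append("bank-details-changed")  # the one indicator a compromised mailbox cannot hide
    if URGENCY_RE.search(body):
        flags.append("urgency-language")

    hold = any(f in flags for f in ("bank-details-changed", "lookalike-domain", "unknown-sender-domain"))
    action = (f"HOLD: call {vendor.name} at {vendor.phone} (number on file) before paying"
              if hold else "OK to process")
    return {"flags": flags, "action": action}


# Constructed sample 1: the article's scenario, the vendor's real mailbox taken over.
# Headers are clean; only the bank account differs from the one on file.
COMPROMISED_MAILBOX = """\
From: Acme Supply <billing@acme-supply.com>
To: ap@example.com
Subject: Invoice 4471 - updated remittance details

Please note we have moved banking. Remit invoice 4471 ($18,400) to
First Example Bank, Account Number: 987654321, routing 021000000.
"""

# Constructed sample 2: no mailbox compromise, just a look-alike domain
# (rn in place of m), a different Reply-To and pressure to pay at once.
LOOKALIKE_DOMAIN = """\
From: Acme Supply <billing@acrne-supply.com>
Reply-To: accounts@acrne-supply-billing.net
To: ap@example.com
Subject: URGENT: Invoice 4471

Payment must go out today. Account Number: 987654321.
"""

if __name__ == "__main__":
    for label, sample in (("compromised mailbox", COMPROMISED_MAILBOX),
                          ("look-alike domain", LOOKALIKE_DOMAIN)):
        print(label, screen_invoice(sample, "acme"))
```

The first sample produces a single flag, `bank-details-changed`, and a hold; nothing about the headers is wrong, which is exactly why the phone call to the number on file, rather than any check on the email itself, is the control that works. The second sample trips every rule, but the decision is the same: hold and call.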
Finally, check with your insurance broker. Your business insurance can often add crime or cyber coverage for a small additional premium. Seriously consider the option. With BEC, an ounce of prevention is worth a pound of cure.
Saad Gul and Mike Slipsky are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy and cybersecurity issues, including HIPAA, GDPR, FERPA, CCPA, and other privacy regimes. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.