
Fraud Prevention Month: Fight business email fraud


Fraud Prevention Month starts today, which reminds me of three business-related online frauds I’ve written about. Let’s take a look at them and discuss some of the similarities they share:

Security and law enforcement researchers call these and other incidents like them “business executive compromise” or “business email scams” (BEC). They have two things in common: staff who trust email communications, and poor business processes for handling financial transfers.

During Fraud Prevention Month ITWorldCanada.com will have a number of stories advising CISOs and CEOs about reducing the odds of being caught by online-enabled fraud.


Measuring fraud activity in Canada isn’t easy, and quantifying the amount of digitally enabled fraud is even harder, because the figures rely on victim reporting. The Canadian Anti-Fraud Centre estimates only five per cent of fraud is reported to the police.

Last year, the centre received 101,483 fraud reports involving nearly $160 million in reported losses. Many are consumer-related (investment, extortion, romance and job scams), while others are more business-related (extortion, impersonation, BEC, and merchandise scams, for example). BEC-related frauds come under spear-phishing, which accounted for $14.4 million in reported losses.

Jeff Thomson of the Canadian Anti-Fraud Centre noted that scams involve not only messages that appear to come from executives but also fake messages from suppliers and partners, from head office to franchise owners, and even from supposed employees asking for changes to the bank accounts used for their direct salary deposits.

With the advent of COVID, businesses and individuals have been fooled into buying poor or undelivered personal protective equipment, for example. Some are falling for fake COVID vaccines. Because some businesses (airlines, restaurants and border officials) are asking for evidence of vaccination, criminals are increasingly offering phony proof of vaccination documents.

“This year has seen a significant increase in fraudulent activity because many organizations either moved significant portions of their business online [because of COVID], and staff had to work from home,” noted Robert Fazon, head of engineering in Canada for Check Point Software, which reported on the Chinese-Israeli fraud incident. “So there’s been a huge expansion of the area of control necessary for managing security for these organizations. That has created significant risks and challenges.”

In some cases, it has increased unauthorized access.

“Access is the source for most fraud, or things that enable fraud, that we’re seeing,” he said. “Those who are in positions of authority are finding themselves vulnerable because they are opening links and providing access to hackers, who are using it to do things like commit financial fraud or steal intellectual capital and interfere with law enforcement.”

Thomson of the Canadian Anti-Fraud Centre says the key to foiling BEC schemes is security awareness training so employees recognize the signs of potentially fraudulent emails. These signs include changes in the expected sender’s address (johnsmith@isp.com becomes johnsmith@isp.net, for example, or johnssmith@isp.com); messages arriving late on Fridays asking for money to be transferred; requests for changes to where funds should be sent; and messages saying the transfer is urgent.

The common targets

Deloitte notes that BEC schemes often target mid-level personnel who seldom communicate with the executives, attorneys, or vendors purportedly behind a transaction request. Attackers rely on employees who don’t want to approach managers to authenticate a transaction.

Another effective anti-BEC approach is to use encryption to authenticate emails between approved sources, making it difficult for a third party to interfere. Experts say administrators should also turn on features that identify internal emails by colour. That way an email from an external source, such as a threat actor, will immediately be labelled suspicious if it’s supposed to be from an executive.
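The warning signs Thomson lists (sender-address drift, late-Friday timing, a request to change where funds go, urgency) and the “label mail that claims to be internal but comes from outside” advice above can both be turned into a first-pass triage rule that tells staff which messages need a phone call on a known number before anyone acts. The script below is an added example written for this article; it is not code from IT World Canada, the Canadian Anti-Fraud Centre, Check Point, Deloitte or Proofpoint. The contacts list, the company domain `example.com`, the keyword patterns, the point weights and the four sample messages are all constructed assumptions, and a real deployment would source the contacts from the vendor master file and the payroll system rather than a dictionary.

```python
"""Heuristic BEC triage for inbound mail.

Added example for this article, not code from IT World Canada or any
organisation quoted in it. It scores a message against the warning signs
the article lists (sender-address drift, late-Friday arrival, a request to
change where funds go, urgency) and flags mail whose display name belongs
to an internal executive but whose domain is external. All contacts,
domains, regexes and weights below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
from email.utils import parseaddr
import re

INTERNAL_DOMAIN = "example.com"                 # hypothetical company domain
KNOWN_CONTACTS = {                              # agreed out of band; hypothetical
    "John Smith": "johnsmith@isp.com",          # supplier contact
    "Jane Doe": "jane.doe@example.com",         # internal CFO
}
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|change[ds]?)\b.{0,40}\b(bank|account|wire|routing|payment)\b",
    re.I | re.S)
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|right away|before (end|close) of (day|business))\b",
    re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character drift such as johnsmith -> johnssmith."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage(from_header: str, received: datetime, subject: str, body: str) -> Verdict:
    """Score one message; a high score means verify by phone on a known number first."""
    v = Verdict()
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.partition("@")

    expected = KNOWN_CONTACTS.get(display)
    if expected and addr != expected.lower():
        exp_local, _, exp_domain = expected.lower().partition("@")
        if domain != exp_domain:                       # isp.com -> isp.net
            v.add(4, f"domain drift: expected {exp_domain}, got {domain}")
        if local != exp_local and levenshtein(local, exp_local) <= 2:
            v.add(4, f"lookalike local part: {local} vs {exp_local}")
        if exp_domain == INTERNAL_DOMAIN and domain != INTERNAL_DOMAIN:
            v.add(4, f"external sender using internal name {display!r}")

    if received.weekday() == 4 and received.hour >= 15:   # Friday after 15:00 local
        v.add(1, "arrived late on a Friday")

    text = subject + "\n" + body
    if PAYMENT_CHANGE.search(text):
        v.add(3, "asks to change where funds are sent")
    if URGENCY.search(text):
        v.add(2, "pressures for urgent action")
    return v


def needs_out_of_band_verification(v: Verdict, threshold: int = 4) -> bool:
    return v.score >= threshold


def triage_iso(from_header: str, received_iso: str, subject: str, body: str) -> Verdict:
    """Same as triage() but takes an ISO-8601 timestamp string."""
    return triage(from_header, datetime.fromisoformat(received_iso), subject, body)


# Constructed sample messages (not real incidents).
SAMPLES = [
    ('"John Smith" <johnsmith@isp.com>', "2021-03-02T10:00",
     "Invoice 1234", "Invoice attached as usual."),
    ('"John Smith" <johnsmith@isp.net>', "2021-03-05T16:30",
     "Urgent: updated bank details", "Please wire to our new account before end of day."),
    ('"John Smith" <johnssmith@isp.com>', "2021-03-02T10:00",
     "Revised quote", "Quote attached."),
    ('"Jane Doe" <jane.doe@webmail.example>', "2021-03-01T09:15",
     "Quick favour", "In a meeting, need a wire sent right away to a new vendor account."),
]


def run_samples() -> list:
    """Return (score, flagged) for each constructed sample, in order."""
    out = []
    for hdr, ts, subj, body in SAMPLES:
        v = triage_iso(hdr, ts, subj, body)
        out.append((v.score, needs_out_of_band_verification(v)))
    return out


if __name__ == "__main__":
    for (hdr, *_), (score, flagged) in zip(SAMPLES, run_samples()):
        print(f"{score:2d} {'VERIFY' if flagged else 'ok    '} {hdr}")
```

Only the first sample (the genuine supplier address on a Tuesday with no payment language) passes; the other three are flagged for a callback. The sender checks deliberately carry the most weight, since a changed domain or a one-letter local-part variant is the sign the article singles out, while the Friday timing alone only nudges the score. The rule is a prompt for the verification step described next, not a replacement for it: a message that scores zero can still be fraudulent if the attacker controls the genuine mailbox.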

Business process policies for handling money also have to be toughened. Email approvals aren’t good enough these days. Staff should also be warned not to trust instructions left by voicemail. If staff need to phone someone to verify a message, they should use a known phone number previously agreed to by policy, not one supplied in the email. Using multifactor authentication to protect access to sensitive accounts is also important.

In a guide on fighting BEC fraud Proofpoint says staff should be told the following:
