Get the Global IP Investigations and Enforcement Perspective

Industry content delivered straight to your inbox.
Email address
Secure and Spam free...

Beware of: Business E-Mail Compromise (BEC)

The following blog post is not about IP per se, however, it does address an alarming fraud scheme that organizations, brands, and IP support professionals need to to have an understanding and awareness of:

It’s called: Business E-Mail Compromise (BEC).

ALARMING TREND

There is an alarming scam-assault on businesses taking place in the U.S. and in Western Europe in which BEC is the weapon-of-choice.

And it demands the attention of management.

RECENT NOTABLE REPORTS

In June of this year, the U.S. Justice Department completed a six-month BEC investigation that resulted in the arrest of 74 individuals all over the U.S. and several other countries including Nigeria, Canada, Mauritius, and Poland, respectively.

“BEC…is a sophisticated scam that often targets employees with access to company finances and tricks them–using a variety of methods like social engineering and computer intrusions–into making wire transfers to bank account thought to belong to trusted partners but instead belong to accounts controlled by the criminals themselves.

And this month it was reported that a UK security group discovered a list of 50,000 executives that were targeted by BEC fraudsters.

“Moreover, The BEC attack emails…typically contain no malware; the group instead sends fraudulent payment requests to finance teams. As a result, the emails are difficult to detect by the range of counter-measures firms typically employ to block harmful material.

“In our analysis…we identified the working methods of a group that has taken the basic techniques of spear-phishing – using specific knowledge about a target’s relationships to send a fraudulent email – and turned it into massive BEC campaigns.

“Each attack email requesting a money transfer is customized to appear to be an order from a senior executive of the company.”

WHAT MAKES THIS ALARMING?

What makes this particularly alarming is that computer-protection technology cannot pick up on this type of fraud since it does not include malware.

It is essentially a person-to-person phishing campaign and flies under the malware-protection radar.

WHAT MUST THE FRAUDSTER DO TO BE EFFECTIVE?

The perpetual fundamentals of Nigerian-branded fraud schemes are simple: Impersonation.

In this scheme, the fraudster convinces you or your finance person that he/she is a senior representative of your company, (CEO, CFO, COO, etc.)

The fraud relies on human complacency, not technological proficiency.

HOW DOES IT WORK?

As explained above, although technologically unsophisticated, it’s still very effective.

The basic BEC modus operandi is:

  • Target finance employees
  • Impersonate a senior organization employee who directs the transfer of funds to a designated (fraudster) bank account

FRAUDSTER CREATIVITY

It never ceases to amaze me at the creativity of Nigerian-branded frauds.

I myself have investigated multi-million dollar Nigerian-branded fraud schemes (i.e., advanced fee, romance, black ink, etc.), and the talent and creativity of Nigerian-branded fraudsters are not to be underestimated.

They are absolute experts in the criminal art of psychological persuasion and impersonation.

And having discovered this new fraudulent scheme, the fraudsters will rake-in millions-and-millions until business awareness is raised enough to have a countering effect.

PREVENTION

This trend demands 3-fundamental actions of management:

  • Train (re-train) employees in email-communications discipline
  • Develop a communications protocol that requires employees to go through a step-by-step vetting of the sender before wire transfers are made
  • Institute an internal testing process that ensures employee compliance

FINAL THOUGHT

As the FBI reminds us, “BEC schemes continue to evolve as criminals come up with new and inventive ways to scam businesses.”

Disclaimer: IPPIBlog.com is offered as a service to the professional IP community. While every effort has been made to check information in this blog, we provide no guarantees or warranties, express or implied, with regard to content provided in IPPIBlog.com. We disclaim any and all liability and responsibility for the qualification or accuracy of representations made by the contributors or for any disputes that may arise. It is the responsibility of the readers to independently investigate and verify the credentials of such person and the accuracy and validity of the information provided by them. This blog is provided for general information purposes only and is not intended to provide legal or other professional advice.

Did you find this post useful?
I agree to have my personal information transfered to MailChimp ( more information )
Join other IP protection professionals, i.e., investigators, attorneys, and brand protection specialists and receive updates straight to your inbox.
We hate spam. Your email address will not be sold or shared with anyone else.

Ron Alvarez is an IP Investigations / Protection writer and licensed private investigator in New York City. He is a former NYPD lieutenant where he investigated robbery, narcotics, internal affairs, and fine art theft cases. Ron is a graduate of the FBI National Academy and earned a B.A. in Government and Public Administration from John Jay College of Criminal Justice in Manhattan. He has published a number of articles on various investigative topics for PI Magazine. Ron is certified by the Interpol-International IP Crime Investigators College (IIPCIC.) as a "Transnational and Organized Crime Intellectual Property (IP) Investigator."

0 comments on “Beware of: Business E-Mail Compromise (BEC)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get the Global IP Investigations and Enforcement Perspective

Industry content delivered straight to your inbox.
Email address
Secure and Spam free...
%d bloggers like this: