Bermuda Real

Police: Online Fraud Advisory: Business E-mail Compromise (BEC) Scam

News   |   April 12, 2018

The Bermuda Police Service (BPS) wishes to advise the Bermuda business community regarding an emerging cyber threat named ‘Business Email Compromise’ (BEC), also called ‘CEO fraud’, which has so far resulted in the loss or attempted loss of significant sums from local businesses.

Organised Crime Groups make use of publicly available contact information to collect the email addresses of company executives and accounts department employees. An email impersonating the executive is then sent to an accounts department employee, requesting that an urgent overseas payment be made. An example of a spoofed email is attached. The example below relates to a generic email taken from the internet.

In 2016, the FBI issued a press release confirming this type of fraud had seen a 1300% increase, with a combined loss of over $3 billion (https://www.ic3.gov/media/2016/160614.aspx).  

The FBI notes that the characteristics of Business Email Compromise include:
  • Businesses and associated personnel using open source e-mail accounts are predominantly targeted.
  • Individuals responsible for handling wire transfers within a specific business are targeted.
  • Spoofed e-mails very closely mimic a legitimate e-mail request.
  • Hacked e-mails often occur with a personal e-mail account.
  • Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
  • The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
  • The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as not to raise doubt.
  • Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
  • Victims report that IP addresses frequently trace back to free domain registrars. 

Detective Superintendent Sean Field-Lament of the BPS Crime Division states – “I wish to raise awareness of the Bermuda business community in regards to an emerging cyber threat named ‘Business Email Compromise’ (BEC), also called ‘CEO fraud’. The Organized and Economic Crime Department has received three reports in the last 10 days from local businesses regarding significant cyber-enabled fraud incidents. Two frauds resulted in the loss of $1.3M and $4M in separate incidents, and the third attempt at a different business was discovered before funds were actually transferred. The BPS would encourage all companies to review their business processes to guard against this type of cyber-crime.” 

Prevention and awareness are the key suggestions for protection and best practice:

  • Businesses with an increased awareness and understanding of the BEC scam are more likely to recognize when they have been targeted by BEC fraudsters, and are therefore more likely to avoid falling victim and sending fraudulent payments.
  • Businesses that deploy robust internal prevention techniques at all levels (especially targeting front line employees who may be the recipients of initial phishing attempts), have proven highly successful in recognizing and deflecting BEC attempts.
  • Some financial institutions reported holding their customer requests for international wire transfers for an additional period of time, to verify the legitimacy of the request.  

Further to the above, the FBI has compiled a list of self-protection strategies:

  • Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out of office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures, including the implementation of a 2-step verification process.

For example:

  • Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  • Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
  • Delete Spam: Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
  • Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
  • Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to login: something you know (a password) and something you have (such as a dynamic PIN or code).
  • Significant Changes: Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
  • Register all company domains that are slightly different than the actual company domain.
  • Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
  • Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
  • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
  • Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
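The two list items above about flagging e-mail from domains that are similar to the company’s own (abc_company.com versus abc-company.com) and registering the near-miss variants describe a detection rule in words only. The following is an added example, written for this page and not code from the BPS, the FBI or the advisory; it assumes a company domain of abc_company.com (the advisory’s own example) and uses constructed From: headers as input. It generalises the advisory’s single hyphen/underscore case to separator swaps, look-alike glyphs (rn for m, 0 for o, 1 for l), the company domain embedded as a label in an unrelated domain, and near matches by similarity ratio; the threshold of 0.85 and the helper names are the author’s own choices.

```python
import re
from difflib import SequenceMatcher

# Company domain taken from the advisory's own example (assumption: this is
# the only trusted sending domain for the organisation).
COMPANY_DOMAIN = "abc_company.com"

# Constructed From: headers used to exercise the check; none are real mail.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@abc_company.com>",                   # genuine
    "IT Helpdesk <it@mail.abc_company.com>",       # genuine subdomain
    "CEO <ceo@abc-company.com>",                   # hyphen swapped for underscore
    "Finance <ap@abc_cornpany.com>",               # 'rn' in place of 'm'
    "CEO <ceo@abc_company.co>",                    # truncated TLD
    "ceo@abc_company.com.evil.example",            # company domain used as a label
    "Vendor <billing@some-other-vendor.example>",  # unrelated external sender
]


def extract_domain(from_header):
    """Return the lowercased domain part of the address in a From: header."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def normalize(domain):
    """Collapse separator and glyph substitutions commonly seen in look-alike domains."""
    d = domain.lower()
    d = re.sub(r"[-_.]", "", d)          # abc-company.com and abc_company.com compare equal
    d = d.replace("rn", "m")             # 'rn' renders like 'm' in many fonts
    d = d.replace("vv", "w")
    d = d.replace("0", "o").replace("1", "l")
    return d


def classify_sender(from_header, company_domain=COMPANY_DOMAIN):
    """Return 'trusted', 'lookalike' or 'external' for the sender's domain."""
    company = company_domain.lower()
    domain = extract_domain(from_header)

    # Exact domain or a subdomain of it is under the company's control.
    if domain == company or domain.endswith("." + company):
        return "trusted"

    # Same string once separators and look-alike glyphs are collapsed.
    if normalize(domain) == normalize(company):
        return "lookalike"

    # Company domain appears as a label inside an unrelated domain.
    if company in domain:
        return "lookalike"

    # Near match by similarity ratio (threshold is an assumption; tune to taste).
    ratio = SequenceMatcher(None, normalize(domain), normalize(company)).ratio()
    if ratio >= 0.85:
        return "lookalike"

    return "external"


def flag_lookalikes(headers, company_domain=COMPANY_DOMAIN):
    """Return the From: headers whose sender domain is classified as a look-alike."""
    return [h for h in headers if classify_sender(h, company_domain) == "lookalike"]


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(header):9s}  {header}")
```

A rule like this belongs at the mail gateway or in the SIEM where the From: and Reply-To headers are visible; a "lookalike" verdict should route the message to the Out of Band verification step rather than silently dropping it, so that a genuine message from a newly registered partner domain is not lost.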

Additional information is publicly available on the United States Department of Justice website at https://www.justice.gov/criminal-ccips/ccips-documents-and-reports under the ‘Topical White Papers’ publication entitled “Best Practices for Victim Response and Reporting of Cyber Incidents”.
