There has been a lot in the press about ransomware this year. Crypto-ransomware attacks are becoming more targeted and sophisticated, resulting in bigger extortion amounts and other financial losses to the victims.
But last year’s most frequent and expensive cyber-crime is still email account compromise, or what the FBI calls Business Email Compromise (BEC) is still with us. The attackers using this exploit have also become more sophisticated.
A recent example is the $742,377 invoice that was sent to the city of Ocala Florida from a compromised email account of an actual building contractor that was working with the city on an airport project. Since it arrived from the actual email account of the contractor, the invoice was paid. But the payment was sent to a bank account controlled by the cyber-criminals.
In August 2019, a county in North Carolina paid $17 million to fraudsters who used the hijacked email account of a legitimate contractor working on a school.
This year the Portland Public Schools system narrowly avoided a similar scam that would have cost them $2.9 million.
- Inform or train your employees, especially those in finance, accounts payable, and similar departments about this sort of scam. Informed employees are more likely to question these sorts of phishing emails.
- Do not use emails alone for approving payment. Use the phone or another non-email communication channel to confirm the amount and verify that the email was actually sent by the company.
- Be especially dubious of emails from vendors with new bank account or payment instructions. These absolutely need to be confirmed before sending any payments. Again, a quick phone call can save you thousands and even millions of dollars.
- If it seems weird, it is weird. Often our internal radar or early warning system will tell us that a certain request is odd. Listen to that inner voice. It is always better to check and verify. Better to be safe than sorry.
- If you are a victim report the crime. First warning the compromised vendor about the problem, get your own IT staff involved to check if your company has also been compromised. Victims can also file a complaint with the IC3. I have done that myself for a client or two.
Just because ransomware is the hot problem this year, don’t take your eye off the BEC problem. Either exploit could end up costing your company thousands or millions of dollars.
- The Role of the IC3 in Cybercrime Prosecution
- I Filed a Report with the Internet Crime Complaint Center
- The FBI Releases the IC3 2017 Internet Crime Report