Phone Hacking

BEC Attacks Are on the Rise. Here’s What You Can Do.

In April 2019, Saint Ambrose Catholic Parish near Cleveland was scammed out of $1.75 million in a Business Email Compromise (BEC) attack. According to the investigation by the FBI and the Brunswick, Ohio police, the hackers accessed the church’s email system and tricked the administrative staff into altering the banking information for the construction firm doing a major renovation at the parish. The parish made the $1.75 million payment to the hacker’s bank account, discovering the fraud only when the construction company called to inquire about the late payment for services.

Business Email Compromise (BEC) attacks target commercial, government and non-profit organizations as well as individuals. According to the 2020 Verizon Data Breach Investigations report, BEC frequency increased nearly 225 percent in the past year. Median losses were $1,240 for individuals and $44,000 for organizations.

If you learn that you or your company has been the victim of a BEC attack, you should immediately do the following:

  1. Contact the bank where the funds were drawn.
  2. Ask your bank to contact the corresponding bank where the fraudulent transfer was sent.
  3. Contact your local FBI office as well as the U.S. Secret Service.
  4. File a complaint, regardless of the dollar loss, with the Internet Crime Complaint Center (www.IC3.gov). Note that it was a BEC attack.
  5. Inform your cybersecurity liability insurer.

The best approach for preventing BEC attacks is to implement a security awareness and training program that includes test phishing emails and design preventative controls into your payment process.

HBK Risk Advisory Services can help implement a cybersecurity awareness training featuring phishing simulations, IT security policy development and payment controls assessments to evaluate the security of your payment processes. As always, we’re happy to answer your questions and discuss your concerns.

Note: For more information on BEC attacks, listen to the HBK Risk Advisory Services BEC webinar at: https://hbkcpa.com/ras-bec-attacks/

About the Author(s)
Bill is a Senior Manager in HBK’s IT Department and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software Development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce and has worked for a wide range of industries, including the Public Accounting field. Bill is a certified public accountant, a certified information system auditor, and a certified supply chain professional.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.

RECOMMENDED ARTICLES