In April 2019, Saint Ambrose Catholic Parish near Cleveland was scammed out of $1.75 million in a Business Email Compromise (BEC) attack. According to the investigation by the FBI and the Brunswick, Ohio police, the hackers accessed the church’s email system and tricked the administrative staff into altering the banking information for the construction firm doing a major renovation at the parish. The parish made the $1.75 million payment to the hacker’s bank account, discovering the fraud only when the construction company called to inquire about the late payment for services.
Business Email Compromise (BEC) attacks target commercial, government and non-profit organizations as well as individuals. According to the 2020 Verizon Data Breach Investigations report, BEC frequency increased nearly 225 percent in the past year. Median losses were $1,240 for individuals and $44,000 for organizations.
If you learn that you or your company has been the victim of a BEC attack, you should immediately do the following:
- Contact the bank where the funds were drawn.
- Ask your bank to contact the corresponding bank where the fraudulent transfer was sent.
- Contact your local FBI office as well as the U.S. Secret Service.
- File a complaint, regardless of the dollar loss, with the Internet Crime Complaint Center (www.IC3.gov). Note that it was a BEC attack.
- Inform your cybersecurity liability insurer.
The best approach for preventing BEC attacks is to implement a security awareness and training program that includes test phishing emails and design preventative controls into your payment process.
HBK Risk Advisory Services can help implement a cybersecurity awareness training featuring phishing simulations, IT security policy development and payment controls assessments to evaluate the security of your payment processes. As always, we’re happy to answer your questions and discuss your concerns.
Note: For more information on BEC attacks, listen to the HBK Risk Advisory Services BEC webinar at: http://hbkcpa.com/ras-bec-attacks/