Watch: Business Email Compromise and Protecting Against Identity Theft

Date: October 25, 2023

Highlights of the October edition of the HBK Risk Advisory Services webinar series, hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services

Two closely related topics: business email compromise and protecting against identity theft

Business Email Compromise (BEC)

Defined as a type of email-based cybercrime scam in which an attacker targets a business or individual with intent to defraud.

  • A large and growing problem
  • Also called email account compromise; its growth has accelerated because of cloud-based infrastructure
    BEC examples:

  • A vendor sends an invoice with altered payment details; vendors don’t usually send emails to change where to send a payment.
  • A CEO asks an assistant to purchase dozens of gift cards to send out as rewards and asks for serial numbers to expedite delivery.
  • A homebuyer receives a message from a title company with instructions on how to wire the down payment.
  • Whatever money you send basically doubles your cost, because you’re paying the bad guy but still owe the real vendor.

    From the FBI:

  • In 2022, 21,832 BEC complaints were filed, with reported losses of more than $2.7 billion.
  • 64% of companies worldwide have been affected by BEC hacking.
  • Total losses exceed losses from ransomware attacks.
    Most common BEC attack vectors:

  • Spoofing an email account or website
  • Phishing/spear phishing emails
  • Malware
    How to protect against BEC:

  • Use multi-factor authentication (MFA) wherever possible; never turn it off
  • Be careful:
      • with information you share online, including social media
      • about unsolicited, unexpected emails; be skeptical: “if it sounds too good to be true, it likely is”
      • with unrecognized URLs or emails
      • before opening downloads: they could carry a malicious payload
      • if you are asked to act quickly
  • Phone calls: don’t answer spam calls; that could validate your number.
    If you become a victim of BEC:

  • First, contact the banks/financial institutions involved: both the one you wired the money from and the one you wired the money to. If you wired overseas, you might have 24 to 48 hours to have the money clawed back.
  • Report the attack to your local FBI field office or, better, to the Internet Crime Complaint Center (IC3), because the FBI does not investigate “small” losses.
  • Learn from the attack so you don’t fall for the same thing in the future.
Identity theft

    Defined as obtaining personal or financial information of another person for the sole purpose of assuming that person’s name or identity to enter into transactions or make purchases.

    Forms of identity theft:

  • Healthcare, such as for procedures you haven’t had done
  • Tax fraud, such as filing an income tax return in your name
  • Financial, including for credit cards
    Statistics:

  • 5.7 million cases of fraud and ID theft in 2022
  • An ID theft occurs every 22 seconds
  • Median loss to victims is $500 (growing as we become more digitally dependent)
    How thieves obtain your identity:

  • Data breaches
  • Exposed consumer or employee records
  • Theft of personal information, such as through spoofing or phishing
  • The deep web is about 90% of the internet, including company information; the dark web is about 6% of the internet and is home to illegal activity like buying email addresses and other personal information.

    How to protect your identity:

  • Freeze your credit.
  • Safeguard your Social Security number.
  • Shred everything.
  • Protect RFID cards (people with scanners 10 to 15 feet from you can copy your card):
      • Purchase a “wallet” that puts a shield around your cards.
      • Use a passport carrying case.
      • Buy a jamming card to put in your wallet to block signals (the inexpensive route).
  • Use strong passwords and a password manager.
  • Use MFA (do business with organizations that use MFA).
  • Train yourself and staff to recognize and report phishing.
  • Keep software updated.
  • Be careful what you post on social media; don’t disclose personal data.
  • Set up online account access and monitor it weekly.
  • Establish email/text alerts for account authorizations, account declines, statement balances, and account payments.
  • Consider an ID theft monitoring service; multiple companies offer one. These services provide:
      • Credit monitoring
      • Dark web monitoring
      • Opting you out of data brokers
      • Some form of insurance coverage
      • Some threat resolution information
  • Don’t carry your social security card.
  • Know what’s in your wallet and make copies of your credit cards, front and back.
    If your ID is stolen:

  • Place a fraud alert with one of the bureaus; it will contact the others. Companies must contact you before they issue credit in your name.
  • Review your credit report.
  • Contact the Federal Trade Commission (FTC).
  • Build a recovery plan: FTC site will help you build a plan.
  • FTC site has a lot of valuable information: identitytheft.gov.
  • Check your Social Security account (create an account).
  • Contact your local police; for example, an attacker might use your driver’s license data to create a new license and commit a crime.
  • As of 2018, there is no fee to freeze your credit with credit bureaus.