How organizations and employees can protect themselves against financial email scams

Scammers and cybercriminals have a variety of tricks up their sleeves to try to obtain financial or personal information from their victims. One scam targeted at organizations is the Business Email Compromise (BEC). Also known as Email Account Compromise (EAC), CEO fraud, or whaling, this type of scam sends a fraudulent email to someone in an attempt to convince that person to share or reveal financial or personal information. A study released Tuesday by Symantec highlights the latest trends on this type of scam and offers advice on how organizations and employees and protect themselves from it.

A BEC scam can take a few different forms. The fraudulent email might tempt its victim with a request to buy physical or electronic gift cards. The email could masquerade as a legitimate business message with a request to update your salary or direct deposit account details. It could also ask for your personal or work phone number to provide further instructions.

In 2018, the FBI's Internet Crime Complaint Center (IC3) received 20,373 BEC-related complaints, up from 15,690 complaints in 2017. Losses from BEC scams hit more than $1.2 billion in 2018, double the $676 million recorded in 2017. Since 2014, the number of victims and the amount of losses have steadily risen, according to the FBI's statistics. On the positive side, the IC3's Recovery Asset Team (RAT), which was formed in February 2018, has successfully recovered more than $192 million lost to BEC scams, according to Symantec.

SEE: Phishing and spearphishing: An IT pro's guide (free PDF) (TechRepublic)

On average, 6,029 organizations were targeted by BEC emails each month during the 12 months from July 2018 through June 2019, Symantec's report said. The scams could have affected all of those businesses had the emails not been stopped by spam blockers. On average, organizations received five BEC scam emails each month during the past 12 months. The top countries targeted by BEC scammers were the US, the UK, Australia, Belgium, and Germany.

How can BEC emails be identified? One clue lies in the subject line of the email. BEC scams aimed at businesses in the UK and the U.S. mostly had subject lines with the word "IMPORTANT." Most BEC scams targeted at Australia, Spain, France, and Germany had payment-related subject lines such as "PAYMENT," "NOTIFICATION OF PAYMENT RECEIVED," and "PAYMENT DUE 8 DEC."

BEC emails also use common keywords in the body of the message. Almost all of the keywords discovered by Symantec are designed to draw your attention or suggest a sense of urgency related to something financial. Some keyword examples are: "Transaction request," "Important," "Urgent," "Payment," "Outstanding payment," and "Notification of payment received."

Over the past 12 months, BEC scammers have typically used or spoofed popular free web mail services from which to send their fraudulent messages. Gmail, AOL, Yahoo! Mail, and Hotmail are among the top 10 email domains used and abused by these scammers.

Symantec also reported on the 10 most popular themes used by BEC emails in the last 12 months. These include:

BEC scams have often hacked or spoofed the email accounts of a business's CEO or CFO, sending fraudulent emails to the finance department in an attempt to trick employees into making wire transfer payments. But as scammers adopt artificial intelligence (AI) and machine learning (ML), these types of fradulent emails could become even more convincing, according to Symantec.

As one example, a scammer using AI or ML could target a senior financial executive or employee with access to the CEO and the ability to authorize money transfers. To verify the request for money, the scammer could use audio of the CEO during a phone call to convince the employee that the CEO is actually on the line ordering the transfer.

To guard against BEC scams, Symantec advises organizations to adopt the following best practices:

For more on the risks of phishing and business email compromise, check out "Lateral phishing: Hackers are taking over business accounts to send malicious emails" and "More than 3B fake emails sent daily as phishing attacks persist" on TechRepublic.

Also see