Safeguarding Your Business from Phishing Scams

In today’s digital landscape, safeguarding your business from phishing scams is paramount. You may have heard the age-old advice, “Never open an email from an unknown sender.” However, assuming that your employees are well-versed in identifying phishing attempts and will steer clear of suspicious links and attachments is not always a safe bet.

Imagine a scenario where your employees receive an email that appears to be from your trusted financial adviser, a reliable vendor, or even from you. This is where Business Email Compromise (BEC) rears its head, a tactic that cybercriminals increasingly employ to extract money and sensitive information from companies.

These scammers target businesses that conduct wire transfers and those that rely on foreign suppliers, third-party vendors, or customers. By impersonating these established, trustworthy business relationships, BEC becomes nearly undetectable and a formidable challenge to manage after the fact.

Recent cybercrime statistics paint a concerning picture. Spear-phishing, which includes BEC, remains one of the most reported scams, accounting for a significant portion of the roughly 40 types of fraud recorded by the Canadian Anti-Fraud Centre (CAFC). In 2020, CAFC received reports of nearly $30 million in losses due to this scam, and astonishingly, over $26 million in losses were reported in the first half of 2021 alone.

Four Types of Business Email Scams

The complexity of detecting BEC lies in how scammers exploit existing professional relationships to gain access to a business’s finances and sensitive data. These criminals employ four distinct methods of perpetrating BEC scams:

Method #1: Business Executive Scam

• The CEO’s email is impersonated or hacked
• The imposter contacts the finance department to request a wire transfer.
• The finance department authorizes the wire transfer.
• The request email often emphasizes the need for quick and discreet action.
• Funds are deposited into the fraudster’s account.
• The fake wire transfer is sent to the criminal’s sham bank account.

Method #2: Bogus Invoice Scam

• An employee’s email is hacked or impersonated.
• The imposter uses the compromised account to email the company’s vendors and customers, requesting fraudulent invoices.
• Customers and vendors unknowingly pay these false invoices.
• Request emails typically contain new or altered invoice details.
• Funds are deposited into the scammer’s account.
• The fake wire transfer ends up in the criminal’s counterfeit bank account.

Method #3: Supplier Swindle Scam

• This method targets foreign suppliers or overseas vendors, aiming to authorize wire transfers to a fabricated account.
• Criminals hack into a supplier’s email account and request a wire transfer to a “new” account, citing a change in the supplier’s overseas location.

Method #4: Personal Data Scam

• The Human Resources email is hacked or impersonated.
• The imposter uses the compromised account to request personal information.
• Employees may send sensitive documents or complete fake online forms.
• Request emails often claim that information is missing, lost, or needs updating.
• Fraudsters obtain personal information, which can be used for identity theft or sold on the black market.

The fourth method focuses on targeting employees’ and stealing their personal information, unlike the first three. To mitigate the risk of falling victim to these scams, consider the following protective measures:

Tips to Protect Your Business

• Develop and implement a company-wide security awareness program, making it a collective responsibility to protect company information.
• Avoid relying solely on email for fund transfers; confirm such requests via phone verification or face-to-face meetings using known phone numbers for authentication.
• Scrutinize all email requests related to fund transfers, paying attention to slight variations in email addresses that seem out of the ordinary.
• Strengthen your network security, especially for mobile devices, which are common targets for cyber threats such as spyware, unsecured Wi-Fi connections, and fake networks. Employees often use personal mobile devices for business email and other work tasks, making them vulnerable to cybercriminals seeking access to your network.

For further insights on enhancing your business’s security, feel free to contact your commercial insurance broker or visit our website at Alpine Insurance. Protect your business and stay one step ahead of phishing scams.