Western_Grower_Shipper2019JulyAug

criminals posing as a vendor with whom the targeted business has a longstanding business relationship. The attacker will send the company what appears to be a genuine invoice with a message that the vendor has changed banks, including instructions to wire payment to the new account. Processing what appears to be a genuine invoice, the accounts payable person has no reason to suspect that he is an unwitting victim of a BEC crime. It is not until the vendor contacts the company inquiring about the lack of any payment that the fraud is discovered.

A member of Western Growers was recently duped by this scheme. A partner in Mexico would typically invoice the company for growing costs. When the company received an $80,000 invoice from this partner, no alarm bells went off. Neither did the message on the invoice asking that payment be made via wire instead of the company’s historic practice of paying by check. The accounts payable person wired the funds as requested, only to learn later that the funds were actually wired to a bank in Slovakia, and the funds swept out soon after. While the member reported the crime to their local FBI office, the funds have not been located or recovered after several months of investigation.

What Companies Should Do Now

In light of the growing BEC threat, management has to be more vigilant than ever to safeguard the company’s finances and privacy. Cyber security experts recommend a number of steps companies should have in place to protect themselves from BEC attacks.

• Don’t trust. Verify. The best way to avoid being exploited is to verify the authenticity of requests to send money. Walk into the executive’s office or speak to him or her on the phone. Don’t rely on email communication or the contact information included in the email. Limit telephone conversations to company directory phone numbers.

• It’s a scam until proven otherwise. Train the accounting staff to assume that, if they receive a wire-transfer request, especially from the CEO or other senior executive, the email has been compromised. Scrutinize the email requesting a transfer of funds carefully, especially if the request is out of the ordinary. Pick up the phone, or better yet, walk down the hall, and ask the requestor to confirm the request.

• Leverage technology. Intrusion detection system rules can be put in place to flag emails that have extensions that try to replicate the appearance of the company’s email. Also, email rules can be created that flag emails where the “reply” email address is different from the “from” email shown to the recipient. Two-factor authentication (2FA) is a tool that can be used to protect email and can be used for payment verification. With 2FA, in addition to entering a password when logging in, the user is given a one-time code from a software or hardware token.

• Cyber Insurance. Consider purchasing a cyber insurance policy that can reimburse the company in the event of a cyber attack, including a BEC scam. The cyber insurance market is evolving rapidly, and policies vary greatly, so work with your insurance broker to understand the terms of a prospective policy and the policy triggers that will result in the policy paying in the event of a BEC claim.

Cyber Weapons

Spear-phishing. Fake e-mails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC attackers.

Spoofing. Slight variations on legitimate addresses (jack.reily@xyzproduce.com vs. jack.riely@xyzproduce.com) are used to fool victims into thinking fake accounts are authentic. The criminals then use a spoofing tool to direct e-mail responses to a different account that they control. The victim thinks he is corresponding with the company’s executive, but that is not the case.

Malware. Software code used to infiltrate company networks and gain access to legitimate e-mail threads about billing and invoices. The criminals use this information to ensure that fraudulent wire transfer requests don’t look suspicious to accounting staff. Malware also allows criminals to gain access to a victim’s data undetected, including passwords and financial account information.
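An added example (not part of the article) of the email rules described under “Leverage technology” and the look-alike addresses described under “Spoofing”: it flags a message whose Reply-To differs from its From address, and a From address that is within two edits of a known sender without being one. The sample messages are constructed, and treating jack.reily@xyzproduce.com as the genuine address is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the first address in the article's pair is the genuine one.
KNOWN_SENDERS = {"jack.reily@xyzproduce.com"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def check_message(raw):
    """Return the warning flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    flags = []
    # Rule 1: replies would go somewhere other than the visible sender.
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    # Rule 2: sender is not a known address but is within two edits of one.
    if sender not in KNOWN_SENDERS and any(
            osa_distance(sender, known) <= 2 for known in KNOWN_SENDERS):
        flags.append("lookalike-sender")
    return flags

# Constructed sample messages (not real mail).
GENUINE = ("From: Jack Reily <jack.reily@xyzproduce.com>\n"
           "To: ap@xyzproduce.com\nSubject: Invoice\n\nSee attached.\n")
SPOOFED = ("From: Jack Reily <jack.riely@xyzproduce.com>\n"
           "Reply-To: jack.reily@mail.example.net\n"
           "To: ap@xyzproduce.com\nSubject: New bank details\n\nWire today.\n")

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_message(raw))
```

A flag is a prompt for the out-of-band verification the article recommends, not proof of fraud: mailing lists and ticketing systems legitimately set a different Reply-To.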

WHAT TO DO IF YOU ARE A VICTIM

If funds are transferred to a fraudulent account, it is important to act quickly:

• Contact your financial institution immediately upon discovering the fraudulent transfer
• Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent
• Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds
• File a complaint, regardless of dollar loss, with the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov

24   Western Grower & Shipper | www.wga.com   JULY | AUGUST 2019
