The war in Ukraine—and the entire geopolitical situation in general—has altered the cybersecurity landscape. While most people probably think of fraud as something that affects their finances, the reality is even more far-reaching.
Fraud is not just about your business losing money; the downstream impacts can be devastating. The funds taken from cyber fraud schemes are often used to pay for hostile and unsavory acts such as wars, terrorist attacks, organized crime and human trafficking.
Fraud is the endgame, but business email compromise, or BEC, is often the starting point. And company executives may be leaving their companies—as well as their families and themselves—much more vulnerable to attack than they think.
How BEC works
BEC involves a comprehensive attack in which a bad actor takes over or spoofs a business email account in order to initiate fraudulent transactions. Typically, the fraudster sends an email message that appears to be from a known source making a legitimate request.
While fraudsters often target companies, they can also target specific individuals, including top executives and rank-and-file personnel in key positions. Business leaders are prime targets because of their positions and their authority to compel others to fulfill a request. In fact, any employee can be a target. People in accounts payable roles, for example, can be especially vulnerable as they’re the ones responsible for executing payments.
Fraud is a full-time job for criminals. They’ll conduct research about their targets—including studying their social media behavior to learn more about them and their habits—and then determine the right time for an attack. They’re also patient and diligent, willing to lurk within a company’s systems for months (or longer) until they spot their opportunity to strike.
Once they obtain funds, typically they are taken off the grid almost immediately. The money they steal is often funneled through cryptocurrency exchanges or through foreign financial institutions. By the time you notice money has disappeared from your ledger, it’s likely untraceable. Also, because these crimes originate in your company’s (or your personal) email system, your bank can’t monitor activity for warning signs. Bank mitigation fraud tools can monitor for financial irregularities, but that may be after the money has disappeared and is no longer recoverable.
Protecting your company and yourself
While BEC is an insidious crime, there are some fundamental mitigating measures companies and individuals can take to protect themselves, such as implementing two-factor authentication and following documented processes and thresholds for email payment requests. Importantly, when it comes to safeguarding your company, it’s also crucial to safeguard your personal information.
Executives often post information about their personal lives online, and criminals will leverage what they discover about an executive’s family to facilitate their crimes. Even something as seemingly innocuous as naming your family members in your company bio can provide an opening for fraudsters to exploit. Ultimately, being cautious about what you share online can help protect both your family and your company.
While it may seem like hyperbole, you’re also helping to protect society at large. While falling victim to a BEC puts your company’s finances, systems, data and reputation at risk, it has an impact beyond your organization. The world order is changing, and global cybersecurity concerns are evolving and increasing. A single compromised email could lead to a fraud scheme that bankrolls a devastating global event. Given the stakes involved, combating fraud is every company’s and every employee’s shared responsibility.
Ash Khan serves as head of enterprise fraud management for the Financial Crimes Unit of BMO. Learn more at commercial.bmo.com.
