Do you know who’s sending you emails?

How to spot and protect your company from Business Email Compromise

There’s a cyber threat in your inbox. It’s Business Email Compromise (BEC) or CEO fraud, and the FBI says thieves are using your own company employees as their accomplices. Over $1.2 billion in recent BEC losses have been reported to the FBI, so this is not a small issue. And because BEC is often excluded from cyber policies, it’s important to understand what it is and how it can be minimized.

BEC or CEO fraud relies on cleverly mimicked emails that appear to be from a high-level company executive, company lawyer or advisor, or even a trusted long-standing supplier requesting time-sensitive or confidential financial transfers, typically in the form of a wire transfer. By the time the transaction, which can be in the thousands or even millions of dollars, is discovered, the thief has moved on to the next target. A simple cut and paste of official email templates and an unsuspecting, trusting employee are all a criminal needs to be successful. The email is often accompanied by other communication as well: phone calls, phantom websites and attachments on official-looking letterhead. All this is done to reinforce the appearance that the request is completely legitimate.

Because BEC involves sophisticated manipulation of your employees, be sure to talk with your own insurance agent about potential coverage you may want to consider carrying, specifically Social Engineering Fraud coverage. While many assume that forgery coverage, computer fraud coverage or funds transfer fraud coverage should be sufficient protection, these coverages have been considered inapplicable in some cases because the wire transfer funds were freely and fully issued by a company representative, not by the thief. Because cybercriminals take advantage of human nature, it may turn out that your best defense against BEC is simple education and implementation of procedures requiring verification of any financial transfers, regardless of their “time-sensitive” or “confidential” status. As is often the case, an educated employee base can be your best risk management investment.