Protect Against Business Email Compromise scams

  • 30 November 2021
  • By OCBC Business Banking
  • 10 mins read

In a June 2021 update, the Singapore Computer Emergency Response Team (SingCERT) noted an increasing trend of Business Email Compromise (BEC) attacks in Singapore.

In the first nine months of 2019 alone, the police received 276 BEC scam reports, with at least S$32 million lost – a 1.5 times increase compared to S$19 million lost in 2016! The rise of such scams is taking place on a global scale, and not limited to Singaporean businesses alone.

As more business activities shift online today, there are even more opportunities for such cybercrimes and scams. It’s crucial that you spot these easily to avoid falling for them.

What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) is an email-based scam technique designed to trick employees into making fraudulent money transfers.

As they use sophisticated deceptive methods to extract money from a victim, BEC scams can be difficult to identify. According to the Federal Bureau of Investigation (FBI), BEC scams also tend to be the costliest for businesses.

With the potential for large pay-offs, scammers are willing to go to great lengths to study a targeted business in depth to uncover operational loopholes or weaknesses. This includes researching company financials, employees, and vendors in detail – which is why it’s important that you protect yourself well.

How scammers pull off a BEC scam

Scammers usually request fraudulent transfers via spoofed email addresses. They typically impersonate employees or vendors to ask for salaries or invoices to be transferred to fraudulent bank accounts.

The Singapore police recently revealed a scam variation in Singapore, where scammers pretend to be their victims’ supervisors. Scammers ask their victims to purchase iTunes or Google Play cards and send them the redemption codes. Victims would therefore lose the money they spent on the cards.

More sophisticated tactics involve targeting critical financial information such as unpaid bills and accounts receivables, which makes scam emails more realistic.

Scammers also use spoofed lawyer email accounts to request payment on behalf of companies for copyright infringement. They may also spend time “grooming” their targets by liaising with them a few times to gain their trust first, before requesting payment.

BEC attacks are also becoming more technologically advanced, incorporating malware to gain control of actual enterprise email accounts.

A typical BEC scam scenario

Adam, an F&B business owner, receives an email from his long-term supplier, Ben. Ben informs him that his company recently opened an account with another bank and would like Adam to make payments on outstanding invoices to this new account.

Adam reviews the items on past invoices and initiates the payment to the new account.

A week later, Adam receives another email from Ben claiming outstanding invoices still remain unpaid. Upon further inspection, Adam realises that he has fallen prey to a BEC scam.

Adam realises that the fraudster’s email was Ben-Lee@gmail.com. Cross-referencing it to previous emails from Ben, he sees that the actual email address is Ben.Lee@gmail.com.

Common red flags to look out for in a BEC attack

While there are obvious tell-tale signs of a BEC attack, victims are usually unsuspecting. This is why it is good business practice for all employees to be aware of the most common red flags.

    • Spoofed email accounts

      Spoofed email addresses used by the scammers may not be obvious at first glance. They often include very minor misspellings or replacement of letters.

      These are some examples:

      Genuine email account    Spoofed email account
      123@gmail.com            l12@gmail.com
      abc@deshipping.com       abc@deshpping.com
      lisa@faber.com.cn        lisa@faber-cn.com
    • Emails with unusual formatting and spelling/language issues

      While these errors may be the result of a careless sender, they could also come from someone unfamiliar with industry lingo or from a different country, where English is not the native language.
    • Sudden requests to change payment methods

      Extra attention should be given to any sudden requests to change payment methods, such as to change a receiver’s bank account details or similar finance-related information. Similarly, emails from company management that bypass standard protocols should also be considered suspicious.
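The check Adam made by eye in the scenario above, and the spoofed-address examples in the list above, can be run automatically against an address book of known contacts. The Python below is an added example, not code from OCBC; the address book contents, the function names and the two-edit threshold are assumptions chosen for illustration.

```python
import re

# Constructed address book: the genuine addresses from the article's examples.
KNOWN_CONTACTS = ["Ben.Lee@gmail.com", "123@gmail.com",
                  "abc@deshipping.com", "lisa@faber.com.cn"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _tokens(part: str):
    """Alphanumeric words of one half of an address, in sorted order."""
    return tuple(sorted(t for t in re.split(r"[^a-z0-9]+", part) if t))

def token_key(address: str):
    """Words of the local part and of the domain, ignoring separators and order.
    Catches Ben-Lee vs Ben.Lee and faber-cn.com vs faber.com.cn."""
    local, _, domain = address.lower().rpartition("@")
    return _tokens(local), _tokens(domain)

def classify_sender(sender: str, known=KNOWN_CONTACTS, max_edits: int = 2):
    """Return (verdict, matched genuine address or None).
    verdict is 'known', 'lookalike' or 'unknown'; max_edits is an assumed threshold."""
    s = sender.strip().lower()
    for contact in known:
        if s == contact.lower():
            return "known", contact
    for contact in known:
        c = contact.lower()
        # Same words with different punctuation, or only a few characters off.
        if token_key(s) == token_key(c) or edit_distance(s, c) <= max_edits:
            return "lookalike", contact
    return "unknown", None

if __name__ == "__main__":
    for addr in ["Ben-Lee@gmail.com", "l12@gmail.com", "abc@deshpping.com",
                 "lisa@faber-cn.com", "ben.lee@gmail.com", "sales@example.org"]:
        print(addr, "->", classify_sender(addr))
```

A "lookalike" verdict means the message should be held for confirmation through a previously known contact channel; short addresses can trip the edit-distance rule legitimately, so the result is a prompt to verify rather than proof of fraud.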

Avoid becoming a victim of a BEC attack

As work from home remains a feature of the current working landscape, many companies will likely continue processing payments remotely. These new arrangements may result in less or no supervisory oversight, and scammers will likely take advantage of this to attempt to perpetrate more BEC attacks.

By simply being extra vigilant, you can greatly reduce the likelihood of becoming a victim of a BEC attack. Here are some simple measures you can adopt:

1. Employee education, especially for those handling finances

Educate your staff on scams and teach them to be mindful of any new or sudden changes in payment instructions and bank accounts. Employees with access to confidential information and/or company finances are the likeliest targets for BEC attacks. Such employees should be prioritised for relevant training related to cybercrimes.

2. Ensure a two-factor verification process for any change in finance-related requests

As a rule of thumb, any finance-related requests from vendors and employees should incorporate a secondary confirmation process. This should preferably be via a separate medium, such as a phone call, text or in-person verification. Only use previously known contact details, rather than relying on any information conveyed within an email.

3. Maintain regular system hygiene

Install and maintain the latest anti-virus software on your mobile devices/computer. Do not click on hyperlinks or attachments provided in emails or mobile messages (e.g. SMS, WhatsApp) from suspicious or unknown sources.

It is also important to ensure you only install the latest updates for your device(s) from legitimate sources such as Play Store or App Store. This is because app updates are sometimes used to fix bugs and address security vulnerabilities.

4. Keep your contact details up to date

Update your contact details via Velocity@ocbc so that we can send you important SMS alerts or email notifications related to your accounts and banking transactions.

5. Report all suspicious activity

Call us immediately at +65 6538 1111 if:

  • You suspect any fraudulent activity occurring in your account, which may include your OTP, card, or account details being compromised.
  • You receive an SMS or email informing you that a funds transfer has been made (which was not initiated by you), or if you receive a notification that your contact details were updated online without your knowledge.

Stay vigilant and keep safe. For more information on BEC scams, as well as other types of cybersecurity advisories, visit scamalert or SingCERT.

Tap on relevant support to upgrade your cybersecurity system

Lean on the Infocomm Media Development Authority (IMDA) to improve your company’s IT infrastructure. The SME Digital Hub offers a resource where you can seek advice from cybersecurity specialist consultants with over 30 years of experience.

These consultants can also guide you to the pre-approved cybersecurity solutions covered by government funding support. The Productivity Solutions Grant (PSG) is another available programme for SMEs to onboard relevant cybersecurity solutions, with up to 80% government co-funding till 31 March 2022.

Disclaimer

You may be directed to third party websites. OCBC Bank shall not be liable for any loss suffered or incurred by any party for accessing such third party websites or in relation to any product and/or service provided by any provider under such third party websites.

The information provided herein is intended for general circulation and/or discussion purposes only. Before making any decision, please seek independent advice from professional advisors. No representation or warranty whatsoever in respect of any information provided herein is given by OCBC Bank and it should not be relied upon as such. OCBC Bank does not undertake any obligation to update the information or to correct any inaccuracy that may become apparent at a later time. All information presented is subject to change without notice. OCBC Bank shall not be responsible or liable for any loss or damage whatsoever arising directly or indirectly howsoever in connection with or as a result of any person acting on any information provided herein. Any reference to any specific company, financial product or asset class in whatever way is used for illustrative purposes only and does not constitute a recommendation on the same.
