How FinServ Firms can Prevent Business Email Compromise

Fighting cybercrime has been an issue for businesses across all industries since the early 1980s. Criminals will find any way they can to insert themselves between transactions, especially if those transactions involve a large sum of money. The invention of the internet made it even easier for criminals to intercept funds using fraudulent methods. With digitization, both businesses and consumers communicate and conduct most business-related activities online.

Today, email is the primary and preferred method of communication between companies in every industry as well as their consumers. Although the convenience of delivering and receiving a message within seconds with little effort is what attracted users to this communication method in the first place, email is, unfortunately, the most susceptible to fraud. 

Business email compromise (BEC) tops the list of the most financially damaging cybercrimes today. For example, the FBI reported that BEC scams resulted in over $1.8 billion in losses to businesses in 2020. The numbers continue to rise, with remote work-from-home policies accelerating BEC attacks by 71% over the past year alone.

Cybercriminals are attracted to email for much of the same reasons that businesses and consumers are—it’s quick, easy, convenient and used by so many people. But—perhaps most importantly—email enables fraudsters to remain anonymous and place themselves in between the parties involved in a transaction. If the attack is successful, cybercriminals can intercept the transaction and divert funds without anyone realizing until it’s too late.

Financial Services and BEC

Although BEC is a persistent issue for all businesses, the financial services industry is hit 300 times harder than any other sector. Additionally, wire fraud attacks and BEC have cost financial enterprises more than $26 billion within a three-year period. As cybercriminals take advantage of the pandemic-induced work-from-home policies and hybrid work, losses from BEC continue to rise and are now one of the biggest problems that financial services firms face, including venture capital, private equity and real estate firms. 

Fraudsters use BEC to exploit the fact that we all rely on email to conduct business. Financial services firms use email to communicate with clients, and these emails include sensitive information such as financial instructions, login information, login links and personal information that are sent and received within the body of the message. No matter how financial institutions and clients attempt to transfer sensitive information securely, fraudsters constantly adapt to new methods and technologies to ensure that they won’t miss out on a potential opportunity.

This is especially problematic for venture capital, private equity and real estate firms as they deal with large sums of capital. Fraudsters spend their time carefully crafting a deceptive email to employees and clients of these firms, knowing that many of the associated transactions could involve a large sum of money. In addition to targeting employees with deceiving emails, fraudsters rely on several BEC tactics to intercept transactions. 

Types of BEC Scams

Today, business email compromise, also known as email account compromise (EAC), is targeted and strategic. Rather than randomly selecting people from financial institutions or blanketing an entire firm with random emails, fraudsters try to first understand the financial firm before sending out a targeted BEC attack. BEC can also take several forms. Some of the most common types of BEC include: 

  • Spearphishing—Spearphishing is an impersonation attack targeted at a specific individual, department or business. Fraudsters target an individual or company and send a deceptive email that appears to be from a trusted source like the CEO, a supervisor, lawyer or vendor. Hackers often target lower-level employees who may not have the experience to tell a legitimate email from an illegitimate one and are more easily swayed to take action based on the urgency of the request. 
  • Email Spoofing—Email spoofing is a form of cyberattack in which a hacker manipulates the letters in an email account domain and sends an email to a target. When the individual receives the email, the fake email account looks so similar to a real one that it seems to come from a trusted source. 
  • Malware attacks—30% of organizations reported that more than 50% of links received within an email led to a malicious site. Hackers often insert a file or code within an email to breach a company’s networks and obtain access to sensitive information like email threads, invoices, login information and billing inquiries. Cybercriminals then use that information to create and send payment requests at strategic times so that they appear legitimate. 
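The email spoofing item above describes attackers altering letters in a domain so a fake sender looks trusted. The following detection logic is an added example, not code from the original article: it folds common look-alike glyphs, decodes punycode and measures edit distance against a constructed list of a firm's trusted domains, flagging near-misses for review before any payment instruction is acted on.

```python
import unicodedata

# Constructed list of trusted sender domains for a hypothetical firm; in practice
# this would come from the firm's address book or vendor master file.
TRUSTED_DOMAINS = {"examplecapital.com", "example-bank.com"}

# Small constructed map of characters fraudsters swap in for Latin letters.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}

def normalize_domain(domain: str) -> str:
    """Lower-case, decode IDNA (xn--) labels, then fold look-alike glyphs to ASCII."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw label and let distance decide
    d = unicodedata.normalize("NFKC", d)
    # Replace multi-character tricks ("rn" -> "m") before single characters.
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(src, dst)
    return d

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, inlined so the check needs no third-party package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (close to a trusted domain) or 'unknown'."""
    domain = address.rsplit("@", 1)[-1]
    if domain.lower() in trusted:
        return "trusted"
    folded = normalize_domain(domain)
    # Distance 0 after folding means the glyph tricks alone hid a trusted name.
    if any(levenshtein(folded, t) <= max_distance for t in trusted):
        return "lookalike"
    return "unknown"
```

A `lookalike` verdict is a signal to route the message for out-of-band verification, not proof of fraud, since unrelated domains can occasionally fall within the distance threshold.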

Preventing Wire Fraud

Financial enterprises need to be more vigilant than ever when it comes to protecting sensitive data. Unfortunately, thinking twice before sending every email and double-checking the validity of an email address can’t always be expected when employees have hundreds or more emails to respond to every week in addition to their daily tasks. Not to mention, if a business’ best line of defense is following “best practices,” it can become very hard to prove that they were followed, and there are few guardrails in place to ensure protection.

But a successful wire fraud or impersonation attack can cost a company far more time and money and cause permanent damage, such as harm to its reputation and loss of intellectual property. 

Although companies rely on two-factor authentication and cybersecurity training strategies to combat impersonation and BEC, fraudsters continuously adapt to these updated methods. Today, losses in BEC attacks are higher than ever, while email threats continue to rise to 80% in some sectors. 

MFA and Biometrics

Fortunately, technological innovation has made it possible to take preventative measures further with multifactor authentication (MFA) and biometric verification. MFA is an electronic security technology that requires users to present multiple authentication factors to verify their identity. For example, users can receive a text or call with a code that confirms their identity. MFA adds an additional layer of protection for companies and is a more robust form of verification than 2FA or password security alone. 

Another form of MFA is biometric verification. Biometric technology verifies an individual based on unique, biological characteristics like fingerprints, voice and/or facial recognition. Since these traits cannot be stolen or faked, companies that use MFA and biometrics can conduct business without having to worry about whether the person on the other side of the screen is in fact who they say they are. 

Financial services firms can now integrate these tools within their workflows to eliminate BEC attacks and wire fraud. With these tools, venture capital, private equity and real estate firms don’t have to worry about changing their workflows or taking days off to train their staff. Together, MFA and biometrics verification can eliminate the threat of impersonation, BEC and malware attacks for financial services firms by requiring users to verify their identity with unique characteristics which cannot be stolen, replicated or faked.
