Protecting Your Organization from Direct Deposit Business Email Compromise (BEC) Scams
At Smart Computers and Consulting, we've observed a worrying increase in incidents involving direct deposit business email compromise (BEC) scams, as reported by numerous organizations. These aren't your typical phishing attempts. Direct deposit or payroll diversion scams are meticulously tailored to each organization they target. Cybercriminals impersonate an employee by creating an email address in the employee’s name and manipulating the display name to appear legitimate.
How It Works:
- Impersonation and Spoofing:
  - Gathering Information: The scam begins with cybercriminals conducting reconnaissance to gather information about the target organization and its employees. They identify key personnel in the payroll or human resources departments and gather details about their email addresses and communication patterns.
  - Creating Spoofed Email Addresses: Using this information, they create an email address that closely resembles that of a legitimate employee, often manipulating the display name to appear authentic. For instance, an email from "John Doe" might be spoofed as "johndoe@company.com" instead of the actual "john.doe@company.com".
- Crafting Deceptive Emails:
  - Personalized Messages: The attackers craft personalized emails that appear to come from a trusted employee, such as a senior executive or someone from the payroll department. These emails request changes to the employee's direct deposit information, directing the funds to a bank account controlled by the criminals.
  - Use of Urgency: The emails often contain urgent language, stressing the need for immediate action. This sense of urgency is designed to bypass typical scrutiny and expedite the fraudulent request.
- Use of Authentic Forms:
  - Locating Internal Forms: In some cases, the attackers go a step further by locating and filling out the organization's direct deposit change form. They may access these forms through compromised email accounts, internal servers, or public-facing websites.
  - Adding Legitimacy: By attaching a completed form to their deceptive email, the attackers add a layer of legitimacy to their request. This makes it more difficult for recipients to distinguish the fraudulent request from a genuine one.
- Timing of Attacks:
  - Exploiting High Activity Periods: These scams are often timed to coincide with periods of high activity within the organization. For example, at the beginning of a new school year, when educators and administrative staff are overwhelmed with preparations, school districts become prime targets.
  - Seasonal Patterns: Other high-risk periods include the end of the fiscal year, tax season, and major holidays, when employees may be distracted or on leave, increasing the likelihood of oversight.
- Sophisticated Deception:
  - Crafted to Perfection: While some of these emails may contain obvious spelling and grammatical errors, others are sophisticated and meticulously crafted, making them challenging to distinguish from legitimate communications.
  - Social Engineering Techniques: Attackers use advanced social engineering techniques, such as referencing recent company events, projects, or personal details, to build trust and credibility in their messages.
Protective Measures and Recommendations
To safeguard against these sophisticated scams, Smart Computers and Consulting strongly recommends that organizations adopt stringent procedures for authorizing changes to direct deposit information. This should include requiring dual levels of approval and obtaining verbal confirmation from the employee making the request. We also urge individuals to exercise caution with email communications, even those appearing to come from known contacts. Verifying requests through a direct phone call to the sender, using a number already on file, is a prudent step to confirm their authenticity.
Best Practices to Prevent BEC Scams:
- Dual Levels of Approval:
  - Implementing Checks: Require dual levels of approval for any changes to direct deposit information. This means that no single individual should have the authority to make these changes without secondary confirmation from another authorized person.
  - Internal Controls: Establish clear internal controls and procedures that outline the steps required for approving and processing direct deposit changes.
- Verbal Confirmation:
  - Direct Contact: Obtain a verbal confirmation from the employee or business making the request. This involves calling the employee directly using a known phone number (not the one provided in the email) to verify the request.
  - Multi-Factor Verification: Implement multi-factor verification methods, such as using secure messaging apps or in-person confirmations, to authenticate requests.
- Verify Requests:
  - Independent Verification: Always verify requests through a direct phone call to the sender to confirm their authenticity. This additional step can prevent fraudulent requests from being processed.
  - Verification Protocols: Establish protocols for independent verification of email requests, especially those involving financial transactions or sensitive information changes.
- Stay Vigilant:
  - Red Flags: Be vigilant for common signs of fraudulent emails, such as display name spoofing, unusual language, urgent requests, and unfamiliar sender addresses.
  - Regular Training: Conduct regular training sessions for employees to help them recognize and report suspicious emails. Encourage a culture of skepticism and verification.
- Awareness and Education:
  - Ongoing Education: Conduct regular awareness and education sessions on these tactics so that employees are less likely to fall victim to these scams. Provide employees with up-to-date information on emerging threats and best practices.
  - Simulation Exercises: Perform regular phishing simulation exercises to test employees' awareness of and response to potential scams.
- Maintaining Security Software:
  - Up-to-Date Protections: Keep anti-virus software, firewalls, and email filters up to date to reduce the risk of phishing and social engineering attacks. Regularly apply security patches and software updates to address vulnerabilities.
  - Advanced Threat Protection: Implement advanced threat protection solutions that can detect and block sophisticated email-based attacks.
- Report It:
  - Reporting Mechanisms: File a complaint with the FBI's Internet Crime Complaint Center at IC3.GOV. Reporting a crime makes the community safer and helps authorities track and combat cybercrime.
  - Incident Response Plans: Develop and maintain incident response plans that outline the steps to take when a scam is detected. Ensure employees know how to report suspicious activity quickly.
Stay Informed and Protected
Staying informed and vigilant is crucial in protecting your organization from these targeted email threats. For more insights and support on enhancing your cybersecurity measures, reach out to Smart Computers and Consulting, your trusted partner in safeguarding small and medium businesses and school districts.
Additional Resources:
By implementing these best practices and staying informed through trusted resources, you can significantly reduce the risk of falling victim to BEC scams and protect your organization's financial integrity.