Business Email Compromise (BEC) is among the most pervasive cybersecurity threats facing financial institutions today. In 2018, the FBI's Internet Crime Complaint Center (IC3) issued its Internet Crime Report, outlining the most substantial dollar losses for all reported internet crimes during that fiscal year. The sum of those losses more than doubled year over year to more than $1.2 billion, averaging $63,000 per cyber incident.
Cyber insurance carriers confirm these figures. According to a report published by Beazley Breach Response, cybercrime incidents that began with email compromise rose 133% from the previous fiscal year. Almost a quarter of cybercrimes handled by cyber insurance companies originated with a BEC incident, a figure that more than doubled in less than one year and continues to climb.
We based the following guide to stopping BEC on expert advice from financial industry executives with extensive experience in financial controls who now work for money transfer firms that regularly move billions of dollars a year.
Protecting your company from Business Email Compromise
Why safeguard your organization from BEC? Foremost, wire fraud remains a persistent threat, and it usually starts with a compromised email account. Expert cybersecurity analysts explain that there are essentially three core pillars to Business Email Compromise and wire fraud prevention.
We’ll later discuss these approaches to BEC in more detail, but they are as follows:
- Fully Committed Management
- Two-Factor Authentication Verification (2FA)
- Impenetrable Release Procedures
Preventing BEC is fundamentally a task reserved for your company’s leadership team. Success at preventing BEC and wire fraud is inextricably tied to management staff committing to cybersecurity protocol. Only after management “buys in” to the cybersecurity program, as it were, are they able to set a consistent example that permeates throughout the entire company.
If your leadership staff elects to cut corners on data security, this places the company at considerably more risk for Business Email Compromise. Senior technicians at PCH Technologies told us that when managers circumvent network security protocol, it conveys the message that, concerning financial control practices, these protection measures are merely guidelines. In this scenario, the company remains at substantial risk for BEC and wire fraud incidents.
Loose cybersecurity practices within a financial institution are hard to justify, given the cost associated with a BEC event. However, it is a pervasive problem among many companies and their financial operation controls. Criminal cyber attackers target businesses known for a lax application of financial controls. If your leadership team fails to adhere to sound cybersecurity protocol, as established by company policy, the rest of your employees will likely follow suit.
Two-Factor Authentication Verification
A large and growing number of companies are turning to Two-Factor Authentication (2FA) and Dual Release Controls to verify and secure their customers' credentials. Indeed, many financial institutions have made it mandatory before sending money out of a bank account.
The purpose of Two-Factor Authentication is to impose hard, mechanical controls on customer account access and money-moving activities. The primary upside to such requirements is that the control is hard-wired in such a way that it cannot be circumvented through an alternative process unless the customer is manually verified by the financial institution by phone, chat, or another secure internal mode of communication.
Organizations that deliver commercial banking and money transfer services but do not offer Two-Factor Authentication via an authenticator application are providing a considerably less secure service than those that require 2FA.
The only reliable path to preventing BEC is to provide some combination of hard financial controls and soft procedural controls. Effective use of 2FA requires consistent engagement across the board and without exception. Banks that fail to supply consumers with these controls are practicing outmoded security protocols and should consider upgrading their procedures sooner rather than later.
Impenetrable release procedures
Some banking and money remittance executives may object to implementing additional soft controls because they are resource-intensive. The controls outlined in this section, however, amount to little more than 45 additional seconds for every approved transaction.
The best practice and framework for approving and releasing a wire is as follows:
- Establish a secure internal channel for your finance department to initiate and release wires
- Generate a basic template for initiating and releasing ACH transfers and wires
- Should any of the above steps become impossible, call the customer by phone
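As an added illustration (not part of the original guide and not PCH Technologies' software), the following Python sketch encodes the three release controls above as a single pre-release check: the template fields must be complete, the instruction must have arrived through the internal channel rather than by email, the initiator and releaser must be different people whose sessions passed 2FA, and any failed control routes the wire to a phone callback on the number already on file. The channel name, template fields and user names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example; the names below are assumptions, not a real product's configuration.
INTERNAL_CHANNEL = "treasury-portal"   # the secure internal channel for wire instructions
TEMPLATE_FIELDS = ("beneficiary", "account", "amount", "currency", "reference")


@dataclass
class WireRequest:
    fields: Dict[str, str]          # values filled into the release template
    channel: str                    # where the instruction arrived ("treasury-portal", "email", ...)
    initiator: str                  # user who entered the wire
    initiator_2fa: bool             # initiator's session passed 2FA
    releaser: Optional[str] = None  # second approver, if any
    releaser_2fa: bool = False      # releaser's session passed 2FA


def check_release(req: WireRequest) -> Tuple[str, List[str]]:
    """Return ("release", []) or ("callback", reasons).

    Every failed control sends the wire to a phone callback with the customer;
    the callback must use the number already on file, never a number supplied
    in the instruction itself.
    """
    reasons: List[str] = []
    missing = [f for f in TEMPLATE_FIELDS if not req.fields.get(f)]
    if missing:
        reasons.append("template incomplete: " + ", ".join(missing))
    if req.channel != INTERNAL_CHANNEL:
        reasons.append(f"instruction arrived via {req.channel}, not {INTERNAL_CHANNEL}")
    if not req.initiator_2fa:
        reasons.append("initiator session not 2FA-verified")
    if req.releaser is None:
        reasons.append("no second approver (dual release)")
    elif req.releaser == req.initiator:
        reasons.append("initiator and releaser must be different people")
    elif not req.releaser_2fa:
        reasons.append("releaser session not 2FA-verified")
    return ("release", []) if not reasons else ("callback", reasons)


if __name__ == "__main__":
    good = WireRequest(dict(zip(TEMPLATE_FIELDS, ["Acme Ltd", "GB00TEST", "25000.00", "USD", "INV-1042"])),
                       INTERNAL_CHANNEL, "alice", True, "bob", True)
    print(check_release(good))
    # Classic BEC pattern: the instruction arrives by email and one person tries to self-release.
    bad = WireRequest(good.fields, "email", "alice", True, "alice", True)
    print(check_release(bad))
```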
Expert resources are available
Fortunately, Business Email Compromise and wire fraud are highly preventable cybersecurity threats. There are several options for advanced software and machine learning on the market to bring your financial organization up to date.
PCH Technologies offers cutting-edge cybersecurity solutions to leading financial organizations, including machine learning to better protect them from the growing threat of cyber incidents resulting in wire fraud.
Schedule a quick discovery call with PCH Technologies by calling 844-754-7500 to learn more about how their experience and expertise can protect your financial institution from Business Email Compromise today.