Business Email Compromise (BEC) Scams


Paul Martin and Colin Rooke discuss the dangers of Business Email Compromise (BEC) scams.

Listen to the full podcast here, or read the transcript below.

Paul Martin:

Welcome to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, the business commentator, and joining me, our usual man across the desk in the studio, is Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. And Colin, over the course of the last few years as we’ve done this program, we’ve spent an awful lot of time on cyber: cyber coverage, cyber threats, that whole word “cyber”. It’s in the news every day. We’re always hearing about scams and people being hit, whether that’s ransomware or their data being held hostage or whatever. Even in the face of all of that and that conversation, there’s still a lot of people who don’t really, truly understand what we talk about when we say cyber, cybersecurity, cyber threats. It’s one of those words that’s in the lexicon, but you ask somebody to define it and it gets a little bit more challenging. And you see this in the world of business all the time as you’re trying to explain to people, “This is a real threat to your enterprise.” And they nod their heads, but their eyes kind of glaze over at the same time; they have a hard time grasping it. What are you seeing with this when you bang on a business owner’s door and you say, “Let’s talk cyber and the threats that are associated with it and the implications for your insurance coverage”? What are you hearing back from them?

Colin Rooke:

Yeah, that’s a really good point. We were in meetings actually with a cyber liability insurer at the office here, and we talked about that. There was a period where cyber was considered new, and you think about the Target attack and it hit mainstream news, and then cyber went quiet for a really long time, and now it’s on the forefront. You can listen to the news, they’re talking about data breaches. There was another very large one and it had a breach, it’s on the news now, and so it is top of mind, you can’t ignore it. You can no longer pretend you didn’t know what it was or much about it. But despite all the information out there, there’s still a giant misconception as to what is it? What does it entail? What are my risks? And as evidenced by when we beat the door down, as you said, we often find ourselves faced with trying to explain that when we’re talking about cyber, we’re not worried about your backups.

The idea that you say, “Oh, all of our data is stored off site, we’re fine.” That’s not what this is. And then, “We don’t do a lot of credit card transactions,” or “We don’t store any credit card information.” I just wanted to dispel that myth; that is also not what we’re talking about. We’re not concerned with that at all. I mean, backups are assumed. In fact, if you didn’t have backups, there’s no cyber liability insurer, anyway, that’ll quote you. So the idea that I say “my data,” that is not what we’re talking about. So we’ve developed this guide that really explains in layman’s terms, if you have a breach, what is actually going to happen to you? What is it going to look like? And for the most part, it’s Business Email Compromise, that’s where it starts, or BEC scams. And so we’ve got this guide that we’re happy to distribute to anyone that wants to learn more, but I think it really does a great job of just walking you through what happens: how are you targeted, why are you targeted? What are they after? How do they know they’re after it? And so we can send this out, you can read it. It’s something that you could distribute to the whole organization and just ask people to have a quick read. It’s not a detailed incident response plan. There’s nothing that anyone has to do, but it’s full of these kind of “ahh”-type moments of what we are talking about when you have a breach, why they do it and what the result is, ultimately.

Paul Martin:

I get a thought that comes to mind here when you’re doing it, and it’s kind of a throwback to the 50s of Desi Arnaz saying to Lucy, “You got a lot of ‘splainin to do here.” You must be very frustrated when you look at business people and all they hear is, you’re talking away and they hear “Wa wa wa,” and this cybersplaining that’s going on. I mean, it’s as much about education as it is about identifying the threats, isn’t it? It’s just trying to get people to get their head around understanding the breadth and the width of this challenge that we’re all facing.

Colin Rooke:

Yeah, a tough one, right? Because you think, just to use Target, a very, very old breach. I mean, let’s assume that Target would have a larger IT budget than most, and so to be able to say, well…

Paul Martin:

This is Target, the department store in the US. I mean, a major, big, publicly-traded retailer known globally.

Colin Rooke:

Exactly. So is it honestly possible that a smaller enterprise has it all figured out, and giant Target just didn’t have backups? They didn’t have malware protection? It was a targeted attack. In fact, I haven’t mentioned this in years, but I actually met and worked with the broker who handled the claim from the plumbing and heating company that caused the whole Target breach, and all it was, was a very simple business email compromise. And so they thought they were dealing with Target and sent some things to Target they shouldn’t have. So they let the malware in, passed it along, and that’s that.

When you talk about, again, Business Email Compromise scams, all this is a cyber criminal impersonating what seems like a legitimate source, like a senior-level employee, supplier, vendor, partner, ad rep, someone that you regularly do business with. So gone are the days where it’s the Saudi prince that’s going to send you millions, or the misspelled or odd-looking letters. They don’t do that; they put a lot of time and effort in. And the average cost across North America of a successful BEC scam is $4.9 million, and so they put the work in. So how do they get there? How do you become a target? Well, it’s not mass email. It’s not because you’re on the dark web. They pick you out. They go to your company’s website, they look at your LinkedIn page, they look at key individuals. They want to know their social media profiles. What they do, they want to know the hierarchy within the organization.

I mean, they read every email, post, every company bulletin, newsletter, and then they come up with a plan of attack. And to make matters worse, with the help of AI, they can do this in seconds. What used to take months, they can do in a few seconds, all that intel, but it’s all very deliberate, because they’re looking for key people in a vulnerable situation working on a known subject. So how does it start? A ton of research. Then, when the research is done and they know as much as they can about the organization, they pick a target: one person. They deliberately go after one person that they think they can influence, and they’re very good at it. And all the eggs go into this basket, and you are the focal point prior to launching the attack.

Paul Martin:

All right, we’ve got to take a little break here, but you made a comment or a statement that I want to really come back and pursue when we come back. You said “they,” meaning the bad guys, put the work into it, and I guess we can learn from that, so we’ll talk about that. You’re listening to Risky Business Commercial Insurance with Butler Byers. We’re going to take a little break, back after this.

Welcome back to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, and joining me, Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. And just before the break, you alluded to the fact that the cyber attacker, the criminal, puts in the work. They do the research, they prepare to take you on, to come at you with a very pointed, deliberate process. And I guess the message in that for business owners is you too have to do the work to protect yourself, to repel or rebuff these attacks. Is that a fair comment?

Colin Rooke:

Yeah, really good point. I mean, they’re going to spend a ton of time learning about your organization before they select an individual and they launch malware, malicious malware. And so by the time that person is selected, they’ve got a lot of, well, they have a big investment in this breach. And so back to why this guide was developed, this is part of the answer. This is part of the mitigation of a potential attack: to at least understand what’s happening and why. It is pretty common for executives to blame someone in the front office: “It was probably this temp worker who wasn’t paying attention and clicked something they shouldn’t.” Nope, not true. They want the accounts of individuals that have access to funds, access to sensitive data, HR personnel that have payroll and employee data. They’re after the top. This is not an entry-level-position type scam.

Paul Martin:

It’s an interesting point that you will talk to the business leader in an organization. They may have a couple of hundred employees. In all likelihood, the message you delivered to the owner or the CFO probably doesn’t leave that office; it’s not transmitted through the organization. But at the same time, as you say, it’s people with access to the funds that are the target. So it’s probably the leader who’s actually the most vulnerable in all of this, which is ironic, isn’t it?

Colin Rooke:

I can say with certainty that I don’t have a real stat here, but I’ll say most of the time the person that I am speaking to about the nature of the risk is also the one that calls me saying, “I made a mistake and I don’t know what to do.” But for those that are uneducated, they typically would say, “Well, it won’t be me. It’ll be someone under me.” But it doesn’t make any sense to target someone with no access. I mean, if you’re going to impersonate someone, if you’re going to trick someone into moving a large sum of money, it’s going to be CEO asking CFO. There’s going to be an urgency to it. And furthermore, and why we have this guide, is you’ll say, “Well, years ago there was this fraudulent email that came through that loosely looked like Paul Martin, a whole bunch of spelling mistakes, some verbiage in there that I knew it wasn’t Paul. I deleted it and I learned my lesson.” Nope. When they launch the malware, not only do they follow, so when they pick their target, launch the malware, they follow everything you do, and then they learn who you interact with most. And then they launch malware to follow those people. And by the time they’re ready to trick you, they know how you think, what you do, when you do it. And they also know how the other end responds. Each and every time. They are experts; they know more about your patterns than you would know about your patterns. And then when these mistakes happen, it just seems like a regular course of business. You transfer a fund, you accept something from someone else. Oh, there’s a little hiccup. Please call the bank. You call the bank, you’re not talking to the bank. The bank sends another account number. You send it to that account number. Sometimes they go for a third. “I still didn’t get it. I don’t know what’s going on here. Try this one.” And then at some point someone says, “Hey, stop. I’m a little worried about this money.” And then you look into it: you never spoke to the bank. It never went where you thought, and either you have a breach or the vendor has a breach, but you’ve been tricked. And I guess that’s what I want to dispel today: in order to stop this from occurring, you need to understand who is targeted, why they’re targeted, and what types of tactics they use. A super interesting one that I guess really isn’t talked about. Well, actually two. Data theft. So you’ll get an email from what looks like your own IT people saying, “We’ve got a breach on the go. Please change all your passwords and do it quickly.” And again, you’re not even speaking to your own IT. You think you are, you change all the passwords, you’re being monitored and they steal. Or another one: how many people would question an email from their attorney? And so the attorney impersonation email only comes to you in the event that you’re regularly working with an attorney. So you’ve got some litigation underway, you’ve been writing some big checks for some time now, and lo and behold, a big check around the time they would ask for the money, or an attorney saying, “We’re able to settle, my advice is to do the following.” You call the attorney, the attorney answers, that’s AI, you send the settlement, it’s all fake. And so this guide, again, goes through all that so you can understand how the cyber criminal thinks, at minimum. So then you can prepare yourself better when it happens to you.

Paul Martin:

So I mean, this sounds a little bit daunting, right? I mean, not a little bit, a whole bunch daunting for the average person. We’ve got real lives to live and we’ve got real businesses to run, and to spend the time trying to grasp this as one of likely a dozen threats we have to worry about. This is why you’ve come up with this guide. You just make it really easy for people to, you short-circuit the system really by just saying, here’s a quick thing. How long would it take me to do it? What would I get out of it?

Colin Rooke:

Yeah, you can read it in five to 10 minutes. It’s not designed to be exhaustive, but it’s pretty all-encompassing. You would certainly get the gist, and there’s help in there. It’s not all, “This is what it is, this is how they’re going to get you.” It does talk about what you can do. And Paul, you and I have joked about this and we’ve talked about it on shows, but if the attorney reaches out urgently with a settlement, “Write a check, write a check,” and if the attorney says, “Oh, that wouldn’t be possible to take a check. We’ve got to have this thing firmed up in the next 17 minutes. Do a transfer.” You say, “Not a chance,” but they get you. They know your patterns, they know what you’re stressed out about, they know what’s on your mind. But yeah, so this guide walks you through what it is. It’s easy to circulate. You could put it right into your employee handbook, have people sign off on it once or twice a year. They’ve got to read through and sign off, but you’ll at least leave knowing, okay, I’ve got the basics. I’ve had a crash course, a mini masterclass in what Business Email Compromise scams are, how it is they’re going to get to you. And yet there’s still this myth out there that, “I know I’m not going to download a zip file, nothing good comes from zip files, no one uses them.” That’s right, they don’t. But they do use Dropbox, and it’s going to come from someone that regularly sends Dropbox files.

Paul Martin:

All right, well, a bit scary. But you know what? You can protect yourself. It is about, the bad guys are going to do the work, you might have to do a little work yourself. You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers. Today we’re talking about Business Email Compromise and a guide that you can call him up, or his office and his team, and just ask for a copy, and he’d be pleased to supply it to you. I’m Paul Martin, this is Risky Business. Thanks for joining us, we’ll talk to you next time.