Protected Voices: Business Email Compromise

Hello, I’m Jay, a program coordinator for the FBI. In this video I’ll discuss how to recognize and protect your campaign from a type of fraud known as business email compromise.

In a business email compromise scheme, the hacker gets into an organization’s email system and, after watching and studying the normal course of business for a little while, injects his or her own email text into a conversation.

How might this happen in a political campaign? An attacker could use a vendor’s own email account to send new payment instructions to the campaign’s billing office. If the instructions come from a known email account, the campaign might be fooled into honoring them.

Want some real-world examples? One U.S. business was buying products from its regular Chinese manufacturer when it was tricked into wiring a payment of more than $150,000 to a fraudster’s account in a bank not used by the Chinese business. Another U.S. business lost $140,000 after negotiating a deal with a vendor and paying $20,000 for the initial fees. After the initial fees were paid, a fraudster – who’d hacked into the vendor’s account – instructed the U.S. business to make the final payment to a Hong Kong bank account he controlled.

Business email compromise has evolved from an email spoofing scam – where a fraudster creates a spoofed email that looks like the original by, for example, replacing the letter “o” with the number zero.

Political campaigns could be particularly vulnerable to business email compromise because of the constant flow of money into the campaign from relatively unknown donors and the large number of invoices from vendors throughout the campaign.

Protecting yourself from business email compromise is a two-front effort. You need to: defend your own email accounts to keep a hacker from impersonating you, and get into the habit of evaluating incoming emails for compromise.

Here are some specific steps your campaign can take to protect itself from business email compromise:

Lock down your campaign’s email accounts. Use multi-factor authentication, strong passphrases and secure Internet connections. See our other Protected Voices videos for help.

Keep campaign accounts separate from personal accounts. While any email can be compromised, separating accounts minimizes the number of entry points and keeps problems from spreading.

Establish out-of-band communication: Use some other form of communication, such as a telephone call, to verify transactions over a particular dollar amount. And set up this verification process early in the campaign’s relationship with the firm in question. Furthermore, don’t use email to set up the verification process.

Confirm significant changes: Beware of sudden changes in business practices. For example, if a campaign vendor suddenly asks the campaign to contact him or her at a personal email address when all previous official correspondence has been on a company email, verify via other channels that you are still communicating with your legitimate business partner.

Consider using forward instead of reply: Instead of hitting reply on important emails, use the forward option and either type in the correct email address or select it from your email address book to ensure you’re using the real email address.

Consider adding a banner to flag emails that come from outside your campaign: This is a simple way to remind campaign staff members and volunteers to give a little extra scrutiny to external emails. It can also identify when a hacker creates a fraudulent domain that looks similar to the campaign’s legitimate domain.

Business email compromise can be both expensive and embarrassing. Fortunately, there are many steps your campaign can take to lower your risk. Remember, your voice matters, so protect it.
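The external-email banner and look-alike-domain check described in the video, as an added example that is not part of the FBI video or this transcript: a small Python routine that parses an inbound message, classifies the sender domain as the campaign's own, a vendor verified out of band, or a look-alike (after collapsing letter-for-digit swaps such as "0" for "o"), and also notes when a Reply-To header would send replies somewhere other than the apparent sender, which is what the "forward instead of reply" advice guards against. The domain names and the three sample messages are constructed for illustration and are assumptions, not data from the page.

```python
"""Flag external, look-alike and reply-to-redirected senders in inbound email.

Added example. All domains and messages below are constructed for
illustration; none come from the original Protected Voices transcript.
"""
import difflib
import email
import email.utils
from email import policy

# Hypothetical domains: the campaign's own, plus vendors whose payment
# details were verified out of band. Anything else is "external".
CAMPAIGN_DOMAINS = {"examplecampaign.org"}
KNOWN_VENDOR_DOMAINS = {"print-vendor.example"}

# Characters attackers swap for visually similar ones (the "o" vs "0" trick
# the video mentions, plus a few common relatives).
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain: str) -> str:
    """Collapse confusable characters so 'vend0r' and 'vendor' compare equal."""
    d = domain.strip().lower().translate(_CONFUSABLE_CHARS)
    for pair, repl in _CONFUSABLE_PAIRS:
        d = d.replace(pair, repl)
    return d


def classify_domain(domain: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    norm = normalize_domain(domain)
    for t in trusted:
        t_norm = normalize_domain(t)
        # Same string once confusables are collapsed: a deliberate look-alike.
        if norm == t_norm:
            return "lookalike"
        # Also catch single-character edits and transpositions.
        if difflib.SequenceMatcher(None, norm, t_norm).ratio() >= 0.9:
            return "lookalike"
    return "external"


def _domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as 'Dana <a@b.example>'."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze_message(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return the verdict plus banner text (or None)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain_of(str(msg.get("From", "")))
    reply_to = msg.get("Reply-To")
    reply_domain = _domain_of(str(reply_to)) if reply_to else from_domain
    trusted = CAMPAIGN_DOMAINS | KNOWN_VENDOR_DOMAINS
    verdict = classify_domain(from_domain, trusted)
    mismatch = reply_domain != from_domain

    lines = []
    if from_domain not in CAMPAIGN_DOMAINS:
        lines.append("EXTERNAL: this message came from outside the campaign.")
    if verdict == "lookalike":
        lines.append(f"WARNING: '{from_domain}' resembles a trusted domain but is not one.")
    if mismatch:
        lines.append(f"WARNING: replies would go to '{reply_domain}', not to the sender.")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "verdict": verdict,
        "reply_to_mismatch": mismatch,
        "banner": "\n".join(lines) or None,
    }


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = (
    b"From: Dana <billing@print-vendor.example>\r\n"
    b"To: treasurer@examplecampaign.org\r\n"
    b"Subject: Invoice 2231\r\n\r\nInvoice attached.\r\n"
)
SPOOFED_MESSAGE = (
    b"From: Dana <billing@print-vend0r.example>\r\n"
    b"Reply-To: dana.billing@webmail.example\r\n"
    b"To: treasurer@examplecampaign.org\r\n"
    b"Subject: Re: Invoice 2231 - updated bank details\r\n\r\n"
    b"Please wire the final payment to our new account.\r\n"
)
INTERNAL_MESSAGE = (
    b"From: Jay <jay@examplecampaign.org>\r\n"
    b"To: all@examplecampaign.org\r\n"
    b"Subject: Staff meeting\r\n\r\nSee you at noon.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        r = analyze_message(raw)
        print(f"{name}: {r['verdict']}, reply-to mismatch={r['reply_to_mismatch']}")
        if r["banner"]:
            print(r["banner"])
```

The banner text is what a mail gateway would prepend to the body or subject; the "lookalike" verdict is the machine-readable hook for routing the message to the billing staff's review queue rather than straight to an inbox. A legitimate vendor still gets the plain EXTERNAL banner, which is the point: the video's advice is to scrutinize every outside message, not only the ones that already look wrong.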

About the Author: Oren Garnes
