Cybersecurity Alert: BEC Scams and Tips to Avoid Being a Victim
By Hanne-Lore M. Gambrell & Craig S. Horbus on May 13, 2019
Last week, leaders at St. Ambrose Parish in Brunswick, Ohio reported that sophisticated hackers stole approximately $1.75 million from the church that was slated to be used for renovations.
Father Stec wrote a letter to the local news stating that he had been contacted by the contractor which had been retained to renovate the church, stating that they had not been paid for the last two months. The Parish was surprised to learn that the payments had never been received by the contractor.
The FBI and Brunswick police then discovered that hackers had compromised the Parish’s email system. A masked email appearing to be from the contractors had been created to convince the Parish and its bank to wire money to a fraudulent account overseas.
Unfortunately, this is just one of many recent attempts by hackers to intercept and redirect wire transfers. Brouse McDowell’s cybersecurity team has seen a number of people and businesses victimized by similar business e-mail compromise scams (BECs) skyrocket. BEC scams are difficult to detect because scammers are many times using real email accounts that they have compromised and gained access to, so the information appears to come from a trustworthy source.
The following are some tips to avoid being caught in a BEC scam:
- Be suspicious of requests for secrecy or pressure to take action quickly. Hackers often target events to occur when key members of the team are out of the office.
- Always confirm wire requests and try to find a second phone number online; hackers will frequently include fraudulent masked confirmation phone numbers in their emails.
- Be aware of a sudden change in businesses practices. In many BEC scams, hackers have compromised the email systems months in advance before the fraud occurs as they monitor the emails for opportunities to strike.
- Scrutinize all email requests for anything out of the ordinary. If an email request seems suspicious, it probably is.
- Do not send a wire transfer without confirming the receiving bank’s swift code.
Brouse McDowell cannot stress how important it is for our clients to maintain best practices when it comes to data privacy and cybersecurity; we are here to help navigate these tricky waters. Brouse McDowell offers legal services related to data privacy and cybersecurity, including pre-breach and cybersecurity planning services, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Contact us for more information.