2025-2026 Pub. 4 Issue 2

BEC attackers rely on social engineering tactics to trick unsuspecting employees or executives. Often, they impersonate the CEO or an executive authorized to do wire transfers. They carefully research and monitor potential target victims and their organizations to know exactly whom to target and how to appear legitimate in their efforts.

Common types of BEC scams include:

1. Bogus Invoice: Attackers pretend to be a legitimate supplier requesting fund transfers or payment for an account or a false invoice.
2. CEO Fraud: Attackers pose as the company CEO or CFO and send an email to employees in finance or accounting requesting money to be transferred to an account under the attackers’ control.
3. Account Compromise: An executive’s or employee’s email account is hacked and is used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent accounts.
4. Attorney Impersonation: Attackers pretend to be lawyers or someone from the law firm in charge of crucial and confidential matters. These requests are often sent by email or phone at the end of the business day.
5. Data Theft: Attackers target employees in HR or bookkeeping to obtain personally identifiable information or tax statements from employees and executives. Such data can be used for future attacks.
6. Employee Payroll Direct Deposit: The fraudster contacts your payroll or accounting department, pretending to be an employee, to request that their direct deposit information be changed to a new account. The fraudster receives the payroll deposit, then closes the account and disappears.

Most of these scams don’t involve clicking suspicious links or opening untrustworthy attachments. They can appear entirely legitimate, bypassing spam or junk filters and reaching their intended targets unimpeded.
It is also important to note that many of these scams are typically not covered under most commercial property and casualty policies, except for a good cyber liability policy. It is vital that you and your management team follow these critical precautions:

• No wire transfers should be made without first verbally confirming them with the owner or someone who can attest to the legitimacy of the request and the specific transaction. Remember, once funds are transferred, it may be impossible to reverse or get them back!
• All invoices should be verified before payment, even if they appear legitimate. Keep in mind that the perpetrators may impersonate a vendor you already do business with.
• Never assume an email is from who it appears to be if it requests funds or payment. Always verbally confirm this information prior to transferring funds.
• Do not complete a request to change an employee’s direct deposit information until you confirm it with the employee directly.

Over the past several years, we have seen experienced owners, CFOs and controllers all be taken in by one or more of the BEC scams covered here. Scammers are excellent at deceiving you into believing they are legitimate. Requiring your managers to follow the recommended precautions can go a long way toward protecting your business from scams.

Please do not hesitate to contact me or any member of the insurance team for assistance or answers to specific insurance questions. You can contact me by calling (678) 428-9247 or emailing shawn_presnell@gada.com. You can contact David Crew, GDIC account executive of Middle/South Georgia, by calling (470) 303-9051 or emailing david_crew@gada.com. You can contact Matt Martinez, GDIC account executive of Atlanta/North Georgia, by calling (770) 570-8212 or emailing matt_martinez@gada.com.

11 THE GENERATOR
