- by Stuart Fuller, Head of Brand Services -
“Scammers posing as government agencies and local universities made off with $749,000 worth of goods after duping companies into delivering them.”
The location may have changed but the narrative could be the same the world over in the current pandemic situation, where fear, uncertainty and doubt have replaced caution, prudence and process in many organisations. The story relates to Singapore, a country known for its low levels of crime and respect for the law. That in itself is part of the issue: organisations have been too trusting in handling orders, taken in by fake purchase orders and dispatching goods and services without proper verification.
Singapore certainly isn’t alone in seeing a massive rise in purchase order fraud during the last six months. The global pandemic has forced many organisations to work remotely, which has disrupted some established governance processes and fragmented both approval processes and payment verification.
The rise in Business Email Compromise scams (BECs) follows the same pattern, preying on organisations whose normal authentication methods have been disrupted by the situation caused by COVID-19.
The FBI's Internet Crime Complaint Center's annual cybercrime report, released in February 2020, found that BEC schemes accounted for about $1.7 billion in losses in 2019. This number will have increased massively during 2020, with the Anti-Phishing Working Group reporting that the average loss from a BEC scam had risen by over 48% from Q1 to Q2 this year, to $80,000. Whilst to many global firms this is a small, almost negligible amount, to the millions of SMEs it could be a terminal event.
A recently uncovered Business Email Compromise scam has netted scammers more than $15m worldwide, according to risk analysis firm Mitiga. The scam has duped more than 150 organisations so far, using typosquatted domain names to make the requests to send payments look genuine.
In order to appear professional and authentic we all send emails that carry our signature and the requisite wording related to the status of our company; for instance, any organisation listed on a stock market needs to ensure its employees include a disclaimer as part of their signature. Fraudsters obtain this information and use it to give their scam emails authenticity. Someone who is used to making payments or dispatching goods on the basis of an email request may not think twice when they receive such an email, overlooking the typosquatted domain in the sender's address.
Employee education about the risks of BEC and purchase order scams is essential: organisations should regularly highlight cases, their impact and how to spot the fraud to all staff. But an effective domain name monitoring solution that can detect common typosquatted domains, including homoglyph domains that use mixed scripts (where an i may actually be an î or ï, for instance), is also essential and one of the most cost-effective defensive measures an organisation can take.
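To make the detection described above concrete, here is an added example (constructed for this page, not BrandShelter's product code nor anything from the author) that checks a sender domain from an invoice e-mail against a set of trusted domains. It decodes punycode, flags mixed-script labels, folds diacritics such as î and ï back to the ASCII letter they imitate, maps a handful of Cyrillic and Greek look-alikes, and catches one-character typos. The trusted domains, the confusables table and the sample senders are all constructed assumptions; a real deployment would use the full Unicode confusables list.

```python
import unicodedata

# Constructed trusted domains for this example (assumption: the organisation's own sender domains).
TRUSTED_DOMAINS = {"example.com", "acme-invoicing.com"}

# Hand-picked look-alike map for letters that do not decompose to ASCII under NFKD.
# Constructed subset; a real deployment would use the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic small byelorussian-ukrainian i
    "\u0131": "i",  # Latin dotless i
    "\u03bf": "o",  # Greek small omicron
}


def to_unicode(domain: str) -> str:
    """Decode any punycode (xn--) labels so the look-alike analysis sees the real characters."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed label: keep it as-is, it will not match anything trusted
        labels.append(label)
    return ".".join(labels)


def skeleton(domain: str) -> str:
    """Fold diacritics (î, ï -> i) and confusables (Cyrillic а -> a) to the ASCII string they imitate."""
    decomposed = unicodedata.normalize("NFKD", domain)
    out = []
    for ch in decomposed:
        if unicodedata.category(ch) == "Mn":  # combining mark (accent): drop it
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def scripts_in(domain: str) -> set:
    """Unicode script names (LATIN, CYRILLIC, ...) of the letters in the domain."""
    scripts = set()
    for ch in domain:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def analyse_sender_domain(domain: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify a sender domain as trusted, suspicious (with reasons) or unknown."""
    decoded = to_unicode(domain)
    if decoded in trusted:
        return {"domain": decoded, "verdict": "trusted", "findings": []}
    findings = []
    folded = skeleton(decoded)
    if len(scripts_in(decoded)) > 1:
        findings.append("mixed-script")
    if folded != decoded:
        findings.append("confusable-characters")
    for good in sorted(trusted):
        if folded == good:
            findings.append(f"homoglyph-of:{good}")
        elif edit_distance(folded, good) == 1:
            findings.append(f"typo-of:{good}")
    verdict = "suspicious" if findings else "unknown"
    return {"domain": decoded, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample sender domains as they might appear in an invoice e-mail's From: header.
    samples = ["example.com", "ex\u0430mple.com", "acme-\u00eenvoicing.com", "exmaple.com", "unrelated.org"]
    for sample in samples:
        print(sample, analyse_sender_domain(sample))
```

The same check can be run over a list of newly registered domains from a monitoring feed: anything that folds to one of your own domains, or sits one edit away from it, is worth an alert before the first invoice arrives.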
Setting up a BrandShelter Domain Name Monitoring solution is fast and delivers results quickly to organisations that want not only to reduce the cost of managing so many defensive domain names within their portfolio but also to stay one step ahead of the cyber criminals and their plans to defraud.