The U.S. EPA OIG issued a fraud alert (attached) to highlight the all-too-common and costly form of phishing known as business email compromise (BEC). In this convincing scam, criminals use fraudulent emails that appear to come from known and trusted sources to gain access to company email accounts and to target organizations that make or receive financial transactions. These emails may originate from lookalike (spoofed) email accounts or from legitimate email accounts that were compromised through earlier phishing campaigns. Using information gathered from those successful phishing campaigns to impersonate a representative of the trusted entity, the criminals deceive personnel into transferring funds or sensitive information under the guise of a legitimate business request.
The EPA OIG offers the following guidance that can help your organization protect against BEC:
- Create organizational policies for receiving new payment instructions, including a multistep process to verify new payment instructions.
- Employ email security systems that can detect phishing attempts, domain spoofing, and other cyber threats, and use two-factor authentication to combat account compromise.
- Train staff regularly on cybersecurity best practices and how to recognize phishing emails and require them to report phishing attempts—even seemingly minor ones.
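As an added illustration of the second recommendation (not code from the EPA OIG alert), the following triage script flags the BEC indicators described above: a sender domain that is a lookalike of a trusted partner domain, a trusted domain whose message did not pass DMARC, a Reply-To that diverges from the From address, and body text requesting a change to payment instructions. The trusted-domain list, substitution table and sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr
# Constructed trusted-partner list, substitution table and sample message (placeholders, not from the alert).
TRUSTED_DOMAINS = {"example-vendor.com"}
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
PAYMENT_TERMS = ("new bank account", "updated payment", "wire transfer", "remittance")
SAMPLE = """From: "AP Desk" <billing@exarnple-vend0r.com>
Reply-To: ap-desk@mail-example.net
Authentication-Results: mx.example; dmarc=none

Please use our new bank account for the next wire transfer.
"""

def normalize(domain):
    """Fold common visual substitutions so 'exarnple-vend0r.com' compares as 'example-vendor.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d

def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze(raw):
    """Return the BEC indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in TRUSTED_DOMAINS:
        if "dmarc=pass" not in auth:  # trusted domain but not authenticated: possibly spoofed
            findings.append("trusted-domain-not-authenticated")
    else:
        for trusted in TRUSTED_DOMAINS:
            if normalize(from_domain) == trusted or edit_distance(from_domain, trusted) <= 1:
                findings.append("lookalike-domain:" + from_domain)
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch:" + reply_domain)
    body = msg.get_payload().lower()
    if any(term in body for term in PAYMENT_TERMS):
        findings.append("payment-instruction-change")
    return findings
```

A payment-instruction-change finding on its own only means the message should go through the multistep verification process from the first recommendation; combined with a lookalike or unauthenticated sender it is a strong BEC signal.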
Similarly, CISA recently shared its “Cybersecurity Emotions” series, which describes the social engineering tactics that threat actors commonly use in attacks such as the BEC scheme mentioned above. Each “emotion” is described and explained in relatable terms, giving organizations material to help train users to recognize these common tactics.
For more details about the Fraud Alert, see the U.S. EPA OIG official site.