There’s a tendency among some executives to think about business risks as a singular, monolithic problem. Either that, or they tend to direct their attention away from their most pressing threats.
For instance, a new global survey of 1,500 business leaders conducted by Microsoft found cyberattacks to be their top business concern. Seventy-nine percent ranked it in the top five worries; of those, 22 percent said cyberattacks were their number one business concern. Criminal activity like theft and fraud, on the other hand, was much further down the list, with only 37 percent of respondents saying it was in their top five concerns.
While cyberattacks are a serious matter, fraud attacks should be right up there, too. Part of the problem is the pace at which fraudsters develop new methods of carrying out attacks. You may be familiar with some tactics like synthetic identity theft or account takeover. However, one sophisticated new tactic—business email compromise—is becoming a major problem for online retailers, especially as the holidays draw near.
What is a BEC Attack?
With a business email compromise (or BEC) attack, the fraudster is not impersonating a cardholder. Instead, you can think of it as a kind of digital wire fraud.
The perpetrator uses a variety of tactics to gain access to an official email account. They may use spear phishing tactics to steal login credentials from a valid user. More and more, fraudsters are skipping this hurdle and simply using artificial intelligence (AI) to mimic emails of accounts they are impersonating. Then, while impersonating the owner of the account, the fraudster can spoof employees and customers into participating in the scheme.
Bad actors can use BEC attacks to accomplish a variety of goals. One common move is to take over a governmental email account from an entity like the Internal Revenue Service, then trick the recipient into paying supposed “penalties” to avoid legal action.
BEC impacts business too, though. Fraudsters may try to trick employees into transferring funds to their account, or even handing over sensitive customer information. Insurance giant AIG recently released data indicating that BEC-related insurance incidents were the top cyber-insurance claim filed by companies in 2018.
BEC can be damaging enough on its own. But more and more, BEC attacks are compounded by another consumer-facing fraud threat, ultimately hurting consumers and merchants alike.
BEC and Gift Card Fraud: A Dangerous Pair
Gift cards are extremely popular among consumers. They were a $160 billion market in 2018 just in the U.S. alone. That same year, 55 percent of consumers surveyed reported they were interested in giving or receiving digital gift cards that can be added to a mobile app or digital wallet.
The widespread popularity of gift cards has a downside, though, as fraudsters often use gift cards as a convenient method to cash-out after pulling off a scheme. Remember that IRS impersonation example mentioned earlier? Well, it’s not uncommon for criminals to demand payment from victims in the form of a digital gift card.
The cards are widely accepted, equivalent to cash, and mostly anonymous, making them very useful for fraudsters. The fraudsters can either use the gift cards themselves, or they can resell the cards.
This isn’t speculation; it’s a well-documented problem in the e-commerce market. One report recently released by Agari shows that gift cards are connected to roughly two-thirds of all BEC attacks. And, considering that BEC has resulted in $26 billion in losses since 2016, that translates to several billion dollars every year.
Although customers may pay for BEC fraud initially, the cost often gets passed along. The customer, looking to recover the money lost, may file a chargeback by claiming that the transaction was unauthorized. This is an example of what we call “friendly fraud,” or chargeback abuse, because even if fraud took place, the customer still authorized the transaction. Though not eligible for a chargeback, they file disputes anyway. The end result: you pay for the fraud loss.
How to Identify and Prevent BEC Attacks
There are two primary fronts on which you must contend with gift card fraud enabled by business email compromise. First, prevent fraudsters from taking over your email accounts; then, prevent your gift cards from becoming a target of fraudsters.
On one hand, requiring multifactor authentication on all company devices is now practical. This would significantly reduce the risk of bad actors gaining access to a legitimate email account; of course, it won’t necessarily have much impact on AI tools used to spoof email accounts rather than take them over.
It’s also important to adhere closely to the PCI DSS security standards. Requiring employees to lock their computer any time they step away from their desk, for instance, is a basic security best practice that may cut down on the threat of accounts getting hijacked. Other best practices include:
- Requiring employees to use their own login credentials at all times.
- Demanding strong, unique passwords that change on a regular basis.
- Logging all authentication requests and watching for suspicious devices or IP addresses.
- Flagging suspicious emails on your network to review the content.
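To show what “logging all authentication requests and watching for suspicious devices or IP addresses” looks like in practice, here is an added example (not code from the original article or from any vendor it mentions). It learns each user’s familiar IP/device pairs from an initial baseline window, then raises an alert for any later successful sign-in from an unfamiliar source, and a second alert when a success follows a burst of failed attempts. The log format, field names, thresholds and sample lines are all constructed for this example.

```python
"""Added example: spot sign-ins from unfamiliar devices or IP addresses.

The log format (timestamp, user=, result=, ip=, device=), the baseline window
and the failure threshold are assumptions made for this example, not the
behaviour of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: alice and bob sign in from their
# usual laptops, then alice's account is reached from an unknown device
# after several failed attempts in the middle of the night.
SAMPLE_LOG = """\
2023-11-01T08:02:11Z user=alice result=success ip=203.0.113.10 device=laptop-alice
2023-11-01T08:05:40Z user=bob result=success ip=203.0.113.22 device=laptop-bob
2023-11-02T09:10:05Z user=alice result=success ip=203.0.113.10 device=laptop-alice
2023-11-03T03:14:02Z user=alice result=failure ip=198.51.100.7 device=unknown-1
2023-11-03T03:14:09Z user=alice result=failure ip=198.51.100.7 device=unknown-1
2023-11-03T03:14:15Z user=alice result=failure ip=198.51.100.7 device=unknown-1
2023-11-03T03:14:21Z user=alice result=failure ip=198.51.100.7 device=unknown-1
2023-11-03T03:14:30Z user=alice result=success ip=198.51.100.7 device=unknown-1
2023-11-03T10:00:00Z user=bob result=success ip=203.0.113.22 device=laptop-bob
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(log_text, baseline_days=1, failure_threshold=3,
            window=timedelta(minutes=5)):
    """Return a list of alert dicts for the given log text.

    Successful sign-ins during the first `baseline_days` are treated as the
    user's known (ip, device) pairs. After that, a success from an unseen
    pair is flagged, as is a success preceded by `failure_threshold` or more
    failures within `window`.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    baseline_end = events[0]["ts"] + timedelta(days=baseline_days)
    known = defaultdict(set)            # user -> {(ip, device), ...}
    recent_failures = defaultdict(list)  # user -> [timestamps of failures]
    alerts = []

    for e in events:
        user, source = e["user"], (e["ip"], e["device"])
        if e["result"] != "success":
            recent_failures[user].append(e["ts"])
            continue

        if e["ts"] < baseline_end:
            known[user].add(source)     # learn the user's normal sources
            recent_failures[user].clear()
            continue

        if source not in known[user]:
            alerts.append({"ts": e["ts"], "user": user, "kind": "new_source",
                           "ip": e["ip"], "device": e["device"]})
            # Not added to `known`: a new source should only become trusted
            # once someone has reviewed the alert.

        fails = [t for t in recent_failures[user] if e["ts"] - t <= window]
        if len(fails) >= failure_threshold:
            alerts.append({"ts": e["ts"], "user": user,
                           "kind": "success_after_failures",
                           "ip": e["ip"], "device": e["device"],
                           "failures": len(fails)})
        recent_failures[user].clear()

    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

Run against the constructed log, both alerts land on alice’s 03:14:30 sign-in from 198.51.100.7, which is exactly the event a reviewer would want to see before any payment instruction sent from that mailbox is acted on. Bob’s sign-ins from his usual laptop produce nothing.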
It may also be a good idea to look into securing cyber liability insurance for your business. This way, even in the event of a breach tied to BEC, you could be insulated from the worst impacts.
Of course, defending against internal BEC is only one part of the equation; as mentioned, you need to ensure your gift cards are being purchased for legitimate purposes. If, for example, you notice a new customer purchasing a high-dollar-value gift card, that should be regarded as suspicious. The best option is to try to manually verify such transactions, ensuring your customers are legitimate.
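As an added example (not code from the original article or from any fraud platform), here is a small review-queue rule set for gift card orders. It implements the article’s own rule, a new customer buying a high-value gift card, and goes one step further with two standard gift card signals the article does not spell out: an unusually large number of cards in one order, and a high total gift card value from one customer within a short window. The order fields, thresholds and sample orders are all assumptions made for this example.

```python
"""Added example: route risky gift card orders to manual verification.

Field names, thresholds and the sample orders below are constructed for this
example; they are not taken from any real merchant or fraud product.
"""
from datetime import datetime, timedelta

HIGH_VALUE = 500.00              # assumed: total card value that is "high-dollar"
NEW_ACCOUNT = timedelta(days=7)  # assumed: account younger than this is "new"
BULK_CARDS = 5                   # assumed: this many cards in one order is unusual
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 1000.00         # assumed: total card value per customer per window


def review_reasons(order, history):
    """Return the list of reasons `order` should be manually verified.

    order:   dict with order_id, customer_id, placed_at, account_created,
             card_value (per card) and card_count
    history: this customer's earlier orders, same shape
    """
    reasons = []
    account_age = order["placed_at"] - order["account_created"]
    total = order["card_value"] * order["card_count"]

    # The article's rule: a new customer buying a high-value gift card.
    if account_age < NEW_ACCOUNT and total >= HIGH_VALUE:
        reasons.append("new_customer_high_value")

    # Extension: many cards in a single order.
    if order["card_count"] >= BULK_CARDS:
        reasons.append("bulk_cards")

    # Extension: cumulative gift card value from this customer in the window.
    recent = sum(h["card_value"] * h["card_count"] for h in history
                 if order["placed_at"] - h["placed_at"] <= VELOCITY_WINDOW)
    if recent + total > VELOCITY_LIMIT:
        reasons.append("velocity")

    return reasons


def triage(orders):
    """Process orders in time order and return [(order_id, reasons), ...]
    for every order that needs a manual check."""
    history = {}
    queue = []
    for o in sorted(orders, key=lambda o: o["placed_at"]):
        prior = history.setdefault(o["customer_id"], [])
        reasons = review_reasons(o, prior)
        if reasons:
            queue.append((o["order_id"], reasons))
        prior.append(o)
    return queue


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


# Constructed sample orders: c1 is a long-standing customer, c2 signed up
# the day before ordering.
SAMPLE_ORDERS = [
    {"order_id": "o1", "customer_id": "c1", "placed_at": _ts("2023-11-20T10:00"),
     "account_created": _ts("2021-03-01T09:00"), "card_value": 50.0, "card_count": 1},
    {"order_id": "o2", "customer_id": "c2", "placed_at": _ts("2023-11-20T11:00"),
     "account_created": _ts("2023-11-19T22:30"), "card_value": 500.0, "card_count": 1},
    {"order_id": "o3", "customer_id": "c1", "placed_at": _ts("2023-11-20T12:00"),
     "account_created": _ts("2021-03-01T09:00"), "card_value": 100.0, "card_count": 6},
    {"order_id": "o4", "customer_id": "c1", "placed_at": _ts("2023-11-20T13:00"),
     "account_created": _ts("2021-03-01T09:00"), "card_value": 400.0, "card_count": 1},
]


if __name__ == "__main__":
    for order_id, reasons in triage(SAMPLE_ORDERS):
        print(order_id, reasons)
```

On the constructed orders, o1 passes, o2 is held because a day-old account is buying a $500 card, o3 is held for six cards in one order, and o4 is held because c1’s gift card spend in the last 24 hours has passed the velocity limit. The output is a queue of reasons rather than a block decision, which matches the article’s advice to verify such orders manually rather than reject them outright.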
The only way to completely eliminate BEC-enabled gift card fraud would be to stop issuing gift cards entirely. Given the popularity of gift cards, though, that’s obviously not a desirable solution. But, by embracing fraud mitigation best practices, you can keep successful fraud attacks to a minimum.