A human resources representative at a small mining company received an e-mail purporting to be from the CEO and requesting employees’ W2 information. That rep—who had been trained on the risk of e-mail fraud just a month earlier—complied, providing the requested data to the source via PDF.
The problem: It was a business e-mail compromise (BEC) scam. Because HR hadn’t taken the time to confirm the request, highly-sensitive employee data was now in the hands of fraudsters.
The potential fallout from such a mistake is significant. Employees of the breached organization and their families are now at risk, as the scammers could monetize the stolen information by filing false tax returns with workers’ compromised Social Security numbers, as well as access past tax filings to steal personal data on spouses, partners, and dependents.
With the employee having recently been trained on avoiding such scams, HR also could face challenges. Some are questioning how seriously the department takes security issues, and the trust that employees and the leadership team put in the organization’s HR professionals has taken a hit.
BEC scams have been around a long time but they’ve become more sophisticated in recent years. These old scams are getting new twists, largely due to social media and the widening availability of valuable business information. Hackers can now gather insight online into how a business is run and who’s who in the hierarchy.
Fraudsters are able to target their scams to specific individuals, using their names and sometimes even nicknames, and they know who in the organization is likely to have the authority to request highly sensitive information. They also know to hit a business when things are busy, impersonating high-ranking people within the company and quickly extricating cash or data while everyone is too swamped to notice.
The W2 scam is a popular flavor at the moment, but other common BEC variants involve requests for wire transfers of large sums of money—either to a third-party “business partner” or sometimes to the supposed requestor directly—or for help in accessing other valuable accounts or internal systems.
Even with their increasing levels of sophistication, these attacks can still be avoided. Fortunately, HR is perfectly positioned to deploy some choice strategies that can help prevent the organization from becoming a BEC victim.
The risks of BEC
Criminals stand to reap big financial gains any time an organization falls for a BEC scheme. Wire fraud losses, for example, vary widely. Some companies have been being impacted for as little as $5,000, others a whopping half a million dollars. These scams hit companies big and small, and the FBI’s figures show the average loss to BEC victims is $130,000.
Near-term monetary rewards are the primary objective in most BEC scams, but cyber thieves may also target valuable data such as bank routing numbers, personnel lists, or salary details.
Other threats associated with BEC include the compromise of network credentials, which are often heavily guarded and can be difficult and time consuming for criminals to crack. This makes gaining quick access to internal databases and financial systems a tantalizing prospect for a determined crook.
With a well-crafted BEC, it may be much easier for a cyber thief to trick an unwitting employee into divulging passwords and protected account information than it is to hack into a system the old-fashioned way.
Why is BEC a threat to HR?
Human resources typically holds a privileged position within the organization. Executives share highly sensitive information—strategic, legal, and financial—with HR. In turn, it’s not uncommon for an executive to request the assistance of HR in a matter that requires a quick response or discretion in seeking additional approval, and that trusted relationship is exactly what cyber-thieves prey on when executing a BEC scam.
Compounding matters is the fact that HR is often the gatekeeper for the types of data these criminals use to initiate their ruse. Human resources is commonly the department that verifies employment and maintains personnel records. They also often have contact information and other details about board members, another layer of data that cyber criminals sometimes target.
In all, these scammers count on the recipients’ fear of disobeying upper management and they know that targeting employees who handle sensitive data offers the best chances of success. This puts the bull’s-eye squarely on the HR department.
Preparing the HR team against BEC scams
A solid preparation strategy is key in the fight against BEC threats. Since BEC scams are caused by human error, rather than a technology weakness or sophisticated hacking techniques, they often fall into the gray area between the IT and HR groups. With its focus on human capital, HR can step up and play a critical role in minimizing exposure to cyber threats by educating employees on these avoidable threats.
The first tool HR should leverage is education, both within the department and across the rest of the company. Employees must be aware of the risk of BEC and have the knowledge necessary to avoid becoming a victim.
In addition, the entire workforce should know what to do if they suspect a BEC exposure has occurred. The steps to limit BEC risks aren’t complicated, but some may not be obvious to employees trying to quickly respond to what appears to be valid, time-sensitive requests from senior-level management.
First, advise the executive and leadership teams that they should only use their company-provided e-mail account for potentially sensitive work-related activities. On the flip side, warn employees about the dangers of acting on any message that originates from a Google, Yahoo! or similar free e-mail address, as it’s far easier to forge e-mails using a service that’s outside the IT department’s control.
Employees who would normally process wire transfers, vendor invoices, incoming customer payments, and employee payroll need to be on the lookout for changes to established routines. Put protocols in place that require workers to verify any modification regarding where vendor payments are sent or who has authorization to increase signatory levels. Multistep verification processes are encouraged for wire transfers so that fraudulent transactions can be spotted and stopped.
The HR team can take steps internally to help protect the organization from becoming a BEC victim. Cyber criminals commonly use social media to harvest data about which individuals would make good targets and how companies operate, and HR professionals must be judicious about posting information about employees or the company’s dealings. Personal information on high-ranking leaders should be kept to a minimum, but even knowing who to contact within the HR team could get hackers one step closer to successfully carrying out a BEC scheme.
Given the tremendous level of financial and reputational harm that could befall a company that’s stricken with a BEC scam, organizations may also want to consider additional support tools. Cyber liability insurance is available to help provide protection from monetary damages and many policies include proactive tools such as assistance identifying weak processes and educating employees about good information security practices.