How Does Business Email Compromise and the Recent LastPass Security Breach Affect you?

Fraud is always a hot topic, especially during holiday and tax seasons. Every person and business is at risk of fraudulent activity or a security breach through personal accounts, vendors, and other organizations they work with. Recently, LastPass announced it experienced a security breach. LastPass is a password management software that helps you manage the many usernames and passwords you may have. Fortunately, this security breach did not compromise customer information or their actual passwords. If you or your business does experience a breach, consider these steps to help minimize exposure.

Another scam that has been occurring at a rising rate is Business Email Compromise/Email Account Compromise (BEC/EAC). The scam happens when a bad actor compromises legitimate business or personal email to conduct unauthorized funds transfers. You can read more about what BEC/EAC is by reading our previous blog: Phishing Scam Business Email Compromise.

Some examples of what a BEC/EAC scam could look like are:

• Spear Phishing emails: These emails look like they’re from a trusted sender to trick you into revealing confidential information. The information the scammers access can be your company’s account information, calendars, logon credentials/passwords, and any data that gives the scammers the details they need to carry out their schemes.
• Spoof an email account or website: Spoof emails are fraudulent emails that closely mimic a legitimate email request. These fraud email requests are well-worded and specific to the business being victimized. Some examples include:
  • A request for an “Urgent Wire Transfer” or a “Delinquent Invoice”; Often, these requests instill a sense of urgency or action that needs to be taken immediately
  • A business, homebuyer, or Bank receives a message from what appears to be a customer/vendor with instructions to wire funds or send an ACH for an invoice, escrow closing, or some other monetary payment.
  • A company CEO asks his assistant to purchase multiple gift cards to send out as employee rewards. He asks for the serial numbers to email them out immediately.
• Use of malware: Malware can break into company networks and access legitimate email threads about billing and invoices. Once they have that information, it’s used to time requests or send messages, so accountants or your finance team don’t question payment requests. Malware also lets criminals gain undetected access to your data, including passwords and financial account information.

What can you do if you think you’re a BEC victim?

• Work with your IT Team to verify the extent of the hack.
• File the BEC incident with the Internet Crime Complaint Center (IC3) at www.IC3.gov – Be descriptive and identify your complaint as “Business Email Compromise.”
• Contact the local FBI Field Office to report the crime.