Are you protected from Business Email Compromise fraud?
Updated: Sep 9, 2020
In the very early days of my new venture, when I pitched our new technology to some of my closest industry colleagues, every one of them asked me the same question: “Can you think of a way to use this technology to solve Business Email Compromise (BEC) fraud?”. I love challenges...I’ll answer that later in this post.
Were you ever a “victim” of a prank in which someone sent an email from your computer to your colleagues as if it was you who sent it? Often, this is just a prank, no harm done. But in circumstances where a malicious actor gets physical or digital access to your email account or to the accounts of those you communicate with, this could lead to serious business issues with devastating financial or otherwise negative impact.
If you are not too familiar with BEC (aka wire fraud, payments fraud, invoice fraud, email account compromise) the FBI website is probably a good place to start.
As with any digital systems, the practical challenge that BEC presents is once again, the challenge of trust: can you trust the emails you get from your colleagues, vendors and customers? But unlike digital systems, such as banking, the tools businesses have at their disposal to authenticate emails are limited.
The current approach relies on employee training, manual verification (aka callback) and email scanning tools that attempt to detect fake / malicious emails. Add insurance coverage and finger crossing and you are well protected.
Well, not really.
The reality is that none of these tools and processes addresses the root cause of the scam - the ability of a scammer to send the fake email in the first place. Instead the focus is on detecting malicious emails after they were sent. Furthermore, there’s too much reliance on people to identify malicious intent and follow manual procedures which is inherently wrong since these individuals are the actual targets. It’s just a matter of time before a business would become a victim of this scam.
Banks are also somewhat helpless in stopping the scam, for two reasons. The first is that they are blind to the initial step of the scam - the malicious communication that led their customers to initiate the fraudulent payment - so they can’t do much to prevent it.
The second reason is that even if they suspect a payment to be fraudulent, they have to deal with customers who are convinced the payment is legitimate and expect fast, and even real-time, processing.
So… we need a different approach. One that is more proactive and preventative vs. reactive and focused on detection. An approach that provides the ability to validate the authenticity of messages. To know who is the person, not the email address, behind every message you receive.
And this is exactly what we, at Obsecure, decided to do. We developed AuthenticMessage™, a messaging platform that guarantees the authenticity of every message you send and receive. No more impersonation or fake communication, only authentic messages.