Avoiding Business Email Compromise Schemes
A legal expert shares lessons with credit unions for conducting business securely.
Credit unions are very familiar with information security. Since 2001, the federal Gramm-Leach-Bliley Act has required credit unions to establish and maintain various safeguards to protect “nonpublic personal information” (NPI) of their members. Credit unions must establish administrative, technical and physical safeguards for NPI in order to: 1) Insure the security and confidentiality of NPI, 2) Protect against anticipated threats or hazards to the security or integrity of NPI, and 3) Protect against unauthorized access to or use of NPI that would result in substantial harm or inconvenience to a member.
And while requirements of the GLBA have not changed, the way consumers and credit unions communicate and transact business is quite different than in 2001. Most (if not all) business transactions are now conducted using digital technology and electronic communications, and as a result are subject to a host of cyber-threats. And these transactions utilize not just the networks and communications of credit unions, but also those of their members and vendors.
The networks, devices (laptops, tablets, handhelds and scores of internet-connected appliances), and ubiquitous connectivity (5G, Wi-Fi) that offer so many possibilities and so much convenience for consumers also create more security vulnerabilities and potential threats for credit unions to manage. Credit unions connecting with the networks and devices of their members and third-party vendors to do business must ensure that NPI continues to be protected, and cannot assume that new forms of communication are secure.
The prevalence and cost of business email compromise (BEC) schemes demonstrate just how connected credit unions and their members have become, and further that electronic communication is not secure by default. The strategies and controls helpful in preventing BEC scams serve as a reminder that credit unions must always be improving their information security programs as new threats emerge – and encourage their members and vendors to do the same.
What Is the BEC Threat?
A BEC is a scam targeting businesses and individuals performing wire transfer payments. The email account compromise (EAC) part of BEC targets individuals who perform wire transfer payments. In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 20,373 BEC/EAC complaints with adjusted losses of over $1.2 billion. In 2018, BEC was the crime with the highest reported loss, according to the IC3.
The BEC scam is often carried out when a subject compromises legitimate business email accounts (often those of credit union members, or vendors with whom members and credit unions do business) through malware (computer intrusion techniques), spoofing email addresses or social engineering. The result is an unauthorized transfer of funds.
These schemes constantly evolve, and have involved the hacking or spoofing of email accounts of CEOs and CFOs, the compromise of personal emails and vendor emails, spoofed law firm email accounts (a favorite in real estate transactions), and requests for W-2 information. In each such evolution, the scammers seek to use authority (an email that looks legitimate) and urgency (“we need this immediately”) to effectuate fraudulent transfers.
Addressing the BEC Threat
Note that the BEC scam does not target the credit union’s network, but instead the vulnerabilities of other companies (networks susceptible to malware, lack of established processes for wire transfers) and individuals (willingness to click on attachments and links from unknown senders, inability to detect spoofed emails or other indicia of these scams).
However, there are a number of steps a credit union can take to address the threats presented by a BEC scam:
1. Implement encrypted/secure email communications with members. As described above, traditional email communications can be compromised in a variety of ways: Email addresses can be spoofed; communications can be monitored; wiring instructions can be viewed and altered. Consider encrypting email transmissions with members (via secure portal or otherwise) when wire or other fund transfers are involved, or in any instance where NPI or other sensitive information is shared via email.
2. Adopt written funds transfer security procedures. Make clear with members how funds transfers will take place. In particular, specify a procedure to verify a change in payment type or location, and require that verification be “out-of-band” – by phone call or in-person confirmation that does not take place via email. Consider a “call-back” verification procedure, an agreed-upon code phrase, or a specific “dual control” system where another person must confirm a transaction change. Do not share security procedures electronically, except via encrypted communications as described above.
3. Train appropriate credit union personnel and educate members. Conduct training for anyone who handles or oversees electronic funds transfers, and make those resources available to members. Encourage members to conduct daily payment activity reviews, patch and update their computer systems, and install and update anti-malware protection.
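As an added illustration of steps 2 and 3 (this is example code, not part of the article or the author's practice), the screening function below looks for the indicia the article lists in an incoming payment-instruction email (a sender domain that only resembles a known one, a reply-to or display name pointing elsewhere, urgency language, a request to change bank details), and the gate function enforces the out-of-band call-back plus dual-control rule before any change takes effect. The known domains, names and sample message are constructed placeholders.

```python
import re
from difflib import SequenceMatcher

# Constructed placeholders: domains of members/vendors the credit union already knows.
KNOWN_DOMAINS = {"acme-supply.example", "memberlaw.example"}
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|right away|asap|today)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated?|changed?)\b.*\b(account|routing|wire|bank)\b", re.I | re.S)

def spoof_indicia(display_name, from_addr, reply_to, body):
    """Return the BEC red flags found in a funds-transfer email (defensive screening only)."""
    flags = []
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_DOMAINS:
        # A domain that is nearly, but not exactly, one we know is the classic spoof.
        near = max(KNOWN_DOMAINS, key=lambda k: SequenceMatcher(None, domain, k).ratio())
        if SequenceMatcher(None, domain, near).ratio() >= 0.85:
            flags.append(f"lookalike domain {domain} resembles {near}")
        else:
            flags.append(f"unknown sender domain {domain}")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        flags.append("reply-to domain differs from sender domain")
    m = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if m and m.group(1).lower() != domain:
        flags.append("display name shows a different address than the sender")
    if URGENCY.search(body):
        flags.append("urgency language")
    if BANK_CHANGE.search(body):
        flags.append("requests change to payment instructions")
    return flags

def instruction_change_allowed(callback_verified, initiator, second_approver):
    """Step 2 as a gate: out-of-band call-back AND dual control by a different person."""
    return bool(callback_verified) and bool(second_approver) and second_approver != initiator

if __name__ == "__main__":
    # Constructed sample message: the sender domain has a '1' where the real vendor has an 'l'.
    flags = spoof_indicia("Acme Supply AP", "ap@acme-supp1y.example", "",
                          "Please wire Friday's payment to our new account immediately.")
    for f in flags:
        print("RED FLAG:", f)
    print("change allowed:", instruction_change_allowed(True, "alice", "alice"))
```

The flags are meant to route a message to the call-back procedure, not to replace it; a clean screen still requires the written verification steps before instructions change.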
General NPI Protection Concepts for CUs, Members
Beyond specific procedures to address new and evolving threats, several broad principles can help credit unions improve their security posture and protect NPI:
1. Implement access controls. One potential threat to the security of NPI arises not from outside hackers, but from inside the organization. Access controls enforce the principle of least privilege – meaning an employee only has access to the information necessary to perform their job. Giving all employees access to NPI outside of their normal job function creates the conditions for a cybersecurity event.
2. Evaluate relationships with vendors who may hold NPI. Exercise due diligence in selecting any third-party service provider that will have access to NPI, and require any such third-party service provider to implement appropriate measures to secure information systems and nonpublic information. A written agreement between the credit union and any third-party service provider is necessary to set out appropriate obligations and remedies.
3. Protect NPI when stored and shared. As set out above, consider encrypting NPI when communicating over an external network. Does NPI travel outside the credit union while stored on a laptop computer or other portable computing or storage device or media? If so, then consider encryption or another protection mechanism for that NPI. Likewise, if employees work remotely and have access to NPI, secure those remote connections into the credit union network.
Security Is an Ongoing Process
The pace of change in computer technology and communications can be bewildering at times. However, identifying and understanding the risks involved in protecting NPI, and the tools available to credit unions to address those risks, help make this ongoing process more manageable.
Jack Pringle is a Partner at Adams and Reese. He can be reached at 803-343-1270 or jack.pringle@arlaw.com.