Independent school business officers are tasked with a wide range of responsibilities, including payroll, accounting, accounts payable, investments, and facility security. Unfortunately, many independent schools are unprepared to protect these departments from one of the less-heralded cyber threats. Business email compromise (BEC) may not grab the headlines like ransomware, but it can be just as disruptive and damaging to a school's finances. It is imperative that independent schools be aware of this threat and understand how to mitigate the risk it poses.
What Is BEC?
BEC is a scam in which a fraudster convinces an individual, group, or business to unwittingly transfer money into an account the fraudster controls rather than to the account of a legitimate business partner. Even if you have never heard of it, BEC routinely tops the Federal Bureau of Investigation's (FBI) yearly Internet Crime Report as the costliest type of crime. In fact, the FBI has estimated that BEC scams totaled over $43 billion globally between 2016 and 2021. These attacks are not limited to major businesses; they also target educational institutions, including independent schools. For example, in 2020, a Texas school district was victimized by a BEC scam that resulted in $2.3 million in losses. In 2022, the Department of Justice extradited a UK national for a $500,000 BEC scam committed against Virginia Commonwealth University (VCU).
How It Works
BEC scams have become increasingly sophisticated, and they may use several tools and tactics that prey on weaknesses in communications technologies and human psychology to accomplish their goals. While there are numerous variations of BEC scams involving different communications methods, here is how the more common email approach often works.
BEC scams typically start with a fraudulent email, which is either faked or sent from an account that has been taken over. The former usually comes from a spoofed email account, meaning an account made to look similar to the real one. The latter requires criminals to gain access to a legitimate school email account belonging to someone in the business office, such as the chief financial officer. Alternatively, they may target a similar email account at a third-party partner of their intended victim organization. While they may gain access to this account by infiltrating the school's network, it is far more common for email account credentials to be phished through targeted social engineering.
Whether they have taken over the targeted email account or are using a spoofed one, criminals then send legitimate-looking messages to relevant individuals within the compromised school or at the third-party partner. These messages may request that an invoice or upcoming payment be sent to a new account, that sensitive business information be relayed in an insecure manner, or any of a number of similar demands. To avoid notice, criminals may use the compromised account only to gather information for the scam and then send the fraudulent requests from a spoofed account instead.
While often less technologically sophisticated than other cybercrimes, BEC scams are effective because they abuse the victims' trust in established communication systems and business processes, use information gathered through the compromised account to add credibility, and inject urgency into ongoing interactions. Furthermore, funds stolen through BEC scams tend to be wired away or withdrawn quickly to prevent recovery by the victim, and because the compromised account may not even be within your organization, cybersecurity software and tools by themselves can be of limited effectiveness.
How to Avoid It
As tricky as BEC scams can be, adequate implementation of the following prevention best practices will lower the risk of becoming a victim.
- As potential BEC targets, independent schools should ensure that they follow cybersecurity best practices to protect their own networks. For example, independent schools are strongly encouraged to enable phishing-resistant multi-factor authentication, establish phishing training, and promote security awareness. Useful resources on these issues are provided by the FBI, CISA, and the FTC.
- Ensure that processes are in place to independently verify requested changes to billing/invoice accounts. When possible, verify the legitimacy of requests in person or by calling a verified contact number.
- Scrutinize unexpected or odd communications, for example those that stress acting quickly, that come from a home/personal phone number or email address rather than the expected business address, or that ask you to circumvent established processes. Additionally, don't click on anything in an unsolicited email or text message asking you to update or verify account information.
- Verify that wired/transmitted funds were received by the intended recipient.
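To make the red flags above concrete, here is an added Python triage routine (not from the original alert) that checks one inbound message for a lookalike sender domain, a Reply-To that differs from the From address, a personal webmail address, urgency language, and a request to change payment details. The trusted-domain list and both sample messages are constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of domains the business office legitimately pays (assumption).
TRUSTED_DOMAINS = {"exampleschool.org", "vendor-partner.com"}
# Free webmail providers: a vendor "billing" contact on one of these is a red flag.
WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com", "icloud.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before (close|end) of (business|day))\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|routing|wire|remittance)\b", re.I)

def lookalike(domain):
    """Return the trusted domain this one closely imitates (typo or digit swap), or None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None

def score_message(raw):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))  # no Reply-To: replies go to From
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    checks = [
        ("lookalike_domain", lookalike(from_dom) is not None),
        ("reply_to_mismatch", reply_dom != from_dom),
        ("personal_webmail", from_dom in WEBMAIL or reply_dom in WEBMAIL),
        ("urgency", URGENCY.search(text) is not None),
        ("payment_change", PAYMENT_CHANGE.search(text) is not None),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Accounts Receivable <ar@vendor-partnr.com>
Reply-To: ar.billing@gmail.com
Subject: URGENT - updated remittance details for invoice 4471

Our bank account has changed. Please wire today's payment to the new account below before close of business.
"""
BENIGN = """\
From: Accounts Receivable <ar@vendor-partner.com>
Subject: Invoice 4471 attached

Attached is the invoice for October services. Terms are net 30 as usual.
"""
```

`score_message(SUSPICIOUS)` returns all five indicators, while `score_message(BENIGN)` returns an empty list; a hit on any indicator is a cue to verify the request out of band, not proof of fraud.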
What to Do If You Have Been Victimized
Time is of the essence in BEC scam situations, and it would be wise to have a response plan in place that outlines the immediate actions you should take if you have been victimized. First, contact your bank or wire transfer organization. Quickly explaining the situation to these entities may allow them to halt a transfer or freeze funds. Second, contact your legal team to explain what has happened, as they will be better positioned to know the available legal options. Last, unless your lawyer counsels otherwise, you should contact the FBI and file a complaint with the FBI's Internet Crime Complaint Center (IC3). Doing so may lead to the appropriate federal, state, local, or international law enforcement or regulatory agencies becoming involved.
Banks and wire transfer organizations can sometimes recoup funds or halt unintended transfers that are caught early enough, but unfortunately such outcomes are rare. Preventive measures and constant vigilance are the best ways to avoid becoming a BEC victim.
Venable's lawyers and cybersecurity experts are available to provide a host of legal and cybersecurity services. We are on hand to consult on general cybersecurity issues, help build out cybersecurity processes and policies based on industry best practices and international standards, and advise during incident response and recovery.