
BY JOHN FLANDERS


The ABCs of BEC — Business Email Compromise




In years past, hackers had to infiltrate computer networks to steal funds or sensitive information. By updating their methods, online criminals are increasingly able to achieve their unscrupulous ends through simpler avenues. Unfortunately, these crimes are not something that happens to someone else. For example, Arizona school districts have reported a number of such attacks to their property and liability coverage provider, the Arizona School Risk Retention Trust, Inc. (the Trust). Many of these reports have involved financial losses.

The general name for these attacks is “Business Email Compromise” (BEC). A BEC scam is an attempt to persuade someone within an organization to: (1) conduct an authorized transfer of funds; or (2) provide information that will allow for such a transfer. Earlier this year, the Federal Bureau of Investigation announced that these crimes have cost businesses $12.5 billion worldwide.

When targeting schools and other organizations with a BEC scam, the hacker uses a technique known as “social engineering.” This involves drafting an email to one or more employees that appears to come from someone within the organization. That person — really, the cyber criminal posing as that person — asks the employee to verify log-in credentials or take a brief survey that requires the sharing of sensitive information. These requests often contain a web link to a fake website built to look like the school’s portal.

This scam works all too often because the return email addresses used are similar to the organization’s site address (e.g., “@schooldistrict.org” vs. “@schooldistrict.com”; or “@arizonaschooldistrict.edu” vs. “@azsd.com”). Sometimes the hacker simply creates an email address using a popular email service provider (e.g., “HRdirector@gmail.com” or “Superintendent@aol.com”).

Using this basic approach, hackers have a variety of techniques available to them. A hacker might, for example, request the credentials for a payroll account. With those credentials in hand, he or she changes the direct deposit information so that the money is directed to another financial institution or to prepaid cards. The crook may then withdraw the money from ATMs or use the cards to make purchases.

A related scam involves sending an email request to update banking information for direct deposits. Again, the email appears to come from a district official; in one case known to the Trust, it was designed to look as if it was from the district superintendent.

Another type of BEC involves a wire-transfer scam that attempts to trick someone into issuing an electronic payment for services (e.g., construction, janitorial services) or purchases (e.g., vehicles, playground equipment). Alternatively, an employee may receive an email from a “vendor” — really, a hacker pretending to be a vendor — containing an invoice attachment. Opening the attachment starts the infection process, resulting in malware being downloaded. The malware can infect the entire network, making it inaccessible. When this occurs, instructions are often given on how to make payments to the hacker to decrypt the computer or network. Some malware, too, has the ability to obtain credit card or banking information.

Finally, the most common method of stealing sensitive information from school districts is through an email request for W-2 forms around the time they are prepared. In most cases, a Human Resources Department employee receives an email from someone posing as the superintendent. The “superintendent” requests a copy of W-2s for all employees. If the employee acquiesces to the request without first confirming its legitimacy, personally identifiable information is released. This triggers notification requirements and other expensive protections for victims, such as legal services and credit monitoring.

School districts should be on high alert for BECs and other email scams. This means raising awareness of such scams with employees and training them to look for indicators of fakery when asked to send money or sensitive information. Employees should be instructed to look closely at the email address (not just the name) of the sender, and to check for grammar mistakes in an email. Employees should also be informed not to click on web links, especially ones that request that they verify their log-in and password information. Finally, employees should keep this telltale sign in mind: More often than not, a criminal request will stress the urgency of sending money or information quickly (e.g., by noon, by close of business, “before you go home”). A bogus request may also include instructions not to call the person asking for information.

If a fraudulent transfer has already been made and discovered, the district’s financial institution should be called immediately, and a request should be made for a recall of the funds. Time is of the essence. In some cases, some or all of the funds may not have been withdrawn yet. Similarly, in the event of an actual or suspected scam, the district’s technology department should be made aware so that it can block further attempts.

If you have questions regarding the contents of this article, or you would like to know how the Trust can assist your district in addressing the threat of cyber crimes, please contact your Trust member services coordinator at (800) 266-4911.
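The indicators the article asks employees to look for (a sender domain that imitates the district's real one, an official-sounding name on a free webmail account, an urgent request for W-2s or banking changes, and instructions not to call) can also be screened for automatically before a message reaches an inbox. The following is an added example, not code from the article or the Trust; the district domain `schooldistrict.org`, the title and phrase lists, and the three sample messages are constructed for the demonstration. It goes one step beyond the article by also flagging a `Reply-To` header that points to a different domain than the sender, a common way replies are routed to the criminal's mailbox.

```python
"""Screen inbound mail for the BEC indicators the article describes.

Added example; not the Trust's or the author's code. TRUSTED_DOMAIN, the
title list and the phrase lists are assumptions chosen for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "schooldistrict.org"  # assumed genuine district domain
FREE_MAIL_PROVIDERS = {"gmail.com", "aol.com", "yahoo.com", "hotmail.com", "outlook.com"}
OFFICIAL_TITLES = ("superintendent", "hrdirector", "principal", "businessmanager", "cfo")
URGENCY_PHRASES = ("by noon", "close of business", "before you go home",
                   "urgent", "immediately", "right away")
DISCOURAGE_CONTACT = ("do not call", "don't call", "cannot take calls", "just reply")
SENSITIVE_REQUESTS = ("w-2", "w2 form", "direct deposit", "wire transfer",
                      "log-in", "login", "password")


def _norm(s: str) -> str:
    """Lower-case and strip punctuation so 'HR Director' matches 'HRdirector'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as 'schoo1district.org'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True for a domain that imitates the trusted one without being it:
    same organisation label under another TLD (schooldistrict.org vs .com),
    or within two edits of the whole name."""
    domain, trusted = domain.lower(), trusted.lower()
    if not domain or domain == trusted:
        return False
    same_label = domain.split(".")[0] == trusted.split(".")[0]
    return same_label or _levenshtein(domain, trusted) <= 2


def assess_message(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 822 message, in a fixed order."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    findings: list[str] = []

    # 1. Look at the address, not just the display name (the article's first check).
    #    An exact match on the trusted domain passes here; forgery of the real
    #    domain is for SPF/DKIM/DMARC enforcement at the gateway, not this heuristic.
    if is_lookalike_domain(domain):
        findings.append("lookalike-domain")
    elif domain in FREE_MAIL_PROVIDERS and any(
            t in _norm(display_name) or t in _norm(local) for t in OFFICIAL_TITLES):
        findings.append("free-mail-official")

    # 2. Reply-To routed elsewhere than the sender (beyond the article's list).
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        findings.append("reply-to-mismatch")

    # 3. Content: what is asked for, and the pressure tactics the article names.
    text = ((msg.get("Subject") or "") + " " + (msg.get_payload() or "")).lower()
    if any(p in text for p in SENSITIVE_REQUESTS):
        findings.append("sensitive-request")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency")
    if any(p in text for p in DISCOURAGE_CONTACT):
        findings.append("discourages-verification")
    return findings


# Constructed sample messages (not real correspondence).
SAMPLE_W2_REQUEST = """\
From: "Dr. Pat Rivera, Superintendent" <superintendent@schooldistrict.com>
To: hr@schooldistrict.org
Subject: W-2 copies needed

Please send me the W-2 forms for all employees as a PDF before you go home today.
I am in meetings all afternoon so do not call, just reply to this email.
"""

SAMPLE_FREEMAIL = """\
From: "HR Director" <HRdirector@gmail.com>
Reply-To: payroll-updates@azsd.com
To: payroll@schooldistrict.org
Subject: Direct deposit change

Please update my direct deposit to the account in the attached form by noon.
"""

SAMPLE_LEGIT = """\
From: "Facilities" <facilities@schooldistrict.org>
To: staff@schooldistrict.org
Subject: Parking lot resurfacing

The north lot will be closed next Tuesday for resurfacing. Please use the east lot.
"""

if __name__ == "__main__":
    for name, raw in [("W-2 request", SAMPLE_W2_REQUEST),
                      ("free-mail", SAMPLE_FREEMAIL), ("legit", SAMPLE_LEGIT)]:
        print(f"{name:12s} -> {assess_message(raw) or ['no indicators']}")
```

String similarity catches the article's first pair (`schooldistrict.org` vs `schooldistrict.com`) but not an abbreviated variant like `azsd.com` standing in for `arizonaschooldistrict.edu`; that case needs a curated list of the district's own domains so that anything outside it is treated as external. Any message with a finding should be tagged for the recipient rather than silently dropped, since the article's advice to confirm the request by phone still applies to mail that passes every automated check.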



            WINTER 2019  |  THE EDGE                                                                                 25