Sunday, April 26, 2026

"Business e-Mail Compromise"

"There is no such corrupting lie as a problem poorly named."  --source unknown

I cannot remember where I learned it; Google recognizes it, but merely speculates as to its origin.  However, I am sure that I have been using it for half a century.  

An applicable example is naming vulnerabilities after their method of attack, for example "SQL injection" rather than "unchecked input."  The name of the attack tells one nothing about the underlying vulnerability or how to mitigate it.

However, my all-time favorite, and the subject of this post, is "business e-mail compromise," a name which suggests that somehow or other e-mail is, or has been, attacked and breached.  Now, I admit, all my readers know what it refers to, but consider the poor novice, who might be led to worry about e-mail.  

Not to worry: the e-mail system is not broken, has not been breached, and is working exactly as intended.  Messages are being delivered to the intended recipient.  The messages have not been altered or disclosed.  The problem is not, as the name implies, with the system.  

The problem is that the message is false and intended to defraud.  It often appeals to urgency, but above all it exploits human nature and weak or non-existent internal controls.  The problem is not with the medium but with the content, not with the messenger but with the message.  No change or mitigation to the system is required.  

E-mail is incidental to the problem; it is just how modern business communicates.  I admit to being sensitive; in a much earlier era, I, the messenger boy, was how business communicated.  I can imagine "messenger boy compromise," but the image would not lead one to the problem or the solution.  

The typical BEC fraud posits some kind of emergency and urges the officer receiving it to send money to the author of the message, often in digital currency or to a bank account opened recently by the perp for the sole purpose of receiving the payment.  

The business should have controls in place that specify who must authorize payments and which officer(s) may make them.  It should have controls that specify whom it does business with and at what address (bank account) each partner will receive payment.  There should be a delay before payments can be made to new business partners.  It should consider controls that require dual authorization of payments: if not for all payments, then for all those in the top ten percent by amount, or that are exceptional in any way.

The officer who actually makes the payment should seek out-of-band confirmation for large payments and for those that are urgent or exceptional in any way.  Pick up the GD telephone!
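The business-side controls above (a vendor master that is the only source of a payee's bank account, a hold on new partners, dual authorization by designated officers for the top ten percent by amount or anything urgent or exceptional, and out-of-band confirmation before such payments are released) can be written down as a payment-release check.  The following is an added example in Python, not code from this post; the officer roles, the fourteen-day hold, the ten-percent cutoff, and the sample vendors, accounts and amounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and roles are assumptions for this example, not figures from the post.
NEW_PARTNER_HOLD_DAYS = 14      # cooling-off period before a new payee can be paid
EXCEPTIONAL_FRACTION = 0.10     # top 10 % of payments by amount need dual authorization
AUTHORIZED_APPROVERS = {"cfo", "controller", "ap_manager"}   # assumed officer roles


@dataclass(frozen=True)
class Vendor:
    """A payee in the vendor master: the only place a payment address may come from."""
    name: str
    account: str      # bank account on file, set up through onboarding, never taken from a message
    onboarded: date


@dataclass(frozen=True)
class Payment:
    """A payment request as it reaches the officer who would release it."""
    payee: str
    account: str                          # account the request asks to pay
    amount: float
    requested_by: str
    urgent: bool = False
    approvers: tuple = ()                 # roles that have signed off on this payment
    confirmed_out_of_band: bool = False   # e.g. a phone call to a number already on file


def is_exceptional(amount, history):
    """True if amount would rank in the top EXCEPTIONAL_FRACTION of recent payments."""
    if not history:
        return True                       # no baseline yet: treat everything as exceptional
    ranked = sorted(history, reverse=True)
    top_k = max(1, int(len(ranked) * EXCEPTIONAL_FRACTION))
    return amount >= ranked[top_k - 1]


def check_payment(p, vendors, history, today):
    """Return the list of control violations; an empty list means the payment may be released."""
    findings = []
    vendor = vendors.get(p.payee)
    if vendor is None:
        findings.append("payee not in vendor master")
    else:
        # The account in the request must match the one set up at onboarding,
        # so a "we have changed our bank details" e-mail cannot redirect funds.
        if vendor.account != p.account:
            findings.append("bank account differs from vendor master")
        if today - vendor.onboarded < timedelta(days=NEW_PARTNER_HOLD_DAYS):
            findings.append("payee onboarded within hold period")
    if p.requested_by in p.approvers:
        findings.append("requester cannot approve own payment")
    # Only designated officers count, and never the person who raised the request.
    valid_approvers = (set(p.approvers) & AUTHORIZED_APPROVERS) - {p.requested_by}
    exceptional = p.urgent or is_exceptional(p.amount, history)
    if exceptional and len(valid_approvers) < 2:
        findings.append("dual authorization required")
    if exceptional and not p.confirmed_out_of_band:
        findings.append("out-of-band confirmation required")
    return findings


# Constructed sample data (not real vendors, accounts or amounts).
TODAY = date(2026, 4, 26)
VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", "ACCT-100-ACME", date(2023, 5, 2)),
    "Northwind Holdings": Vendor("Northwind Holdings", "ACCT-200-NORTH", TODAY - timedelta(days=3)),
}
HISTORY = [1200, 850, 3000, 450, 2200, 980, 1500, 600, 4100, 2750,
           700, 1900, 530, 2600, 1100, 900, 3600, 1300, 800, 2050]

# A routine invoice: known payee, account on file, ordinary amount, one officer approved.
ROUTINE = Payment("Acme Supplies", "ACCT-100-ACME", 1250, "ap_clerk", approvers=("ap_manager",))

# The BEC pattern: "urgent, our bank details have changed", pushed through by the person who received it.
CHANGED_ACCOUNT = Payment("Acme Supplies", "ACCT-999-NEW", 48000, "ap_clerk",
                          urgent=True, approvers=("ap_clerk",))

# A new partner paid before the hold period has elapsed, with only one officer approving.
NEW_PARTNER = Payment("Northwind Holdings", "ACCT-200-NORTH", 9000, "ap_clerk",
                      approvers=("cfo",))

if __name__ == "__main__":
    for label, p in [("routine", ROUTINE), ("changed account", CHANGED_ACCOUNT), ("new partner", NEW_PARTNER)]:
        findings = check_payment(p, VENDORS, HISTORY, TODAY)
        print(f"{label}: {'RELEASE' if not findings else 'HOLD'} {findings}")
```

Note that nothing in the check looks at the e-mail: the fraudulent message fails on the account mismatch, on the missing second officer, and on the absent phone call, and would fail the same way if it had arrived by telephone or fax.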

The bank should consider out-of-band confirmation, or involve an officer, for unusually large transactions.  It should also restrict withdrawals, cash or electronic, from newly opened accounts; exceptions might be made for well-known and established customers.  

There is one other way of getting payment that works for small amounts from individuals or small businesses: the gift card.  The instruction is to go out and buy gift cards and give their numbers to the perp.  

Once one gets past the name to the real problem, one can think of myriad controls that will limit the risk.  If one focuses on fraud rather than e-mail, one will resist fraudulent messages by whatever means they are delivered, for example telephone messages crafted using AI in the voice of an authority figure.  
