Uncovering the Business Email Compromise

6/16/2020 10:30 AM

Higher ed has weathered its share of the more than 18,000 malicious phishing, ransomware, and fraudulent authorization attempts reported to the Federal Trade Commission during the COVID-19 outbreak. Our Summer Replay Series continues with an overview of online fraud and methods for fighting it. Prefer to listen? Here's the podcast link to "Uncovering the Business Email Compromise."


Tom Arnold, cofounder of Payment & Security Experts, explains the evolution of payment technology and the potential security risks of having an unprotected network. He dives into recent security trends specific to higher education institutions and discusses methods to avoid being a cyber fraud victim. He specifically highlights email phishing threats to universities and precautions campuses can take to avoid being hacked.

Evolving fraud requires evolving security

From the early days of the internet, Arnold and his team have been fighting internet fraud. As the internet has advanced, so has cyber fraud. From fake memorabilia auctions to identity theft, Arnold has seen it all. Security measures to combat these threats have also evolved. In recent years, the implementation of EMV chips on credit cards has greatly reduced identity theft.

On the flip side, EMV chips have increased fraud in electronic commerce and automated teller machines. Arnold recognizes that there will never be an end to fraud, but by taking the correct precautions, large organizations and institutions can lower their risk of becoming an online victim.

Higher education institutions and universities have become a very large target for cyber fraud in the electronic commerce realm in the last few years. Criminals typically reach out to third-party content providers that then inject content into consumers’ browsers to capture private information.

Another common trend in online fraud is compromising business email. Many times, email servers are overlooked and end up under-protected, which then creates opportunities for cybercriminals to fake emails from institutions or universities. This technique, known as email phishing, enables perpetrators to steal funds and personal information from consumers. The prevalence of email phishing is evidence that a simple username and password are no longer enough to keep email servers secure.

Fighting fraud with authentication and awareness

To prevent security breaches, Arnold makes several recommendations:

  1. Use multi-factor authentication to verify the identity of users logging into their online accounts. Sending a code to the user’s cell phone is one authentication method.
  2. When users log in on devices outside of the secure network, it is important that they are notified by email, text, or other notification.
  3. Institutions and universities should encourage their users to call in to validate suspicious emails before providing personal information online.
  4. Lastly, having a dual-control system in place at the department level to validate any changes to financial information is another fraud prevention method. Arnold suggests any transaction over $10,000 should be personally followed up and confirmed by the Accounts Payable Department. If fraud is detected, contact law enforcement immediately.

Regardless of the cybersecurity threats that exist, Arnold still feels confident using online payment methods. With a few simple precautions, consumers and organizations can avoid many of the associated risks.