Cybersecurity and Fraud Protection
What to Know About Detecting Compromised Emails
Criminals continue to refine their methods and targets for cyberfraud attacks like business email compromise, but there are steps you can take to help protect your organization.
As criminals expand targets for cyberfraud attacks by posing as executives of companies or vendors, JPMorgan Chase & Co. developed a process to help clients protect themselves from business email compromise (BEC) attacks.
These cyber attacks increasingly include the use of domains and associated email addresses, often referred to as “lookalike domains,” that are very similar to those of victim companies. By leveraging technology solutions in unique ways, the firm’s cybersecurity team created a proprietary process—currently pending before the US Patent Office—that can potentially detect the use of client lookalike domains. For example, criminals might use “wibgetcompany.com” to target the legitimate domain widgetcompany.com.
Clients are notified of domains that closely resemble their corporate domains and receive information about tools that can help them protect their employees and accounts from BEC attacks.
“We saw an opportunity to enhance our cybersecurity program by analyzing client data in a different way,” said Matt Zames, the firm’s Chief Operating Officer. “This process reflects our commitment to battling cybercrime and our focus on technology to help our clients.”
The Rise of Email Scams
The 2017 Association for Financial Professionals Payments Fraud and Controls Survey reports that 74 percent of finance professionals surveyed said their organizations were targets of BEC in 2016, an increase from 64 percent in 2015. Large organizations with more than 100 payment accounts continue to be more likely than other organizations to report potential financial loss in the highest dollar range.
“Business email compromise really focuses more on human nature than technology, although there is a technology component to it,” said Anish Bhimani, Commercial Banking’s Chief Information Officer. “Criminals are counting on the fact that people may not be paying close attention to an email, and may be reluctant to call a manager or senior executive to validate those instructions.”
Lookalike Domain Process
The lookalike domain process is just one part of the firm’s substantial investment in cybersecurity, which includes a “Follow the Sun” model with three Cybersecurity Operations Centers in New York, London and Singapore, as well as a dedicated team of more than 1,000 employees.
The firm’s lookalike domain process uses specialized logic to continuously analyze new domains to find those that resemble clients’ registered domains, and it is able to sort visually similar domains. These sorted domains are provided to Commercial Banking and Corporate & Investment Bank Operations and Service teams so clients can be alerted and apply best practices when executing payments.
“Fundamentally, it’s a three-step process,” said Rohan Amin, the firm’s Global Chief Information Security Officer. “Criminals register a malicious lookalike domain. We apply the analysis process and, if possible, detect a lookalike registration. Then we take steps to mitigate risks internally and notify clients as appropriate.”
Lookalike domains are built with a range of techniques, such as substituting one character for another, and an employee of the targeted client often believes the email came from within the organization.
“A one-letter difference in the address can be all a criminal needs to convince an unsuspecting client to transfer funds to the criminal’s account,” said Josh Pope, Corporate & Investment Bank Operations Executive. “If we can spot those subtle changes early, we can help our clients and protect the firm.”
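To make the character-substitution and one-letter-difference cases concrete, here is an added illustration of the kind of check a defender can run; it is not the firm's patented process, whose logic the article does not disclose. The protected domains, the confusable-character table and the feed of new registrations are all constructed for the example.

```python
"""Screen newly registered domains against a list of protected client domains.
Constructed illustration: protected list, confusables table and feed are made up."""

# Hypothetical protected domains (the "clients' registered domains" of the article).
PROTECTED = ["widgetcompany.com", "acme-bank.com"]

# Character sequences a reader easily mistakes for one another (illustrative subset).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l")]


def registrable(domain):
    """Drop the last label, so 'widgetcompany.com' -> 'widgetcompany'.
    Assumes single-label TLDs; a real tool would use the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label):
    """Fold confusable sequences so visually similar labels compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance: substitutions, insertions and deletions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, protected=PROTECTED, max_distance=2):
    """Return (protected domain, reason) when `candidate` resembles it, else None."""
    if candidate.lower() in {p.lower() for p in protected}:
        return None  # the client's own domain, not a lookalike
    raw, folded = registrable(candidate), normalize(registrable(candidate))
    for p in protected:
        p_raw = registrable(p)
        if raw == p_raw:
            return (p, "tld-swap")       # same name under a different suffix
        if folded == normalize(p_raw):
            return (p, "homoglyph")      # e.g. 'w1dgetcompany' vs 'widgetcompany'
        distance = levenshtein(folded, normalize(p_raw))
        if distance <= max_distance:
            return (p, f"edit-distance-{distance}")  # 'wibgetcompany', 'wigdetcompany'
    return None


def scan(feed, protected=PROTECTED):
    """Constructed feed of new registrations -> only the entries worth alerting on."""
    return {d: hit for d in feed if (hit := classify(d, protected))}
```

Short protected names need a tighter distance threshold than 2, or near-random collisions will generate alerts; in practice the threshold is tuned per domain length.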
Clients appreciate being notified about the possibility they may be targeted, Pope said. “Recently, our team alerted a Commercial Banking client about a lookalike domain. The client later received a fake email with a payment request, and they did not fall for the scheme.”
The Role of Social Media and Company Websites
Criminals have expanded BEC attacks by searching social media platforms to identify specific payment controllers through a user’s job title or profile. Other methods include researching a firm’s website to learn the members of the management team, or impersonating the company’s CEO by mimicking their written and verbal communication style. By impersonating a client vendor with an email tied to a lookalike domain registration, cyber criminals can request changes to routing or account details in an attempt to steal funds.
Practices to Help Avoid BEC
Cyber experts advise companies to adopt practices that help defeat BEC-related emails: verify payment instructions in person or by using a known telephone number, both internally and with vendors, and escalate right away if an attack does occur. Clients that notify the firm within “the golden hour” after an attack have a better chance of recovering stolen funds before the transactions move between countries and people.
“Payments often are settled in a few minutes and cyberfraud can take place just as quickly. If fraud is detected days later, it can be extremely difficult to recover stolen funds,” said Lester Owens, Corporate & Investment Bank Global Head of Wholesale Banking Operations. “We tell our clients that it’s very important to validate and authenticate who you’re communicating with when processing payments, and to waste no time reporting to your bank when you discover fraud or theft.”