Protect Yourself Against Business Email Compromise (BEC) Scams

What is Business Email Compromise?

Business Email Compromise (BEC) is a common type of scam in which attackers use email to trick their victims into performing a fraudulent financial transaction, such as purchasing digital gift cards, paying for goods or transferring funds. To make the email appear to come from a trusted source, attackers usually send it from a spoofed email address that looks genuine (e.g. xxxhead@nus-edu.sg), impersonating a sender who is usually a person of authority within the organisation.

Unlike phishing emails, there are no links to click nor attachments to open in a BEC email. Should the victim reply to the initial email, the attacker will create a pretext over subsequent emails to gain the victim’s trust and request help urgently. Ultimately, they will try to convince the victim to perform a fraudulent financial transaction.

Recently, we have received reports of our staff and students being targeted by BEC emails. In most of these reported cases, the scammers attempted to trick our users into purchasing gift cards on their behalf (iTunes gift cards especially). We would like to remind you to stay vigilant and to avoid falling prey by spotting the following tell-tale signs.

What should I look out for?

• The initial email is usually short and innocuous, e.g. “Hello” or “Are you available”.
• The email is seemingly sent from a person of authority, e.g. your department HOD.
• The email is sent from a spoofed email address with the same name as the known individual but from a non-NUS domain, e.g. xxxhead@gmail.com instead of xxxhead@nus.edu.sg.
• The email is sent from a domain that looks similar to nus.edu.sg but with subtle differences, e.g. xxxhead@nus-edu.sg.
• Unusual requests over email, with no prior background or email exchanges.

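As an added example (not part of this advisory), here is a small Python check that applies the sender-address signs above to a From: header: it flags a look-alike domain such as nus-edu.sg, and a known display name paired with a non-NUS address such as xxxhead@gmail.com. The KNOWN_SENDERS directory and the similarity threshold are constructed assumptions, not an NUS system.

```python
import re
from difflib import SequenceMatcher

# Constructed directory of known senders: display name -> legitimate address.
KNOWN_SENDERS = {"Head of Department": "xxxhead@nus.edu.sg"}
TRUSTED_DOMAIN = "nus.edu.sg"

# Matches 'Name <addr>', '"Name" <addr>' or a bare 'addr'.
FROM_RE = re.compile(r'^\s*(?:"?([^"<]*?)"?\s*)?<?([^<>\s]+@[^<>\s]+)>?\s*$')


def parse_from(header):
    """Split a From: header value into (display name, lowercased address)."""
    m = FROM_RE.match(header)
    if not m:
        return ("", "")
    return ((m.group(1) or "").strip(), m.group(2).strip().lower())


def looks_like(domain, trusted):
    """True if domain is not the trusted one but closely resembles it."""
    if domain == trusted:
        return False
    # Drop dots and hyphens first so 'nus-edu.sg' vs 'nus.edu.sg' is caught,
    # then fall back to a similarity ratio for single-character swaps.
    strip = lambda d: re.sub(r"[.\-]", "", d)
    if strip(domain) == strip(trusted):
        return True
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def bec_indicators(from_header):
    """Return the tell-tale signs found in a From: header (empty if none)."""
    name, addr = parse_from(from_header)
    if not addr:
        return ["unparseable From header"]
    domain = addr.rsplit("@", 1)[-1]
    if domain == TRUSTED_DOMAIN:
        return []
    findings = []
    if looks_like(domain, TRUSTED_DOMAIN):
        findings.append(f"look-alike domain {domain!r} resembles {TRUSTED_DOMAIN!r}")
    known = KNOWN_SENDERS.get(name)
    if known and known.lower() != addr:
        findings.append(f"display name {name!r} is known as {known!r} but sent from {addr!r}")
    return findings
```

A mail gateway rule or a user-side triage script would run bec_indicators over each inbound message and route anything with findings to the “Report Phishing” queue for review.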
What should I do?

  1. Do not respond to these emails. Instead, report them using the “Report Phishing” button. Alternatively, you may contact IT Care at 6516-2080 or itcare@nus.edu.sg.
  2. Do not be pressured into taking action, especially if the request is from someone of authority or has an element of urgency. These are common social engineering tactics used by attackers.
  3. Do not download or install any software if requested.
  4. Verify requests for financial transactions, especially unusual ones, using an alternative contact, preferably over the phone.

What if I divulged information or fell prey to a BEC scam?

If you performed a fraudulent financial transaction or accidentally divulged information of any kind, inform your manager immediately and:

You may also contact IT Care via 6516-2080 or itcare@nus.edu.sg.

Let’s all work together to keep NUS secure, bIT by bIT.