What is Business Email Compromise?

Business Email Compromise (BEC) is a common type of scam where attackers attempt to trick their victims into performing a fraudulent financial transaction via email, such as purchasing digital gift cards, payment for goods or funds transfer. To increase the credibility, attackers will either use lookalike email addresses (e.g. xxxhead@nus-edu.sg) or fake personal email addresses that impersonate the sender, who is usually a person of authority within the organisation.

Unlike phishing emails, there are neither links to click nor attachments to open in a BEC email. Should the victim reply to the initial email, the attacker will create a pretext over subsequent emails to gain the victim’s trust and request help urgently. Ultimately, they will try to convince the victim to perform a fraudulent financial transaction.

Recently, we have received reports of our students being targeted by BEC emails. In most of these reported cases, the scammers attempted to trick them into purchasing gift cards on their behalf (iTunes gift cards especially). We would like to remind you to stay vigilant and to avoid falling prey by paying attention and spotting the following tell-tale signs.

What should I look out for?

• • – The initial email is usually short and innocuous, e.g. “Hello” or “Are you available”.
  • – The email is seemingly sent from a person of authority, e.g. your professor or intern supervisor.
  • – The email is sent from a spoofed email address with the same name as the known individual but from a non-NUS domain, e.g. xxxhead@gmail.com instead of xxxhead@nus.edu.sg.
  • – The email is sent from a domain that looks similar to nus.edu.sg but with subtle differences, e.g. xxxhead@nus-edu.sg.
  • – Unusual requests over email, with no prior background or email exchanges.

What should I do?

1. Do not respond to these emails. Instead, report them using the “Report Phishing” button. Alternatively, you may contact IT Care at 6516-2080 or itcare@nus.edu.sg.
2. Do not be pressured into taking action, especially if the request is from someone of authority or has an element of urgency. These are common social engineering tactics used by attackers.
3. Do not download or install any software if requested.
4. Verify requests for financial transactions, especially unusual ones, using an alternative contact, preferably over the phone.

What if I divulged information or fell prey to a BEC scam?

If you performed a fraudulent financial transaction or accidentally divulged information of any kind, inform the Dean’s Office of your faculty immediately. Please also report the incident to the following departments:

1. Campus Emergency and Security
2. NUS IT
3. NUS Personal Data Protection Office (if personal data was exposed)

You may also contact IT Care via 6516-2080 or itcare@nus.edu.sg.

 

 

Let’s all work together to keep NUS secure, bIT by bIT.