Business Email Compromise: The Art of Deception
Written by Alicia Buttchen, Treasury Management Officer
As the number of connected devices continues to rise — 8.4 billion in 2017, up 31% from 2016 — so does the sophistication of cybersecurity threats. Using the age-old art of deception, criminals use a variety of methods to compromise business email accounts, from phishing emails and social engineering to email spoofing and malware. The threat of business email compromise spans across all industries, from retail, to healthcare, to manufacturing, to financial institutions, to not-for-profits, no matter the size or geographic location.
The annual Association for Financial Professionals (AFP) Payments Fraud and Control Survey reported that in 2016, 74 percent of companies were targets of payments fraud, an increase from the year prior. The AFP also reported that 74 percent of companies stated that they were victims of business email compromise (BEC), an increase of 10 percent from the year prior, resulting in an increase in payments fraud, with wire transfer payments impacted the most. The FBI reported that losses connected to BEC have skyrocketed more than 2,000% since 2015, with more than 400 companies targeted on a daily basis. In 2017, 38% of victimized companies were small or medium-sized businesses spanning all industries. More than 200 employers fell victim to rapidly increasing BEC W-2 scams, compromising their employees’ personal information.
In today’s digital age, business email compromise is increasingly common in payments fraud. Wire transfers continue to be the primary focus, though checks and ACH are targeted to a significant extent as well. Wire transfers remain an attractive target for fraudulent activity because of the speed and finality of payment, as well as the lack of internal controls and employee education. Fraudsters know that wired money is nearly impossible to recover because the funds settle and become available immediately. Business email compromise and wire transfer fraud are an epidemic that is reaching historic levels throughout the world.
How BEC works. Before initiating a scam, fraudsters often monitor and study their intended victims, learning their behaviors, the key players involved, and the protocols necessary to initiate wire transfers. In some cases, BEC victims report that they experienced various cyber intrusions immediately before a BEC incident, often initiated through a phishing email containing a malicious link. Fraudsters pose as a person you trust: an executive of your company, a reputable vendor, an attorney, or a government agency. They send a fake, urgent request instructing you to wire funds immediately using payment instructions they provide. Employees who fear upsetting management, don’t have access to management, or believe they are receiving the request from management are less likely to question suspicious activity and more likely to complete the request. Unfortunately, victims don’t realize they were duped until it is too late.
See three real examples of wire transfer fraud in “Business Email Compromise Fraud: 3 Real Case Studies.”
Now more than ever, companies need a plan of action to mitigate the risk of fraud. Education and training programs are key. The Association of Fraud Examiners (ACFE) and the Federal Communications Commission (FCC) offer training resources, including videos, tutorials, and fraud prevention checklists, to educate the public on cybersecurity. Resources such as www.onguardonline.gov are available on First Business’s website as well (www.firstbusiness.com).
It is unfortunate that fraud is becoming a common occurrence not only locally but globally. It is not a matter of if anymore, but a matter of when. Review your fraud health to determine where you have gaps and what you can do to improve your controls. Fraud doesn’t need to happen to your company. You must be proactive about cybersecurity and talk to your trusted treasury management professional about the steps you should take to protect your company. Start here with our fraud protection checklist.
To learn more about Business Email Compromise and how to protect your company, visit our business email compromise articles: