Business Email Compromise: The Art of Deception
Written by Alicia Buttchen, Treasury Management Officer
As the number of connected devices continues to rise — 8.4 billion in 2017, up 31% from 2016 — so does the sophistication of cybersecurity threats. Using the age-old art of deception, criminals compromise business email accounts through phishing emails, social engineering, email spoofing and malware. The threat of business email compromise spans every industry, from retail to healthcare, manufacturing, financial institutions and not-for-profits, regardless of company size or geographic location.
The yearly Association for Financial Professionals (AFP) Payments Fraud and Control Survey reported that in 2016, 74 percent of companies were targets of payments fraud, an increase from the year prior. The AFP also reported that 74 percent of companies were victims of business email compromise (BEC), up 10 percentage points from the year prior, and that BEC drove an increase in payments fraud, with wire transfer payments impacted the most. The FBI reported that losses connected to BEC skyrocketed more than 2,000% since 2015, with more than 400 companies targeted on a daily basis. In 2017, 38% of victimized companies were small or medium-sized businesses spanning all industries. More than 200 employers fell victim to rapidly increasing BEC W-2 scams, compromising their employees’ personal information.
In today’s digital age, business email compromise is an increasingly common vehicle for payments fraud. Wire transfers remain the primary target, though checks and ACH are targeted to a significant extent as well. Wires are attractive to fraudsters because of the speed and finality of payment, compounded by weak internal controls and limited employee education at many companies. Fraudsters know that wired money is nearly impossible to recover, because the funds settle immediately and are available to the recipient at once. Business email compromise and wire transfer fraud are reaching historic levels throughout the world.
How BEC works. Before launching a scam, fraudsters often monitor and study their intended victims: their behaviors, the key players involved, and the protocols required to initiate a wire transfer. In some cases, BEC victims report that they experienced cyber intrusions immediately before the BEC incident, often initiated through a phishing email containing a malicious link. The fraudster then poses as someone you trust: an executive of your company, a reputable vendor, an attorney, or a government agency. They send a fake, urgent request instructing you to wire funds immediately to payment instructions they provide. Employees who fear upsetting management, don’t have direct access to management, or believe the request genuinely came from management are less likely to question the request and more likely to complete it. Unfortunately, victims usually don’t realize they were duped until it is too late.
There are countless examples of companies falling victim to wire transfer fraud. You can see three real examples outlined in our article “Business Email Compromise Fraud: 3 Real Case Studies.”
Now more than ever, companies need a plan of action to mitigate the risk of fraud. Education and training programs are key. The Association of Certified Fraud Examiners (ACFE) and the Federal Communications Commission (FCC) offer training resources, including videos, tutorials and fraud prevention checklists, to educate the public on cybersecurity. Links to resources such as www.onguardonline.gov are also available on First Business’s website (www.firstbusiness.com).
It is unfortunate that fraud is becoming a common occurrence not only locally but globally. It is not a matter of if anymore, but a matter of when. Review your fraud health to determine where you have gaps and what you can do to improve your controls. Fraud doesn’t need to happen to your company. You must be proactive about cybersecurity and talk to your trusted treasury management professional about the steps you should take to protect your company.
Protecting Your Business:
- Avoid free, web-based email accounts for business correspondence; use a company domain.
- Monitor content on corporate social media accounts, particularly job duties/descriptions, hierarchical information and out-of-office details, since fraudsters use them to pick targets and time their requests.
- Be suspicious of any request for secrecy or pressure to take action quickly.
- Flag any request from vendors, suppliers, or customers involving payments that suddenly change instructions, such as asking to route email through a personal email address or to send payments to a different bank account.
- Consider additional IT and financial security procedures, including two-step verification for payments.
- Use out-of-band communication: confirm payment requests through a channel other than the email that carried them, such as a phone call to a known number.
- Use digital signatures on email so recipients can verify the sender; note that this does not work with free web-based email accounts.
- Delete unsolicited email (spam) without opening attachments or clicking links.
- Forward instead of replying: when responding to a business email, use Forward and type or select the known correct address rather than Reply, which sends your response to whatever address the sender set, possibly a spoofed one.
- Enable two-factor authentication for corporate email accounts.
- Create email filtering or intrusion detection rules that flag messages from domains that are slight variations of your company domain (for example, a hyphen or a single character changed).
- Register the domains that are slight variations of your actual company domain, so fraudsters cannot.
- Verify changes to vendor payment instructions with a second, out-of-band approval, such as sign-off outside email by specially designated personnel.
- Confirm requests for funds transfers using a method other than email, such as a phone call to the phone number already in your system, never one supplied in the request.
- Know your customers’ routines, including the details, reasons and amounts of their usual payments.
- Scrutinize all emailed fund transfer requests.
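The lookalike-domain and reply-to checks above are easy to state but worth seeing as a concrete rule. The following Python script is an added example, not code from this article or from First Business: it flags messages whose sender domain is a confusable variant of the company domain, whose Reply-To points somewhere other than the From address, or whose Reply-To is a free webmail account, and it also lists the typosquat variants a company might register or monitor. The company domain `example-bank.com`, the confusable-character table, the webmail list and the four sample messages are all constructed placeholders.

```python
"""
Lookalike-domain and Reply-To checks for inbound mail (added example; not from
the original article). The company domain, confusable table, webmail list and
sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-bank.com"  # assumed placeholder company domain

# Substitutions attackers use because they look alike; applied to both sides
# so "examp1e" and "example" normalize to the same string. Order matters:
# multi-character pairs first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("5", "s")]

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_confusables(domain: str) -> str:
    """Map look-alike characters back to a canonical form."""
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain


def domain_of(addr: str) -> str:
    """Extract the lower-cased domain from a header such as 'CFO <cfo@x.com>'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True if domain is not the company domain but could be mistaken for it."""
    if not domain or domain == company:
        return False
    if normalize_confusables(domain) == normalize_confusables(company):
        return True
    base_d, base_c = domain.rsplit(".", 1)[0], company.rsplit(".", 1)[0]
    # Same name under another TLD (.co, .net) or a near-miss spelling.
    return edit_distance(base_d, base_c) <= 2 or edit_distance(domain, company) <= 2


def check_message(raw: str) -> list:
    """Return the red flags raised by one raw RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To") or "")
    flags = []
    if is_lookalike(from_dom):
        flags.append(f"from-lookalike:{from_dom}")
    if reply_dom and reply_dom != from_dom:
        # Replying would go to an address the sender chose, not the one shown.
        flags.append(f"reply-to-mismatch:{reply_dom}")
        if reply_dom in FREE_WEBMAIL:
            flags.append(f"reply-to-webmail:{reply_dom}")
        if is_lookalike(reply_dom):
            flags.append(f"reply-to-lookalike:{reply_dom}")
    return flags


def lookalike_variants(company: str = COMPANY_DOMAIN) -> set:
    """Typosquat candidates worth registering or monitoring for the company domain."""
    base, tld = company.rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(base):  # one character dropped
        if ch != "-":
            variants.add(base[:i] + base[i + 1:] + "." + tld)
    for src, dst in [("l", "1"), ("o", "0"), ("m", "rn"), ("i", "l"), ("w", "vv"), ("s", "5")]:
        if src in base:
            variants.add(base.replace(src, dst, 1) + "." + tld)
    variants.add(base.replace("-", "") + "." + tld)  # hyphen dropped
    for other in ("co", "net", "org", "cm"):  # same name, different TLD
        variants.add(base + "." + other)
    variants.discard(company)
    return variants


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: CFO <cfo@example-bank.com>\nTo: ap@example-bank.com\n"
             "Subject: Q3 report\n\nSee attached.\n",
    "typosquat": "From: CFO <cfo@examp1e-bank.com>\nTo: ap@example-bank.com\n"
                 "Subject: Urgent wire\n\nWire today, keep this confidential.\n",
    "reply_to_webmail": "From: CFO <cfo@example-bank.com>\nReply-To: cfo.office@gmail.com\n"
                        "To: ap@example-bank.com\nSubject: Urgent wire\n\nReply with account details.\n",
    "vendor_newdomain": "From: Billing <ar@vendor-supply.com>\nReply-To: ar@vendor-supply.co\n"
                        "To: ap@example-bank.com\nSubject: Updated bank details\n\nPlease update remittance.\n",
}


def scan_all(samples: dict = SAMPLES) -> dict:
    """Run check_message over every sample and return name -> flags."""
    return {name: check_message(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, flags in scan_all().items():
        print(f"{name:18s} {'CLEAN' if not flags else ', '.join(flags)}")
    print("variants to register/monitor:", sorted(lookalike_variants()))
```

The checks are deliberately conservative: a mismatched Reply-To on a genuine vendor message is not proof of fraud, only a reason to route it to the call-back procedure below rather than act on it. The confusable table and the edit-distance threshold of two are tuning knobs; widen them for short company names only after checking the false-positive rate on real traffic.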
What to Do if You Are a Victim:
- Contact your financial institution immediately!
- Contact your local FBI office.
- File a complaint, regardless of monetary loss, at IC3.gov.
Best Practices to Mitigate Payments Fraud:
- Always verify the authenticity of a payment request. Call back the person requesting the payment at a phone number already on file, never one supplied in the request.
- Implement a call-back verification process when setting up payment instructions for a new vendor or changing payment instructions for an existing vendor.
- Implement dual control and segregation of duties.
- Education is key! Understanding email scams and educating your employees is critical in protecting your financial assets.
- Test your fraud health.
- Implement a cybersecurity policy and review it often.
- Review your business insurance policy. Does it cover financial losses due to cybersecurity fraud?
To learn more about Business Email Compromise and how to protect your company, visit our business email compromise articles:
At First Business, our commitment is to provide you with the solutions to mitigate financial fraud. Have questions? Contact me.