The U.S. Federal Bureau of Investigation warns that Business Email Compromise (BEC) scams are on the rise.1 Its Internet Crime Complaint Center received 21,832 BEC compliants in 2020, with the total value of funds redirected to scammers reaching $2.7 billion. The scam has been reported in all 50 states and 177 countries. Many of the scammers are based in other countries, and fraudulent funds transfers have been sent to at least 140 countries.

What is a BEC?

BECs typically target companies that make routine wire transfers to foreign suppliers and businesses. A company will receive a transfer request via email from what appears to be a high-level executive or a supplier. However, the request is actually coming from a hacked email account, or an account that has been “spoofed” to appear legitimate.

In most cases, BECs begin with a criminal sending a phishing email to a company employee and gaining access to his or her email account. For an extended period of time—sometimes several months—the fraudster will monitor that employee’s email and determine who initiates wires and who requests them. Over time, they become skilled at learning employees’ schedules, personal relationships in the office, and even their style of writing so they can expertly mimic an email an executive might actually have sent. From there, they’ll either spoof an email or create a domain name that’s close to the company that they are targeting.

The next step is to wait until the CEO or other executive is away on an overseas business trip, at which time they’ll send an email impersonating them. It may say, “Hey, we’re acquiring a company over here. I need you to transfer $150,000 right away to this bank in this country.”

BECs don’t always consist of a fraudster impersonating a CEO or CFO. They may also impersonate companies’ suppliers, sending them new payment instructions so that a routine transfer will be sent to a new account. They may copy the suppliers’ logo and email formatting, and send an email saying, “We have a new bank account; please send wires to this account in the future.” If it looks legitimate, the employee in accounts payable might not suspect anything until the actual supplier asks why he hasn’t received his money.

The FBI warns that the real estate sector is increasingly popular with BEC scammers, since proceeds from property sales are often sent by wire. Victims include title companies, law firms, real estate agents, and property buyers and sellers. Money from the sale of a property can be directed to a scammer’s bank account instead of going to the seller.

Another scam involves misdirection of payroll funds. In a typical example, HR or payroll representatives receive emails appearing to be from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information generally leads to a pre-paid card account.

Small Business Beware

While large corporations appear to be picking up on the BEC scam threat and taking steps to mitigate it, smaller firms are a different story. Large companies usually have a procedure in place that requires at least two people to sign off on these types of wire transfers, but small to medium-sized businesses may not have these safeguards in place. So when an email from the CEO arrives, people tend to think, “This is the boss; I had better do what he says.” Statistics show that about 30 percent of employees of SMBs who get these types of requests actually transfer the money, and it’s extremely unlikely that they’ll get any of it back.

How to Help Protect Your Company

What can businesses do to help protect themselves from BEC scams? Here are some suggestions:

  • Carefully scrutinize all email requests for funds transfers to determine if the requests are legitimate. If it’s supposed to be coming from ABCCompany.com, but the link says ABCCCompany.com, you can be pretty sure it’s not from ABC Company. 
  • Confirm requests for funds transfers from suppliers. When verifying by phone, use previously known phone numbers and not the numbers provided in the email request.
  • Watch for urgent or “secret” requests—particularly when they come from an executive who is absent. The request usually comes on a Thursday or Friday, or right before a holiday weekend when the company is short-staffed and the person who is supposedly sending the request is usually not in the office. A secretive request should be a big red flag: “We need to make this important payment right now and it’s confidential; don’t tell anybody.”
  • Test your staff. Instead of an annual meeting warning about attacks, train them online in the browser, then regularly send them simulated phishing attacks and see how they respond.
  • Set up a dual-approval process for all wire transfers, so two people are needed to verify payment instructions. The business owner or CEO should be one of the approvers, if at all possible. To make this process more convenient, Treasury Internet Banking from Nevada State Bank allows payment approvals via mobile device.

Check out other tools available from Nevada State Bank, including ACH Positive Pay and other suggested measures to help reduce your risk of fraud.

A simple email could be all it takes to wipe out thousands or even millions of dollars from your company’s bank account, and it may not be covered by insurance. Fortunately, with good policies and training in place, you can help prevent a fatal mistake.

 

1. https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf