The U.S. Federal Bureau of Investigation recently released a public service announcement warning that business email compromise (BEC) scams are on the rise.[1] Calling this activity “a pervasive threat with significant financial losses and a considerable global impact,” the FBI reported that the total value of funds redirected as a result of BEC scams has now topped $12 billion. Between December 2016 and May 2017 there was a 136 percent increase in BEC scam losses across the globe, and instances of the crime have been reported in 150 countries and all 50 U.S. states.

What is a BEC?

BEC scams target companies that make routine wire transfers to foreign suppliers and businesses. In a typical scam, a company will receive a transfer request via email from what appears to be a high-level executive or a supplier. However, the request is actually coming from a hacked email account, or an account that has been “spoofed” to appear legitimate.

In most cases, BEC scams begin with a criminal sending a phishing email to a company employee and gaining access to his or her email account. For an extended period of time—sometimes several months—the fraudster will monitor that employee’s email and determine who initiates wires and who requests them. Over time, they become skilled at learning employees’ schedules, personal relationships in the office, and even their style of writing so they can expertly mimic an email an executive might actually have sent. From there, they’ll either spoof an email or create a domain name that’s close to the company that they are targeting.

The next step is to wait until the CEO or other executive is away on an overseas business trip, at which time they’ll send an email impersonating them. It may say, “Hey, we’re acquiring a company over here. I need you to transfer $150,000 right away to this bank in this country.”

BEC scams don’t always consist of a fraudster impersonating a CEO or CFO. They may also impersonate companies’ suppliers, sending them new payment instructions so that a routine transfer will be sent to a new account. They may copy the suppliers’ logo and email formatting, and send an email saying, “We have a new bank account; please send wires to this account in the future.” If it looks legitimate, the employee in accounts payable might not suspect anything until the actual supplier asks why he hasn’t received his money.

The FBI warned that the real estate sector is increasingly popular with BEC scammers, since proceeds from property sales are often sent by wire. Victims include title companies, law firms, real estate agents, and property buyers and sellers. From calendar year 2015 to calendar year 2017, the number of BEC victims reporting the real estate transaction angle rose 1100 percent, and the reported monetary losses increased almost 2200 percent.[1]

Small Business Beware

While large corporations appear to be picking up on the BEC scam threat and taking steps to mitigate it, smaller firms are a different story. Large companies usually have a procedure in place that requires at least two people to sign off on these types of wire transfers, but small to medium-sized businesses may not have these safeguards in place. So when an email from the CEO arrives, people tend to think, “This is the boss; I had better do what he says.” Statistics show that about 30 percent of employees of SMBs who get these types of requests actually transfer the money, and it’s extremely unlikely that they’ll get any of it back.

How to Help Protect Your Company

What can businesses do to help protect themselves from BEC scams? Here are some suggestions:

  • Carefully scrutinize all email requests for funds transfers to determine if the requests are legitimate. If it’s supposed to be coming from ABCCompany.com, but the link says ABCCCompany, you can be pretty sure it’s not from ABC Company. 
  • Confirm requests for funds transfers from suppliers. When verifying by phone, use previously known phone numbers and not the numbers provided in the email request.
  • Watch for urgent or “secret” requests—particularly when they come from an executive who is absent. The request usually comes on a Thursday or Friday, or right before a holiday weekend when the company is short-staffed and the person who is supposedly sending the request is usually not in the office. A secretive request should be a big red flag: “We need to make this important payment right now and it’s confidential; don’t tell anybody.”
  • Test your staff. Instead of an annual meeting warning about attacks, train them online in the browser, then regularly send them simulated phishing attacks and see how they respond.
  • Set up a dual-approval process for all wire transfers, so two people are needed to verify payment instructions. The business owner or CEO should be one of the approvers if at all possible. To make this process more convenient, Treasury Internet Banking from Nevada State Bank allows payment approvals via mobile device.
  • Check out other tools available from Nevada State Bank, including free IBM® Security Trusteer Rapport™ Software[2] and Positive Pay, and other suggested measures to help reduce your risk of fraud.

A simple email could be all it takes to wipe out thousands or even millions of dollars from your company’s bank account, and it may not be covered by insurance. Fortunately, with good policies and training in place, you can help prevent a fatal mistake.

1. https://www.ic3.gov/media/2018/180712.aspx

2. Trusteer Rapport® software is a product of IBM Security, made available for free to customers of Nevada State Bank. ZB, N.A. and Nevada State Bank are not affiliated with IBM Security and they do not provide, warrant, or guarantee the content, service or operation of Trusteer Rapport software. By downloading and installing Trusteer Rapport software, you agree with IBM Security to the terms and conditions of the Trusteer Rapport end user agreement. Any problems, concerns or questions regarding Trusteer Rapport should be directed to IBM Security.

 

The information provided is presented for general informational purposes only and does not constitute tax, legal or business advice. Any views expressed in this article may not necessarily be those of Nevada State Bank, a division of ZB, N.A. Member FDIC