Business email compromise (BEC) scams are among the top fraud threats to businesses today, and both the frequency of attempts and the total dollar amounts stolen have increased dramatically. The FBI reports that criminals using these scams stole nearly $750 million from more than 7,000 U.S. businesses between October 2013 and August 2015. Combined with international victims, the FBI estimates that BEC scams have cost businesses more than $1.2 billion. The scams have been reported in all 50 states and in 79 countries.
What is a BEC scam?
BEC scams target companies that make routine wire transfers to foreign suppliers and businesses. In a typical scam, a company will receive a transfer request via email from what appears to be a high-level executive or a supplier. However, the request is actually coming from a hacked email account, or an account that has been “spoofed” to appear legitimate.
In most cases, BEC scams begin with a criminal sending a phishing email to a company employee and gaining access to his or her email account. For an extended period of time—sometimes several months—the fraudster will monitor that employee’s email and determine who initiates wires and who requests them. Over time, they become skilled at learning employees’ schedules, personal relationships in the office, and even their style of writing so they can expertly mimic an email an executive might actually have sent. From there, they’ll either spoof an email or create a domain name that’s close to the company that they are targeting.
The next step is to wait until the CEO or other executive is away on an overseas business trip, at which time they’ll send an email impersonating them. It may say, “Hey, we’re acquiring a company over here. I need you to transfer $150,000 right away to this bank in this country.”
BEC scams don’t always consist of a fraudster impersonating a CEO or CFO. They may also impersonate companies’ suppliers, sending them new payment instructions so that a routine transfer will be sent to a new account. They may copy the suppliers’ logo and email formatting, and send an email saying, “We have a new bank account; please send wires to this account in the future.” If it looks legitimate, the employee in accounts payable might not suspect anything until the actual supplier asks why he hasn’t received his money.
Small Business Beware
While large corporations appear to be picking up on the BEC scam threat and taking steps to mitigate it, smaller firms are a different story. Large companies usually have a procedure in place that requires at least two people to sign off on these types of wire transfers, but small to medium-sized businesses may not have these safeguards in place. So when an email from the CEO arrives, people tend to think, “This is the boss; I had better do what he says.” Statistics show that about 30 percent of employees of SMBs who get these types of requests actually transfer the money, and it’s extremely unlikely that they’ll get any of it back.
An Ounce of Prevention…
What can businesses do to help protect themselves from BEC scams? Here are some suggestions:
- Carefully scrutinize all email requests for funds transfers to determine if the requests are legitimate. Hover over the “sender” link in the email. If it’s supposed to be coming from ABCCompany.com, but when you hover over the link it says ABCCompanyfr4tyu78v, you can be pretty sure it’s not from ABC Company.
- Confirm requests for funds transfers from suppliers. When verifying by phone, use previously known phone numbers and not the numbers provided in the email request.
- Watch for urgent or “secret” requests—particularly when they come from an executive who is absent. The request usually comes on a Thursday or Friday, or right before a holiday weekend when the company is short-staffed and the person who is supposedly sending the request is usually not in the office. Additionally, if the request is secretive, that’s a big red flag. “We need to make this important payment right now and it’s confidential; don’t tell anybody.”
- Test your staff. Instead of an annual meeting warning about attacks, train them online in the browser, then regularly send them simulated phishing attacks and see how they respond.
- Check out other tools available from Nevada State Bank, including free IBM® Security Trusteer Rapport™ Software, ACH Positive Pay, and suggested measures to help reduce your risk of fraud.
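The first and third suggestions above (scrutinize the sender's domain; watch for urgent, secretive wording) can be turned into a mechanical pre-screen that an accounts-payable mailbox or a help-desk ticket tool runs before a human looks at a wire request. The script below is an added example and is not code from the bank's article or from the AFP white paper; the trusted domain list, the phrase list, and the two sample messages are constructed for illustration. It flags a sender domain that is a close misspelling of a known domain (the "ABCCompanyfr4tyu78v" case), a Reply-To address that sends replies somewhere other than the displayed sender, and the "right away / confidential / don't tell anybody" language the article quotes.

```python
"""Pre-screen an inbound wire-request email for common BEC indicators.

Added example for a BEC awareness article; domain and phrase lists are
constructed assumptions, not data from the article or from any bank.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains this company legitimately receives wire requests from.
TRUSTED_DOMAINS = {"abccompany.com", "supplier-example.com"}

# Assumed: wording the article associates with CEO-impersonation and
# supplier-impersonation requests.
URGENCY_PHRASES = (
    "right away", "urgent", "confidential", "don't tell",
    "new bank account", "new account", "updated payment instructions",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def domain_flags(domain: str) -> list:
    """Flag domains that merely resemble a trusted one, or are unknown."""
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        if levenshtein(domain, trusted) <= 2:
            flags.append(f"lookalike of {trusted}")
        elif label in domain:
            flags.append(f"embeds trusted label {label}")
    return flags or ["unknown sender domain"]


def screen_message(raw: str) -> list:
    """Return a list of indicator strings; an empty list means nothing noted."""
    msg = message_from_string(raw)
    domain = sender_domain(msg.get("From", ""))
    flags = domain_flags(domain)

    # Replies routed to a different domain than the one shown as the sender.
    reply_domain = sender_domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != domain:
        flags.append(f"reply-to domain {reply_domain} differs from {domain}")

    # Subject plus plain-text body, searched for the article's red-flag wording.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            flags.append(f"wording: {phrase!r}")
    return flags


# Constructed sample: impersonated executive, one-letter-off domain.
SAMPLE_SPOOF = """\
From: "CEO" <ceo@abccompanny.com>
Reply-To: ceo.abccompany@webmail-example.net
To: controller@abccompany.com
Subject: Urgent wire - confidential

Hey, we're acquiring a company over here. I need you to transfer
$150,000 right away to this bank. It's confidential; don't tell anybody.
"""

# Constructed sample: routine supplier mail from a trusted domain.
SAMPLE_LEGIT = """\
From: Accounts <ap@supplier-example.com>
To: controller@abccompany.com
Subject: Invoice 4471

Please find the monthly invoice attached. Payment terms unchanged.
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, screen_message(sample) or "no indicators")
```

A hit from this screen is a reason to apply the second suggestion (call back on a number already on file), not a verdict; an empty result proves nothing, since a request sent from a genuinely compromised mailbox comes from the real domain with none of these indicators. Whether the displayed From address was actually authorized to use that domain is a question for the mail server's SPF, DKIM and DMARC checks, which this script does not perform.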
A simple email could be all it takes to wipe out thousands or even millions of dollars from your company’s bank account, and it may not be covered by insurance. Fortunately, with good policies and training in place, you can avoid making a fatal mistake. The next time you receive an urgent, secretive wire request from an executive who is out of the office—you’ll probably think twice.
This article was condensed, with permission, from a white paper published by the Association for Financial Professionals.
The information provided is presented for general informational purposes only and does not constitute tax, legal or business advice. Any views expressed in this article may not necessarily be those of Nevada State Bank, a division of ZB, N.A.