Business Email Compromise (BEC) is a sophisticated scam targeting businesses of all sizes – including, but not limited to, those that regularly perform wire and Automated Clearing House (ACH) transfer payments and those that work with foreign suppliers. According to the Federal Bureau of Investigation Internet Crime Complaint Center (IC3), as of July 2018, global losses due to BEC have exceeded $12.5 billion.
Business email compromise can take a variety of forms, but in almost every case, the scammers target employees with access to company finances. Using their knowledge of an organization, the cyber criminals trick the employee into making wire transfers to bank accounts thought to belong to trusted partners. However, the money ends up in accounts controlled by the criminals. It may sound simple, but the level of sophistication is unprecedented.
According to the FBI, below are common ways BEC attacks can take place:
- Spoofing email accounts and websites: Slight variations on legitimate addresses (firstname.lastname@example.org vs. email@example.com) fool victims into thinking fake accounts are authentic. The criminals then use a spoofing tool to direct email responses to a different account which they control. The victim thinks he is corresponding with his CEO, but that is not the case.
- Spear-phishing: Bogus emails that appear to come from a trusted sender and induce targeted individuals to reveal confidential information to the BEC perpetrators.
- Malware: Used to infiltrate company networks and gain access to legitimate email threads about billing and invoices. Malware also allows criminals undetected access to all stored credentials, including passwords and financial account information, on an infected machine.
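The spoofing pattern in the first item above (a near-miss sender address, with replies steered to a different account) can be screened for in mail headers. The following is an added example, not part of the original advisory; the trusted-domain list, the distance threshold of 2, and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organization really exchanges payment mail with.
TRUSTED_DOMAINS = {"acme-corp.example", "supplier.example"}

# Constructed sample: lookalike sender domain plus a redirected Reply-To.
SAMPLE_SPOOFED = (
    "From: Pat Lee <pat.lee@acme-c0rp.example>\n"
    "Reply-To: pat.lee@mail-relay.example\n"
    "To: ap@acme-corp.example\n"
    "Subject: Updated wire instructions\n"
    "\n"
    "Please use the new account for this invoice.\n"
)

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def bec_flags(raw_message, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return heuristic warning flags for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    # A sender domain that is close to, but not exactly, a trusted domain.
    if from_dom and from_dom not in trusted:
        for t in sorted(trusted):
            if edit_distance(from_dom, t) <= max_distance:
                flags.append(f"lookalike-domain:{from_dom}~{t}")
    # Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to-mismatch:{reply_dom}")
    return flags

if __name__ == "__main__":
    print(bec_flags(SAMPLE_SPOOFED))
```

Both checks are heuristics: some legitimate senders set a different Reply-To, so a flag should trigger the phone verification described below rather than replace it.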
How To Protect Against BEC: Treat every email request you receive with payment instructions as potentially fraudulent until verified. To verify, contact the individual who initiated the request via phone using a number from within your company’s database. Be sure to confirm the accuracy of the ABA and account number with the requester.
We strongly advise that you secure all your company’s applications – including payroll, accounting, and any other system that stores ABA and account numbers – with the same rigor as your banking operations. In addition, many corporate clients have created a formal Verification Group within their companies, whose primary job is to verify and authenticate all payment instructions.
Remember, the odds of recovering stolen funds are very low, but the sooner you can identify that fraud has occurred, the greater the possibility of recovery. That’s why it’s important to verify every payment request before issuing payment.
Please check your bank accounts as often as possible and contact your financial institution regarding BEC attacks.