Business email compromise (BEC) scams are among the top fraud threats to corporate treasury and finance. Both the frequency of attempts and the total dollar amounts stolen have increased dramatically in the past year.
What is a BEC scam?
BEC scams target companies that may make wire transfers to suppliers and businesses. In a typical BEC scam, a company will receive a transfer request via email from what appears to be a high-level executive, business partner, or supplier. However, the request is actually coming from a hacked email account, or an account that has been “spoofed” to appear legitimate.
In many cases, BEC scams begin with a criminal sending a phishing email to a company employee and gaining access to his or her email account. For an extended period of time—sometimes several months—the fraudster will monitor that employee’s email and determine who initiates wires and who requests them. Then, they’ll either spoof an email or register a domain that’s close to the targeted company’s. The domain looks almost identical to the company’s own domain, and the message appears to come from the CEO or a similar senior manager.
For example, fraudsters may wait until the CEO or another executive is on an extended business trip, at which time they’ll send an email impersonating them. The message may say the business is acquiring a company or making a similar large purchase out of state or overseas. The message may continue: “It’s not a matter anyone else in the company should know about just yet. I’m counting on your cooperation. I need you to transfer $120,000 to this bank in this country.” It’s a well-practiced process, and people do fall for it.
It can be tough to spot look-alike domains. The criminals may set up their own mail domain and change a single letter. For example, if you have an ‘m’ in your company name, they’ll change it to ‘rn’. If you have a ‘w’, they’ll change it to two ‘v’s. It looks identical at a glance, and people miss this all the time.
Financial professionals need to have protocols in place to make sure the requests they receive are legitimate. If you don’t have a formal process for calling the executive or otherwise validating that it really is the CEO requesting a transfer, then you have to train people to be inquisitive.
The FBI has provided some best practices to recognize these scams before any money is transferred.
- Implement a detection system that flags e-mails whose sender domains are similar to the company’s e-mail domain.
- Register all company domains that are similar to the actual company domain.
- Verify changes in vendor payment locations by adding an additional verification factor, such as a secondary sign-off by company personnel.
- Confirm requests for funds transfers. When using phone verification, use previously known numbers and not the numbers provided in an e-mail request.
- Know the habits of your customers when it comes to payment tendencies and amounts. Flag anything out of the ordinary.
- Carefully scrutinize all e-mail requests for funds transfers to determine if the requests are legitimate.
- Speak to your banking partners to determine any security procedures they use to authenticate client requests.
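The look-alike check described above (an ‘rn’ standing in for an ‘m’, two ‘v’s for a ‘w’, a single changed letter) can be automated at the mail gateway. The following is an added example, not code from the original article or from the FBI: it canonicalizes the sender’s domain, compares it against a list of trusted domains, and flags anything one edit away. The domains in TRUSTED_DOMAINS are hypothetical placeholders, and the check generalizes beyond the company’s own domain to known vendor domains as well.

```python
from email.utils import parseaddr

# Hypothetical domains; replace with your company's and your known vendors'.
TRUSTED_DOMAINS = ("example-corp.com", "acme-widgets.net")

# Sequences that render almost identically to a single letter.
# 'rn' -> 'm' and 'vv' -> 'w' are the substitutions the article describes;
# '0' -> 'o' and '1' -> 'l' are added as further common confusables.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def canonical(domain: str) -> str:
    """Collapse look-alike sequences so visually identical domains compare equal."""
    d = domain.lower()
    for lookalike, letter in CONFUSABLES.items():
        d = d.replace(lookalike, letter)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'unparseable' for a From: header."""
    _, addr = parseaddr(from_header)  # ignores the display name, which is easily faked
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    for known in trusted:
        # Same letters once confusables are collapsed, or one edit away
        # (a swapped letter, a dropped hyphen, a different TLD): flag it.
        if canonical(domain) == canonical(known) or edit_distance(domain, known) <= 1:
            return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for header in ("Jane CEO <jane.ceo@exarnple-corp.com>", "AP <ap@acme-vvidgets.net>"):
        print(classify_sender(header), header)
```

This only inspects the sender domain; a message sent from a genuinely compromised company or vendor mailbox will still classify as trusted, which is why the out-of-band phone verification in the list above remains necessary.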
The FBI also provided actions that companies can take should they realize they have been victimized:
- Immediately contact your bank and request that they contact the corresponding financial institution where the transfer was sent.
- Contact your FBI office if the transfer was recent. The FBI, working with the Financial Crimes Enforcement Network (FinCEN), might be able to help return or freeze the funds.
- File a detailed complaint with www.IC3.gov. Be sure to identify the incident as a BEC scam.
Watch for urgent or “secret” requests—particularly when they come from an executive who is absent. Timing and phrasing can help companies recognize these types of scams. The fraudster making the request typically says that the transfer is for administrative purposes or an acquisition, and will stress that the payment needs to be made immediately. If the request is secretive, that’s a big red flag.
Verify before you send. Be wary of any emailed request instructing a routine wire payment to be sent to a new account. Sometimes just a simple phone call can keep thousands or even millions of dollars from walking out the door.
Fully support your staff in enforcing policies that mitigate risk. Staff members should be encouraged to properly vet each emailed request that comes through, regardless of whether timeliness is an issue. If an employee holds a wire as part of the verification process, their supervisor should fully support them even if it ends up delaying a legitimate payment—they have to be the gatekeeper in safeguarding the company’s liquid assets.
Simply put, BEC scams are everywhere, and they’re not going anywhere. These fraudsters are dedicated, and if you give them a way in, they’re going to exploit it. A simple email could be all it takes to wipe out thousands or even millions of dollars from your company’s bank account, and if so, good luck getting it back. This is not just an issue that applies to large companies or organizations.
Fortunately, with good policies and training in place, treasury and finance professionals can avoid making a fatal mistake. That way, the next time you receive an urgent, secretive wire request from an executive who is out of the office—you’ll probably think twice.