BEC scams cost companies millions in fraudulent wire transfers.
It’s late on a Wednesday afternoon when Joe in finance receives an email from the CEO: “Just signed a contract with a new supplier. Please wire $150,000 to this account ASAP. Thanks.” Bank routing and account numbers are provided.
The CEO is out of town on business — Joe isn’t sure where or why — so he immediately sets about fulfilling the request. The CEO gets back in the office on Monday, and Joe goes to her office to acknowledge that he completed the wire transfer. But the shocked CEO says she never made the request. The email was fraudulent and scammers have made off with company funds.
In recent years, the FBI has issued multiple warnings about the Business Email Compromise (BEC) scam. This phishing scam comes in several forms. Hackers often “spoof” the emails of company executives, and ask employees to process wire transfers for confidential or time-sensitive business transactions. Or an executive or employee email account is hacked, allowing the attacker to fraudulently issue invoices on behalf of legitimate vendors and request wire transfers to the hacker’s bank accounts.
These and related scams have increased since same-day automated clearing house (ACH) payments became universally available on Sept. 23, 2016. Same-day ACH allows payments to be settled in hours rather than taking one or more business days. The immediacy of same-day ACH, and the high volume of payments, are appealing to hackers, who can take advantage of shorter payment windows by sneaking in fraudulent transfers before victims are aware of what has happened.
The stakes are high. The FBI’s Internet Crime Complaint Center (IC3) received 21,832 BEC complaints in 2022, with adjusted losses of more than $2.7 billion. The data show that BEC attacks were eight times more common than ransomware attacks, causing almost 80 times more financial damage. The actual number of incidents and aggregate losses are likely much higher — such attacks often go unreported due to fears of reputation damage and lost business.
The unfortunate truth is that people still fall for these and other phishing scams because hackers are getting much better at deception and persuasion. Furthermore, fraudulent wire transfers are hard to detect, and money that has already been sent is extremely difficult to recover.
The fraud filters used by banks aren’t capable of evaluating all of the moving parts of such a scam — each transaction, account histories for both incoming and outgoing funds, the batches within a file, behavior associated with a particular file, etc. Although automated fraud detection systems are used, most monitoring of flagged transactions is still manual. Many attacks are automated and carried out by bots, and humans just can’t keep up.
The Value of Training
There is some good news, however. Studies show that security awareness training brings measurable reductions in employees’ susceptibility to phishing attacks. Additionally, training significantly increases user reporting of suspicious emails, a critical metric for gauging positive employee behavior.
This is a positive sign for IT security teams, given the increase in BEC attacks that are highly targeted and personalized. Users must be vigilant to identify sophisticated phishing emails, and use reporting mechanisms to alert IT teams to potentially dangerous emails that evade perimeter defenses.
In light of that, employee security awareness training can help organizations reduce the risk that they’ll fall victim to BEC, ransomware and other attacks. Organizations should also implement policies and procedures to prevent fraudulent wire transfers:
Require multifactor authentication for logging into email, receiving payment information, and processing a request to change existing information.
Implement email filtering to block incoming messages that contain suspicious links or attachments.
Scan outgoing email to prevent transmission of sensitive information.
Confirm payment information using a different channel such as face-to-face communication or a phone call instead of simply replying to an email.
Provide clear instructions to business partners and vendors about the proper procedures for communicating payment information.
Require employees to verify everything before initiating payment. A delay is far less costly than a transfer to a fraudulent account.
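As an added example (not part of the original article), the following Python check scores a raw email against the warning signs described above: an executive's display name on an address that is not the executive's, a lookalike sender domain, a Reply-To that redirects replies elsewhere, urgency plus payment language, and an authentication failure recorded by the receiving mail server. The corporate domain, executive directory and sample message are assumptions constructed for illustration, and the check assumes a single-part plain-text message.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical corporate domain and executive directory (assumptions, not from the article).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"ceo@example.com": "Jane Doe"}
URGENCY = re.compile(r"\b(asap|urgent|immediately|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|routing|account number|transfer|invoice)\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message):
    """Return the names of BEC indicators found in one raw, single-part text message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    found = []
    # 1. An executive's display name on an address that is not that executive's.
    exec_names = {n.lower() for n in EXECUTIVES.values()}
    if name.strip().lower() in exec_names and addr.lower() not in EXECUTIVES:
        found.append("executive_display_name_spoof")
    # 2. A sender domain that closely resembles, but is not, the corporate domain.
    if sender_domain != CORP_DOMAIN and SequenceMatcher(None, sender_domain, CORP_DOMAIN).ratio() >= 0.8:
        found.append("lookalike_domain")
    # 3. Replies silently redirected to a domain other than the sender's.
    reply_domains = {domain_of(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    if reply_domains and reply_domains != {sender_domain}:
        found.append("reply_to_mismatch")
    # 4. Urgency language combined with payment instructions in the body.
    text = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if URGENCY.search(text) and PAYMENT.search(text):
        found.append("urgent_payment_request")
    # 5. The receiving mail server recorded an SPF, DKIM or DMARC failure (RFC 8601 header).
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", msg.get("Authentication-Results", ""), re.I):
        found.append("auth_fail")
    return found

def is_suspicious(raw_message, threshold=2):
    # Hold the message for out-of-band verification when two or more indicators coincide.
    return len(bec_indicators(raw_message)) >= threshold

# Constructed sample mirroring the article's scenario; addresses and domains are made up.
SPOOFED = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.net
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dmarc=fail

Just signed a contract with a new supplier. Please wire $150,000 to this account ASAP. Routing and account numbers: [placeholder]. Thanks.
"""
```

A message that trips the threshold should be routed to the out-of-band confirmation step from the list above rather than simply blocked, since a legitimate request can also contain urgency and payment language.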
Organizations that suspect they’ve been victimized by wire transfer fraud should notify the sending and receiving banks and law enforcement immediately. It may be possible to freeze the funds. They should also investigate their email system and encourage affected third parties to do the same.