Business email compromise (BEC) is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company information. The culprit poses as a trusted figure, then asks for a fake bill to be paid or for sensitive data they can use in another scam.
In 2022, the FBI’s Internet Crime Complaint Center (IC3), which receives and tracks cybercrime complaints, received 21,832 BEC complaints with adjusted losses of over $2.7 billion. Over time, BEC scams have become increasingly sophisticated. Initially, the schemes involved simple hacking or spoofing of business and personal email accounts followed by a request to send wire payments to fraudulent bank accounts. Those schemes historically involved compromised vendor emails, requests for W-2 information, targeting of the real estate sector, and fraudulent requests for large amounts of gift cards.
More recently, fraudsters have begun to use custodial accounts held at financial institutions for cryptocurrency exchanges, or have victims send funds directly to cryptocurrency platforms where the money quickly disappears.
In 2022, the IC3 saw a slight increase in the targeting of victims’ investment accounts instead of traditional bank accounts. An increasingly prevalent tactic among BEC actors was spoofing legitimate business phone numbers to “confirm” fraudulent banking details with victims.
Due to the rise in remote work, the FBI IC3 has also seen an increase in BEC complaints involving digitally altered images, videos, webinars, or audio recordings (deepfakes) delivered through virtual meeting platforms to instruct victims to send unauthorized transfers of funds to fraudulent accounts.
As with phishing, there are signs that a message requesting a funds transfer or a list of employee information might not be legitimate. Typical warning signs include:
· Messages that create a sense of urgency, pushing employees to think and act fast.
· Requests that appear to come from a high-level executive or other authority.
· Requests that coincide with the purported requester being out of the office, because the fraudster has accessed their calendar.
· Requests that stress the transaction must be kept confidential.
· Communication encouraged only through email, bypassing any follow-up processes a business might have in place.
· Requests to change direct deposit information or to send payments to a different account.
· Vendor impersonation, or use of compromised vendor accounts, to pose as trusted suppliers and business partners.
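The warning signs above can be turned into a simple screening heuristic for an inbound finance mailbox. The following is an added example written for this page, not code from the original article: the internal domain, executive roster, known vendor domains and the two sample messages are all constructed for illustration, and the look-alike domain check goes slightly beyond the list by normalising common character substitutions before comparing against known domains.

```python
"""Heuristic scorer for the BEC warning signs listed above.

Added example, not code from the original article. The internal domain,
executive roster, known vendor domains and the two sample messages are
constructed; a real deployment would pull them from the directory and the
vendor master file.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed organisation data (assumptions, not from the article)
INTERNAL_DOMAIN = "example.com"
KNOWN_DOMAINS = {INTERNAL_DOMAIN, "acme-supplies.example"}
EXECUTIVES = {"dana cfo", "sam ceo"}          # lower-cased display names

# Phrase patterns for the warning signs the article lists
PATTERNS = {
    "urgency": re.compile(
        r"\b(urgent|immediately|right away|asap|today|before (?:noon|close))\b", re.I),
    "confidentiality": re.compile(
        r"\b(confidential|keep this between us|do not (?:discuss|mention)|discreet)\b", re.I),
    "email only": re.compile(
        r"\b(in meetings|can'?t take calls|don'?t call|by email only|email only)\b", re.I),
    "payment change": re.compile(
        r"\b(new (?:bank|account|routing|wire) (?:details|number|information)"
        r"|update(?:d)? (?:my )?direct deposit"
        r"|change (?:of|in) (?:bank|payment) (?:details|instructions))\b", re.I),
}

# Character substitutions commonly used to build look-alike domains
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"),
               ("3", "e"), ("5", "s"), ("-", ""), (".", "")]


def _normalise(domain: str) -> str:
    d = domain.lower()
    for a, b in CONFUSABLES:
        d = d.replace(a, b)
    return d


def lookalike_of(domain: str, known=KNOWN_DOMAINS) -> Optional[str]:
    """Return the known domain this one imitates, or None if exact or unrelated."""
    for k in known:
        if domain != k and _normalise(domain) == _normalise(k):
            return k
    return None


def score_message(raw: str) -> Dict[str, object]:
    """Return the warning signs found in one RFC 822 message plus a simple count."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"

    signs: List[str] = []
    # Authority: an executive's display name arriving from outside the company
    if display.strip().lower() in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        signs.append("executive display name from external domain")
    # Vendor/company impersonation via a look-alike domain
    imitated = lookalike_of(sender_domain)
    if imitated:
        signs.append(f"sender domain imitates {imitated}")
    # Urgency, secrecy, email-only and payment-change phrasing
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            signs.append(name)
    return {"score": len(signs), "signs": signs}


# Constructed sample messages
SUSPICIOUS = """From: Dana CFO <dana.cfo@examp1e.com>
To: payments@example.com
Subject: Urgent wire today

I'm in meetings all day and can't take calls, so please handle this by email only.
We need to pay a new vendor before close. Keep this confidential.
Use the new bank details below.
"""

BENIGN = """From: Pat Lee <pat.lee@example.com>
To: payments@example.com
Subject: Lunch next week

Want to grab lunch on Tuesday?
"""

if __name__ == "__main__":
    print(score_message(SUSPICIOUS))
    print(score_message(BENIGN))
```

A score is a prompt for a human to apply the verification steps below, not a verdict; the phrase lists are deliberately short and will miss wording they have not seen, so the structural checks (external domain, look-alike domain) carry more weight than any single phrase.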
The first step in mitigating the risk of fraud from a BEC scam is to understand how these scams work. The second step is to put procedures in place to minimize the risk and ensure your staff are trained on them. There are various methods to reduce the risk of falling victim to these scams. Some methods include:
- VERIFICATION: Verify changes in payment instructions to a vendor or supplier by calling to verbally confirm the request (the phone number should not come from the electronic communication but should instead be taken from a known contact list for that vendor).
- CONTACT INFORMATION: Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions.
- AUTHORITY CONTROLS: Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers.
- AUTHENTICATION: Use out-of-band authentication to verify wire transfer requests that appear to come from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive a one-time code by text message together with a phone number to call to confirm the wire transfer request.
- DELAY UNTIL VERIFIED: When the staff at a victim business is contacted by the bank to verify the wire transfer, the staff should delay the transaction until additional verifications can be performed.
- DUAL APPROVAL: Require dual approval for any wire transfer request involving one or more of the following:
  - A dollar amount over a specific threshold
  - Trading partners who have not been previously added to a “whitelist” of approved trading partners to receive wire payments
  - Any new trading partners
  - New bank and/or account numbers for current trading partners
  - Wire transfers to countries outside of the normal trading patterns
- TRAINING: Train staff on BEC and fraudulent instruction scams, including how to protect their email and credentials.
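The verification, contact-file and dual-approval controls above can be expressed as policy checks that a payments workflow runs before a wire is released. The following is an added example, not code or policy from the original article: the approved-partner file, the threshold, the country list and the sample requests are constructed placeholders that a real deployment would load from the vendor master and treasury policy.

```python
"""Wire-transfer controls from the list above expressed as policy checks.

Added example, not code or policy from the original article. The approved
partner file, threshold and country list are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed vendor contact file: the "whitelist" of approved trading partners,
# their known accounts, and the on-file phone number used for call-back verification.
APPROVED_PARTNERS: Dict[str, dict] = {
    "Acme Supplies": {
        "accounts": {"DE89370400440532013000"},   # constructed sample account
        "country": "DE",
        "contact_phone": "+49-30-555-0100",       # constructed sample number
    },
}
DUAL_APPROVAL_THRESHOLD = 25_000.00            # constructed policy value
NORMAL_COUNTRIES = {"US", "DE", "GB"}          # constructed "normal trading pattern"


@dataclass
class WireRequest:
    partner: str
    bank_account: str
    amount: float
    country: str
    phone_in_message: Optional[str] = None     # number the requester supplied, if any


def dual_approval_reasons(req: WireRequest,
                          partners=APPROVED_PARTNERS,
                          threshold=DUAL_APPROVAL_THRESHOLD,
                          normal=NORMAL_COUNTRIES) -> List[str]:
    """Return every dual-approval trigger from the article that the request hits."""
    reasons: List[str] = []
    if req.amount > threshold:
        reasons.append(f"amount {req.amount:,.2f} exceeds threshold {threshold:,.2f}")
    record = partners.get(req.partner)
    if record is None:
        # Covers both "not on the whitelist" and "any new trading partner"
        reasons.append("trading partner not on the approved list")
    elif req.bank_account not in record["accounts"]:
        reasons.append("new bank account for an existing trading partner")
    if req.country not in normal:
        reasons.append(f"destination country {req.country} outside normal trading patterns")
    return reasons


def callback_number(req: WireRequest, partners=APPROVED_PARTNERS) -> Optional[str]:
    """Number to use for verbal verification, taken from the contact file only.

    The number in the message (req.phone_in_message) is deliberately ignored:
    the article notes spoofed phone numbers being used to "confirm" bad details.
    """
    record = partners.get(req.partner)
    return record["contact_phone"] if record else None


def decide(req: WireRequest) -> dict:
    """Hold anything with an open trigger; release only after call-back succeeds."""
    reasons = dual_approval_reasons(req)
    return {
        "status": "hold_for_dual_approval" if reasons else "single_approval",
        "reasons": reasons,
        "callback": callback_number(req),
    }


if __name__ == "__main__":
    # Constructed sample requests
    routine = WireRequest("Acme Supplies", "DE89370400440532013000", 10_000.0, "DE",
                          phone_in_message="+1-555-0199")
    changed = WireRequest("Globex", "NG0000000000", 30_000.0, "NG")
    print(decide(routine))
    print(decide(changed))
```

Even a request that trips no trigger still goes through the call-back using the on-file number; the checks only decide how many approvers are needed, not whether verification happens.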