Business email compromise (BEC), also known as cyber-enabled financial fraud, is a sophisticated scam targeting businesses that regularly perform wire or ACH transfer payments. BEC scams are carried out by compromising legitimate business email accounts through social engineering, email spoofing, or hacking computers, and then using those accounts to have funds transferred without proper authority.
A typical BEC scam involves duping a company into believing that the email request comes internally from an executive within the company or externally from a business that a company works with. Other times, fraudsters have been known to intercept legitimate email requests for wire transfer and ACH instructions and adjust bank account information to route the funds to a different account or different bank altogether.
Businesses are the primary target for this type of fraud, although nonprofit and government agencies are not spared from it either. In BEC, fraudsters attempt to move money, most commonly by requesting a wire transfer or ACH. However, other payment channels are not exempt from fraud. As of 2018, global accumulated losses due to BEC scams have exceeded $12B, according to the FBI.
Payroll Diversion scam
Fraudsters are smart in their tactics and this type of scam is constantly evolving. I have seen our business customers targeted by BEC scams, and more recently one of the newer tactics is called a Payroll Diversion scam. In a Payroll Diversion scam, a company receives an email from an individual believed to be an employee, requesting that their payroll direct deposit information be changed to a new bank, when in fact the email is being sent from a spoofed or compromised email address.
Fraudsters typically impersonate higher-value employees and the emails tend to be urgent and often discourage the target from calling. For instance, the email may include language like “please make the change before the next paycheck” or “I am going on vacation/abroad and will have limited phone access, please respond via email.”
Fraud of this nature is growing because it bypasses many of the existing technical controls or warnings businesses have in place to prevent fraud. These emails have also become more sophisticated. They are usually well written and lack the punctuation or spelling errors that would trigger email filters meant to catch spam or phishing attempts.
The FBI recently reported that from January 2018 through June 2019, there was a total reported loss related to Payroll Diversion scams of more than $8M. The average loss reported in each complaint was around $8K.
How do you prevent BEC?
Fraudsters are always trying to stay ahead of existing technical controls or prevention tools. Relying on your company or organization’s security system will not be enough to prevent future wire fraud.
Here are some tips I recommend:
- Perform extra validation of the payment information: confirm the receiving bank and verify the receiving account number. If the request was received via email, contact the requestor by phone instead of replying to the email.
- Be vigilant. A change in bank account information with no prior notice is a red flag and could be a sign of a BEC attempt.
- Scrutinize emails for unusual signs such as a new domain name or changes in email signatures.
- Discourage the use of personal email accounts to communicate with other employees.
- Create best practices such as having employees contact HR by phone instead of email when updating bank accounts.
- Provide training to spot signs of potential BEC scams and have a procedure for reporting them.
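The following Python script is an added example, not code from the original post, showing how a payroll or HR mailbox could automatically flag the signs listed above (a look-alike or unexpected sender domain, a known employee name arriving from an address not on file, and a direct-deposit change request paired with "before the next paycheck" or "limited phone access" language) so that the request is routed to phone verification. It also checks for a Reply-To domain that differs from the From domain, a general BEC indicator that goes beyond the post's list. The company domain `example-corp.com`, the employee directory, and both sample messages are constructed for this example.

```python
"""Heuristic triage of inbound payroll-change emails for Payroll Diversion / BEC indicators.

Added example (not the original post's code). Every address, name and message below is constructed.
A positive verdict means "verify by phone before acting", not "this is fraud".
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and a tiny HR directory (constructed for this example).
COMPANY_DOMAIN = "example-corp.com"
DIRECTORY = {
    "Dana Morales": "dana.morales@example-corp.com",
}

# Language that marks a payroll/direct-deposit change and language that pressures the reader
# or discourages a phone call, mirroring the examples quoted in the post.
PAYROLL_TERMS = re.compile(r"direct deposit|payroll|routing number|account number", re.I)
URGENCY_TERMS = re.compile(
    r"before (the )?next paycheck|limited (phone|cell) access|(respond|reply) (only )?(via|by) email"
    r"|on vacation|abroad|as soon as possible|\basap\b",
    re.I,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def plain_text(msg) -> str:
    """Concatenate the text/plain parts of a message (handles both single-part and multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def triage(raw_message: str) -> dict:
    """Return the indicators found and a verdict: 'verify_by_phone' if any indicator fires."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", "") or "")
    body = plain_text(msg)
    from_domain = domain_of(from_addr)
    indicators = []

    # 1. Look-alike domain: close to, but not equal to, the company domain.
    if from_domain and from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        indicators.append(f"look-alike sender domain: {from_domain}")
    # 2. Known employee name, but the address is not the one on file (new, personal or spoofed mailbox).
    expected = DIRECTORY.get(display_name)
    if expected and from_addr.lower() != expected:
        indicators.append(f"address for {display_name} differs from directory: {from_addr}")
    # 3. Replies would go to a different domain than the apparent sender (general BEC indicator).
    if reply_to and domain_of(reply_to) != from_domain:
        indicators.append(f"Reply-To domain differs from From domain: {domain_of(reply_to)}")
    # 4. Direct-deposit change request combined with urgency or "don't call me" language.
    if PAYROLL_TERMS.search(body) and URGENCY_TERMS.search(body):
        indicators.append("direct-deposit change request with urgency or avoid-phone language")

    return {"indicators": indicators, "verdict": "verify_by_phone" if indicators else "normal"}


# Constructed sample messages: one resembling a Payroll Diversion attempt, one routine request.
SAMPLE_SUSPICIOUS = """\
From: Dana Morales <dana.morales@examp1e-corp.com>
Reply-To: dana.morales.private@mail.example
To: payroll@example-corp.com
Subject: Direct deposit update

Hi, I changed banks and need my direct deposit moved to my new account before the next
paycheck. I am abroad with limited phone access, so please reply via email only.
Routing number and account number are attached. Thanks, Dana
"""

SAMPLE_ROUTINE = """\
From: Dana Morales <dana.morales@example-corp.com>
To: payroll@example-corp.com
Subject: Question about pay stub

Hi, could you tell me where I can download last month's pay stub? Thanks, Dana
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("routine", SAMPLE_ROUTINE)):
        result = triage(sample)
        print(f"{label}: {result['verdict']}")
        for indicator in result["indicators"]:
            print(f"  - {indicator}")
```

The script is deliberately a triage aid: every indicator maps to the manual check a payroll clerk would otherwise perform, and the only action it recommends is the one the post already prescribes, confirming the request by phone using a number from the directory rather than from the email.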
The best line of defense against email compromises is to carefully validate and confirm all wire transfer and ACH transaction requests prior to sending funds.