The cyber threat to companies that just won’t go away is business email compromise (BEC).
In results from the Association for Financial Professionals’ most recent annual Payments Fraud and Control Survey of corporate America, released earlier this year, more than three-quarters of respondents reported being targeted for BEC fraud. Not surprisingly, as a consequence, more than 6 out of 10 pointed to BEC as the top source of attempted or actual payments fraud against their businesses.[1]
BEC fraud is also one of the costliest cyber schemes, according to the FBI. In its 2020 Internet Crime Report released in March, the agency says it received over 19,000 BEC complaints last year representing losses of $1.8 billion — nearly half of all reported losses.[2]
What Does BEC Look Like?
Originally, most business email compromise scams were so-called “CEO/CFO fraud” schemes, in which a fraudster sends an accounts payable employee an email purporting to be from one of the company’s executives. The email directs the employee to initiate a funds transfer to a bank account controlled by the criminal. The scheme succeeds when the employee, not wanting to anger a superior by asking too many questions, simply complies. Here's an example of a CEO/CFO fraudulent email:
But BEC has evolved to include variations on this theme.
Payroll diversion is a BEC phishing scam that aims to divert employee payroll direct deposits to a fraudster account. The Human Resources or payroll representative receives a fake email appearing to be from an employee requesting a change to their direct deposit account. The new information redirects the employee’s deposit into a crook’s account or onto a pre-paid card.
Another prevalent form of BEC is the bogus invoice scheme. Attackers call or email a business that has a longstanding relationship with a supplier, pretending to be the supplier. They try to trick the employee into wiring funds for invoices to the crook’s account, or they request invoice payments be sent to them at a new address.
How Can You Thwart These Schemes?
Here are the most popular prevention strategies, all used by more than half of respondents in the most recent AFP fraud survey:
- Educate employees on the threat of BEC and train them to recognize attempts.
- Implement company policies for providing appropriate verification of any changes to existing invoices, bank deposit information and contact information.
- Confirm requests for funds transfers by executing a call back to an authorized contact at the payee organization using a phone number from a system of record (not numbers listed in an email).
- Institute stronger internal controls prohibiting payments initiation based on emails or other less secure messaging systems.
- Require authorized signoff from senior management for transactions over a certain threshold.
- Adopt at least two-factor authentication, or other added layers of security, for access to the company network and for the ability to initiate payments.
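The three schemes described above share a few observable traits in the message itself: a display name borrowed from a real executive or employee on an address that is not the one on file, a look-alike sender domain, a Reply-To pointing somewhere else, and payment or urgency language. The following Python screening routine, added here as an illustration and not code from the original article or the AFP/FBI sources, checks an incoming message for those traits and holds anything that trips a check for the out-of-band call-back the prevention list recommends. The company domain, the executive directory, the phrase list and the sample messages are all constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed directory for the example: the company's domain and the
# addresses on file for executives whose names are most worth impersonating.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "sam patel": "sam.patel@example.com",
}
# Phrases typical of CEO-fraud, payroll-diversion and bogus-invoice requests.
PRESSURE_PHRASES = ("urgent", "wire transfer", "asap", "confidential",
                    "direct deposit", "new bank account", "updated banking",
                    "remittance address")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw):
    """Return the list of BEC indicators found in one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. An executive's name in the display name, but not the address on file.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("executive-display-name-mismatch")

    # 2. Sender domain is a near miss of the company domain (e.g. examp1e.com).
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 3. Replies would be routed somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # 4. Payment or urgency language in the text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure-language:" + ",".join(hits))
    return findings


def verdict(raw):
    """Anything with an indicator is held until a call-back to a number on file."""
    return "hold-for-callback" if assess_message(raw) else "ok"


# Constructed sample messages: CEO fraud, a payroll-diversion request, and a
# legitimate internal note.
CEO_FRAUD_SAMPLE = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-example.net
To: ap@example.com
Subject: Payment today

I need you to process an urgent wire transfer today. Keep this confidential.
"""

PAYROLL_SAMPLE = """From: "Chris Lee" <chris.lee@gmail.com>
To: hr@example.com
Subject: Banking update

Please update my direct deposit to my new bank account before payroll runs.
"""

LEGIT_SAMPLE = """From: "Sam Patel" <sam.patel@example.com>
To: staff@example.com
Subject: Thursday

Attached is the agenda for Thursday.
"""

if __name__ == "__main__":
    for name, sample in (("ceo", CEO_FRAUD_SAMPLE), ("payroll", PAYROLL_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, verdict(sample), assess_message(sample))
```

The checks are deliberately cheap and header-based, so they complement rather than replace the policy controls above: a message that passes every check can still be fraudulent, which is why the call-back to a number from a system of record, not from the email, remains the control that actually stops the transfer.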
Stay Current on BEC Threats
With more employees working remotely these days, it can be more challenging for them to verify that an email from a company executive is legitimate. Thus businesses are wise to take BEC prevention even more seriously and adopt these best practices.
The FBI recommends that businesses visit www.ic3.gov for updated public service announcements regarding BEC trends. Additionally, you can learn more about combating BEC on our website.
[1] 2021 AFP Payments Fraud and Control Survey results.
[2] 2020 Internet Crime Report from the FBI, released March 17, 2021.