If a sophisticated businessperson like real estate mogul and “Shark Tank” TV star Barbara Corcoran can fall victim to a Business Email Compromise (BEC) phishing scam, it can probably happen to you and your company too — if you don’t stay vigilant.
According to published reports earlier this year, Corcoran had nearly $400,000 stolen when fraudsters tricked her bookkeeper into complying with an email request — ostensibly from Corcoran’s assistant — to pay a large-dollar invoice from a German company.[1]
The scammers in this bogus invoice scheme knew the inner workings of Corcoran’s operation, were able to convince the bookkeeper in an email exchange that the bill was legitimate, and attempted to transfer the money into an account under their control.
A Serious Threat to Your Business
Corcoran’s bank acted in time to halt the transfer and return the funds.[2] But not everyone is so fortunate, and thus BEC scams like this one pose a serious threat to businesses. The FBI reports nearly 24,000 BEC complaints last year resulting in $1.7 billion in losses.[3] In addition, according to a 2020 survey by the Association for Financial Professionals (AFP), business email compromise was the largest reported source of attempted or actual payments fraud attacks last year.[4]
The uncertainty around COVID-19 and a growing remote workforce have exacerbated the problem, the FBI says.
In a BEC scam, criminals send an email message that appears to come from a known source. The sender makes what appears to be a legitimate request for the receiver to initiate a funds transfer, redirect a recurring payment to a different account, or provide payment credentials.
These attacks typically rely on two tactics. One is social engineering, or tricking people online into breaking standard security practices. The second is spear phishing, which usually involves targeting specific employees with fund transfer powers.
Other Common BEC Scams
In addition to bogus invoice schemes, like the one illustrated above, two other common BEC scams to watch out for are:
The CEO/CFO fraud scheme. In this scenario, a fraudster sends an accounts payable employee an email purporting to be from one of the company’s executives, often the CEO or CFO. The email directs the employee to initiate a funds transfer to a bank account controlled by the criminal. The employee doesn’t want to anger the big boss by asking too many questions and complies.
Payroll diversion. This phishing scam aims to divert employee payroll direct deposits to a fraudster account. The Human Resources or payroll representative receives a fake email appearing to be from an employee requesting a change to their direct deposit account. The new direct deposit information redirects the employee’s deposit into a crook’s account or onto a pre-paid card.
Create an Employee Firewall
So how do you protect your company against BEC threats? The best strategy is to create an “employee firewall” by educating your workforce about these scams. These tips from the FBI should help:[5]
- Be skeptical of last-minute changes in wiring instructions or recipient account information.
- Verify any changes and information via the contact on file; do not contact the vendor through the number provided in the email.
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Verify the address an email was actually sent from, especially on a mobile or hand-held device where only the display name may be shown, by checking that the sender’s real email address matches the person it claims to come from.
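The last three tips can be turned into an automated check. The following is an added example, not code from the article or from the bank: it compares the sender’s real address domain and every link host in a message against a hypothetical allowlist of known domains and flags near-miss spellings or hostnames that bury a known name inside a longer one. The domains and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Hypothetical allowlist: the company's own domain and the vendors it has on file.
KNOWN_DOMAINS = {"example-corp.com", "vendor-gmbh.de"}

def levenshtein(a, b):
    # Edit distance, used to catch one- or two-character domain misspellings.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None if exact or unrelated."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        # A near-miss spelling, or the known name buried inside a longer hostname.
        if levenshtein(domain, known) <= 2 or known.split(".")[0] in domain:
            return known
    return None

def check_message(raw):
    """Return warnings for one plain-text message; an empty list means no red flags."""
    msg = message_from_string(raw)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if lookalike_of(from_domain):
        warnings.append(f"sender domain {from_domain} imitates {lookalike_of(from_domain)}")
    if name and from_domain not in KNOWN_DOMAINS:
        # The display name is trivially forged; only the actual address counts.
        warnings.append(f"display name '{name}' sent from unknown domain {from_domain}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = urlparse(url).hostname or ""
        if lookalike_of(host):
            warnings.append(f"link host {host} imitates {lookalike_of(host)}")
    return warnings
# Constructed sample: a wiring-change request from a misspelled sender domain.
SUSPECT = """From: Executive Assistant <assistant@examp1e-corp.com>
Subject: Updated wire instructions for the German invoice

Please pay to the new account listed at https://vendor-gmbh.de.secure-pay.net/inv
"""
```

Running `check_message(SUSPECT)` yields three warnings (misspelled sender domain, display name from an unknown domain, and a link host imitating the vendor), while the same request sent from the real domains yields none.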
To learn more, visit How to Identify Cyber Threats and Defend Your Company as well as our Cybersecurity Resource Library, and contact your Treasury Services Support Team at 1-866-594-2304 anytime you need assistance or answers to cybersecurity questions.
[1] “Shark Tank’s Barbara Corcoran fell for this very common phishing scam — and it cost her almost $400,000,” Marketwatch.com, Feb. 27, 2020. https://www.marketwatch.com/story/shark-tanks-barbara-corcoran-fell-for-this-very-common-phishing-scam-and-it-cost-her-almost-400000-2020-02-27
[2] “Scammers return money after 'Shark Tank' star Barbara Corcoran lost almost $400,000 in phishing,” USA Today, Feb. 28, 2020. https://www.usatoday.com/story/entertainment/celebrities/2020/02/27/shark-tank-star-barbara-corcoran-loses-nearly-400-000-phishing/4891217002/
[3] “2019 Internet Crime Report Released,” FBI news release, Feb. 11, 2020. https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120
[4] “Survey: Business Email Compromise Most Common Cause of Fraud Attempts,” AFP news release, April 7, 2020. https://www.afponline.org/about/learn-more/press-releases/Details/survey-business-email-compromise-most-common-cause-of-fraud-attempts
[5] “FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic,” FBI news release, April 6, 2020. https://www.fbi.gov/news/pressrel/press-releases/fbi-anticipates-rise-in-business-email-compromise-schemes-related-to-the-covid-19-pandemic