Business Email Compromise Schemes Threaten Funds Transfers
As updated statistics from the FBI’s Internet Crime Complaint Center show, business email compromise (BEC) schemes increasingly put funds transfers at risk. Between June 2016 and December 2021, reported exposed dollar loss associated with BEC schemes was greater than $43 billion.
Now more than ever organizations and individuals must implement controls to recognize and prevent BEC scams and safeguard their fund transactions.
What is the BEC threat?
A BEC scam targets businesses that make wire transfer payments; its close relative, email account compromise (EAC), targets individuals who make them. In both cases the attacker gains control of, or convincingly imitates, a legitimate email account, through social engineering or computer intrusion, and uses it to trigger an unauthorized transfer of funds.
According to the U.S. Secret Service, BEC scams target financial institutions, real estate companies, health care firms, human resources organizations, educational institutions and large-scale construction and contracting firms.
At bottom, the BEC scam is a confidence game. The bad actors either persuade someone to click a malicious link or attachment, which lets them install malware on the company's computer systems, or persuade the recipient that an email attaching wiring instructions or requesting information is a legitimate, authorized request.
The account takeover itself is typically accomplished in one of three ways: malware delivered through a computer intrusion, a spoofed email address that merely resembles the real one, or social engineering of the account holder. Whichever route is used, the end is the same: the attacker is positioned to request, redirect or approve a payment.
These schemes constantly evolve, and have taken a variety of forms:
- Hacking or spoofing of email accounts of CEOs and CFOs;
- Compromise of personal emails and vendor emails;
- Spoofed law firm email accounts (a favorite in real estate transactions); and
- Requests for W-2 information.
In each such evolution, the scammers rely on apparent authority (an email that appears to come from an executive, attorney or trusted vendor) and urgency (e.g., “we need this immediately”) to push a fraudulent transfer through before anyone verifies it.
Addressing the BEC Threat
Organizations can take several steps to address the threats presented by a BEC scam:
- Verify all payment changes and transactions in person or via a known, established telephone number, never a number supplied in the email itself. Keep contact information current and updated.
- Carefully check email addresses for slight changes (a swapped, added or dropped letter, or a lookalike character) that make a fraudulent address resemble an actual company's name.
- Implement robust approval procedures for vetting account change requests to prevent monetary losses.
- Enable security features that block malicious emails, such as anti-phishing and anti-spoofing policies.
- Educate employees on BEC scams, including preventive strategies such as how to identify phishing emails and how to respond to suspected compromises.
- Notify customers about BEC threats and mitigation methods your company is taking, such as notifying customers of internal processes for changing or updating ACH banking information.
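Two of the checks above, spotting a lookalike sender domain and noticing that a reply would go somewhere other than the apparent sender, can be automated at the mail gateway or in a mailbox rule. The following is an added example, not code from the article or its author: it folds common lookalike substitutions (rn for m, 1 for l, Cyrillic letters for Latin ones) before comparing the sender's domain against a list of domains the organization actually transacts with, and flags a Reply-To header that points away from the From domain. The domain list and the sample headers are constructed for illustration.

```python
"""Flag lookalike sender domains and Reply-To hijacks in inbound mail.

Added example (not from the original article). KNOWN_DOMAINS and the
sample headers are constructed for illustration.
"""
from __future__ import annotations

import unicodedata
from email.utils import parseaddr

# Constructed list of domains we legitimately exchange payment details with.
KNOWN_DOMAINS = {"example.com", "acme-supply.com", "smithlawfirm.com"}

# Substitutions scammers use so a fake domain reads like the real one.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# A few Cyrillic letters that look identical to Latin ones (a c e o p x y).
CYRILLIC_TO_LATIN = str.maketrans("\u0430\u0441\u0435\u043e\u0440\u0445\u0443", "aceopxy")


def normalize(domain: str) -> str:
    """Lower-case, strip accents, map homoglyphs and fold digit/letter tricks."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(CYRILLIC_TO_LATIN)
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, known=KNOWN_DOMAINS) -> tuple[str, str]:
    """Return (verdict, domain): 'known', 'lookalike', 'external' or 'malformed'."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ("malformed", "")
    if domain in known:
        return ("known", domain)
    folded = normalize(domain)
    for k in known:
        kf = normalize(k)
        # Same after folding, one edit away, or a known domain buried inside a
        # longer host name (acme-supply.com.evil.test) all count as lookalikes.
        if folded == kf or edit_distance(folded, kf) <= 1 or kf in folded:
            return ("lookalike", domain)
    return ("external", domain)


def assess(headers: dict) -> list[str]:
    """Findings for a message's From/Reply-To headers; empty list means clean."""
    findings = []
    verdict, from_dom = classify_sender(headers.get("From", ""))
    if verdict != "known":
        findings.append(f"from-domain:{verdict}:{from_dom}")
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        rt_dom = rt_addr.rpartition("@")[2].lower()
        # A Reply-To on a different domain routes the victim's answer to the attacker.
        if rt_dom and rt_dom != from_dom:
            findings.append(f"reply-to-mismatch:{rt_dom}")
    return findings


# Constructed sample headers exercising each case.
SAMPLES = {
    "legit": {"From": "Pat Jones <pat@acme-supply.com>"},
    "typosquat": {"From": "Pat Jones <pat@acme-suply.com>"},
    "rn-for-m": {"From": "Pat Jones <pat@exarnple.com>"},
    "cyrillic-a": {"From": "Pat Jones <pat@\u0430cme-supply.com>"},
    "reply-hijack": {"From": "CEO <ceo@example.com>", "Reply-To": "ceo.example@mail.test"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:13} {assess(hdrs) or 'clean'}")
```

The one-edit threshold is deliberately tight; loosening it to two edits catches "acme-supplies.com" but starts flagging unrelated short domains, so tune it against your own vendor list. Punycode (xn--) domains are not decoded here and would need an extra step, and none of this replaces calling the vendor at a known number before changing payment details.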
Security is an ongoing process
The pace of change in computer technology and communications can be bewildering. However, identifying and understanding the risks to payment information, and using the tools available to organizations to address those risks, helps make this ever-evolving process more manageable.
Jack Pringle is a partner with Adams and Reese in Columbia, South Carolina, and focuses his practice on privacy, information security, and information governance. Jack helps businesses protect, manage, and communicate information lawfully and effectively, and has received the Information Privacy Professional (CIPP-US) designation from the International Association of Privacy Professionals (“IAPP”).
His presentations can be found at https://www.slideshare.net/jjpringle317