Fighting Business Email Compromise
BEC fraud is growing rapidly, but there are steps you can take to battle it.
Since 2013, Business Email Compromise (BEC), also known as CEO fraud, has cost U.S. businesses more than $180 million, and that number is rising. Since 2015, the scam has been reported in 79 countries and all 50 states. Federal Bureau of Investigation (FBI) numbers peg the average loss at about $100,000, but it can be—and has been—much more.
What is BEC?
A sophisticated email scam targeting businesses that regularly perform wire transfer payments and/or work with foreign suppliers, BEC has the potential to do great damage through fraudulent funding requests.
How Does BEC Typically Work?
- It starts with the fraudster phishing an executive, sending an email from a lookalike domain name that might be one or two characters off from the real one (e.g., abc-company.com in place of abc_company.com).
- Unlike traditional phishing scams, spoofed emails are unlikely to throw up red flags for spam, as they’re not mass emailed.
- Fraudsters work to understand the target organization’s relationships, activities, travel and/or purchasing plans, so their email messages appear more convincing.
The FBI offers the example of a CFO of a U.S. company who received an email from the CEO while the CEO was out of the country. The CEO requested a transfer of funds for a time-sensitive payment that required discretion. The CFO followed the instructions and wired $250,000 to a bank in Hong Kong. The next day, the CEO called about another matter. The CFO mentioned the wire had been completed, but the CEO said she never sent the email and knew nothing about the transaction. In this scam, the CEO’s email address was a single letter off from the real thing.
How Can I Protect My Business?
- Create intrusion detection system rules that flag emails sent from domains similar to your company's own. For example, if the legitimate company domain is abc_company.com, a rule would flag mail from abc-company.com as potentially fraudulent.
- Register all company domains that are slightly different than your company’s actual domain.
- Confirm requests for transfer of funds (when using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the email request).
- Verify changes in vendor payment location by adding additional two-factor authentication, such as having a secondary sign-off by company personnel.
- Be suspicious of wire transfer payment requests with secrecy or pressure to take action quickly.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
- Be wary of free, web-based email accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personnel information to social media and company websites.
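The lookalike-domain rule described in the first item above can be implemented as a simple check on the sender's domain. The following Python is an added example written for this page; it is not code from Salem Five or the FBI. It assumes the defender maintains a list of trusted company domains (here the page's own example, abc_company.com), normalizes common substitution tricks (separator swaps, digit-for-letter swaps, "rn" for "m") and also flags any domain within a small edit distance of a trusted one, which covers the "single letter off" address from the CEO-fraud story. The sample sender addresses at the bottom are constructed for illustration.

```python
import re

# Assumption: the organization's legitimate sending domains (page example used).
TRUSTED_DOMAINS = ("abc_company.com",)

# Assumption: how many single-character edits still count as "lookalike".
MAX_EDIT_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse the substitutions fraudsters use so lookalikes compare equal.

    Separators ('-', '_', '.') are dropped, digits that resemble letters are
    mapped back, and the two-glyph 'rn' is folded into 'm'.
    """
    d = domain.lower()
    for sep in "-_.":
        d = d.replace(sep, "")
    d = d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))
    return d.replace("rn", "m")


def sender_domain(address: str):
    """Return the domain part of an email address, or None if malformed."""
    m = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.\-_]+)", address.strip())
    return m.group(1).lower() if m else None


def classify(address: str, trusted=TRUSTED_DOMAINS, max_distance=MAX_EDIT_DISTANCE) -> str:
    """Label a sender as 'trusted', 'lookalike', 'external' or 'invalid'."""
    dom = sender_domain(address)
    if dom is None:
        return "invalid"
    for t in trusted:
        # Exact match or a subdomain of a trusted domain.
        if dom == t or dom.endswith("." + t):
            return "trusted"
    for t in trusted:
        if normalize(dom) == normalize(t) or levenshtein(dom, t) <= max_distance:
            return "lookalike"
    return "external"


def scan(addresses):
    """Apply classify() to a batch of sender addresses (e.g. from a mail log)."""
    return [(addr, classify(addr)) for addr in addresses]


# Constructed sample senders, not real addresses.
SAMPLE_SENDERS = [
    "ceo@abc_company.com",       # legitimate
    "hr@mail.abc_company.com",   # legitimate subdomain
    "ceo@abc-company.com",       # separator swap (the page's example)
    "ceo@abc_cornpany.com",      # 'rn' in place of 'm'
    "ceo@abc_c0mpany.com",       # zero in place of 'o'
    "ceo@abc_compny.com",        # one letter dropped
    "billing@example.net",       # unrelated external sender
    "not-an-address",            # malformed
]

if __name__ == "__main__":
    for addr, verdict in scan(SAMPLE_SENDERS):
        print(f"{verdict:9s} {addr}")
```

Any "lookalike" verdict is a reason to hold the message and confirm the request out of band, using a phone number already on file rather than one taken from the email. The normalization step is deliberately conservative; a production rule would also compare the display name and Reply-To header, which this example leaves out.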
What If It’s Too Late?
If you believe your firm has been a victim of BEC, or if you can confirm that funds have been transferred to a fraudulent account, it is important to act quickly.
- Contact your financial institution immediately upon discovering the fraudulent transfer.
- Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local FBI office if the wire is recent (the Boston office can be reached at (617) 742-5533). The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
- File a complaint, regardless of dollar loss, with the IC3.
It’s hard to guard against determined scammers, but knowing how they work can help. You can gain information about protecting your business by reading the U.S. Department of Justice publication, Best Practices for Victim Response and Reporting of Cyber Incidents.
Contact me to discuss your company’s current cash management practices, and the service provided by Salem Five’s dedicated professionals.