Understand the Risk
Business email compromise (BEC) scams are a type of online payment fraud that targets businesses and can result in significant financial loss. BEC involves gaining unauthorized access to a legitimate email, text message or social media account or an attempt to spoof or fake a legitimate account.
The purpose is to enable the criminal actor to send a message from an executive or business leader, vendor or client to convince an employee to transfer funds.
Once these funds are transferred to the criminal actor, it’s difficult — if not impossible — to recover the loss. Between 2016 and 2021, Americans lost approximately $9 billion to BEC fraud. It takes only minutes for a financially crippling mistake — and it can happen to anyone. Whether it’s a new hire, a 20-year veteran, payables manager or CEO, the resulting impact is the same if a misstep occurs.
The good news is that there are actions businesses can take to minimize and mitigate their risk.
How to Identify BEC Red Flags and Reduce Risk
The most important preventive measures to protect against BEC are vigilance and awareness. Below are several BEC red flags to look for in any communications regarding fund transfers or transactions.
Communication features:
- Spoofed communications — It’s crucial to thoroughly inspect spelling and domains on payment requests received via email. This includes carefully checking the address of the sender (email, phone number, etc.) to see if letters, numbers or the domain name are incorrect.
- Use of personal accounts — Criminal actors will impersonate company leaders, vendors or clients who are using their personal accounts (email, mobile phone, social media) rather than their standard company accounts.
Focus on timing:
- Urgency — Actors using BEC write communications requesting quick action on data changes and fund transfers or set accelerated deadlines. The faster timelines can result in missed validation steps or the employee acting outside of protocol.
- Relying on employees’ response to authority — These actors depend on employees being conditioned to quickly comply with requests from executive leadership or important clients and vendors.
- The request comes at a busy time — Many fraudulent requests will come at the end of the workday or work week, putting pressure on employees to complete the request before the end of business (or end of month/quarter/fiscal year).
Communication and behavior:
- Communications from executives — BEC fraudsters will impersonate a real individual, most often a leader or executive at the company a person works for.
- Single form of communication — Many BEC attempts will indicate that the sender is in a meeting or traveling and can’t be reached by phone or other means, and demand all communication occur via a specific communication channel such as email, text or social media.
- Generic terms and odd grammar — Non-personalized greetings in an email, such as “Dear” or “Sir” or “Customer,” are red flags. Other red flags in emails are odd grammar such as “kindly,” missing punctuation or spelling errors.
- Prospect of reward — Combined with fear and urgency, the prospect of being rewarded may prompt employees to skip typical procedures. These rewards can be tangible or intangible, such as being recognized for solving a problem or completing a highly important task for executive leadership.
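The sender-address and wording red flags listed above can be turned into a first-pass screen that runs before a human reads a payment request. The script below is an added example, not code from the article or from UMB; the known-domain list, the personal-domain list, the homoglyph table, the phrase lists and the sample message are all constructed assumptions. It folds common lookalike characters (0 for o, 1 for l, rn for m) and one-character edits back onto the domains the business actually corresponds with, checks for a personal webmail domain, and reports generic greetings, odd phrasing, urgency, single-channel pressure and account-change language.

```python
import unicodedata

# Domains the business actually corresponds with; constructed for this example.
KNOWN_DOMAINS = {"example-vendor.com", "corp.example"}
# Free webmail domains: a "vendor" or "executive" writing from one of these is
# the personal-account red flag.
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Common substitutions that make a lookalike domain read like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
GENERIC_GREETINGS = {"dear", "sir", "customer", "dear sir", "dear customer",
                     "dear sir or madam"}
# Phrase lists per red-flag category; constructed and deliberately short.
INDICATORS = {
    "odd phrasing": ("kindly", "do the needful", "revert back"),
    "urgency": ("urgent", "immediately", "asap", "before end of day", "right away"),
    "single channel": ("in a meeting", "can't be reached", "cannot be reached",
                       "traveling", "reply by email only", "do not call"),
    "payment change": ("new account", "updated bank", "change of bank",
                       "new wire instructions"),
}


def edit_distance(a, b):
    """Levenshtein distance, so one dropped, added or swapped character is caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Fold Unicode compatibility forms and common lookalike characters to plain letters."""
    d = unicodedata.normalize("NFKC", domain).strip().lower()
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def lookalike_domain(domain):
    """Return the known domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain.lower() in KNOWN_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for known in sorted(KNOWN_DOMAINS):
        if norm == known or edit_distance(norm, known) <= 1:
            return known
    return None


def score_message(sender, body, subject=""):
    """Return the list of BEC red flags found in one message (empty list means none)."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    known = lookalike_domain(domain)
    if known:
        flags.append(f"lookalike sender domain {domain!r} resembles {known!r}")
    if domain in PERSONAL_DOMAINS:
        flags.append(f"personal account domain {domain!r}")
    # A non-personalized salutation on the first non-blank line is a red flag.
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    greeting = first_line.rstrip(",:!").lower()
    if greeting in GENERIC_GREETINGS:
        flags.append(f"generic greeting {first_line!r}")
    text = f"{subject}\n{body}".lower()
    for category, phrases in INDICATORS.items():
        hits = [p for p in phrases if p in text]
        if hits:
            flags.append(f"{category}: " + ", ".join(hits))
    return flags


# Constructed sample message that shows several red flags at once.
SAMPLE_SENDER = "cfo@examp1e-vendor.com"
SAMPLE_BODY = """Dear,
Kindly process the attached invoice immediately using the new account below.
I am in a meeting all day and can't be reached by phone, so reply by email only.
"""

if __name__ == "__main__":
    for flag in score_message(SAMPLE_SENDER, SAMPLE_BODY):
        print("RED FLAG:", flag)
```

Two limits worth knowing: NFKC does not map Cyrillic or Greek letters onto their Latin lookalikes, so a production screen should also compare the Punycode (xn--) form of internationalized domains, and phrase matching on its own only raises a flag for a reviewer; the out-of-band callback described later in the article is still what confirms or refutes the request.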
How a Company Is Targeted for BEC
Before launching a BEC scam, criminal actors may research the company, employees and senior management to gather as much information as possible to help them craft a convincing request. They may even check travel schedules, read other business emails and review social media profiles.
Criminal actors most often identify themselves as a high-level executive (CFO, CEO, CTO, etc.), lawyer, vendor, customer or other type of representative. In the communication, they will claim to be handling confidential or time-sensitive matters and request initiation of an urgent wire transfer.
Notably, these urgent requests also include a change to the receiving account or the setup of a new account (which ultimately routes to the criminal actor). The employee receiving the communication may believe the request is legitimate and execute the fund transfer, resulting in a financial loss for the company.
BEC Timeline
There is a predictable sequence of events that criminal actors follow in executing a business email compromise scam.
- Targeting: Criminals target a business by using information available online to build a profile of the company and its executives.
- Grooming: Employees are sent phishing communications — notably those in the financial or accounts payable department.
- Sharing information: The victim is convinced he or she is processing a legitimate transaction and agrees to the criminal’s request.
- Transferring funds: Funds are sent to a bank account controlled by the criminal actor(s).
BEC Is a Social Engineering Scam
The tricky part about BEC is that it isn’t primarily achieved through malware or hacking — it uses social engineering. These criminal actors create believable scenarios that can trick an employee into transferring funds.
Social engineering is the use of deception to manipulate individuals into divulging confidential information or taking action to support fraudulent activity.
It is in our nature to trust and want to help. Cybercriminals use psychology and human nature to entice victims to bypass important security controls. In general, criminal actors deceive employees by presenting themselves as someone who can and should be trusted, and then take advantage of emotions to encourage actions outside of standard protocol.
How to Help Prevent BEC
Thoroughly vet payment change requests: A request for payment accompanied by a change in receiving account should always be closely examined.
Employees should contact executives, vendors or clients using an alternate communication channel to verify the request and the new account information. This contact must be made using a trusted phone number already on file for a known contact at the organization, not the phone number provided in the email, text or social media message, to verify the individual is authorized to make the request.
Pause to verify: When asked to verify a wire transfer, employees should delay the transaction until additional verifications can be performed, and require dual approval for any wire transfer request that meets certain high-risk criteria. High-risk criteria for fund transactions could include a dollar amount over a specific threshold, a change in bank accounts for a known client or vendor, wire transfers to countries outside normal patterns, wires for new clients or vendors, wire instructions coming from an unknown person/email allegedly representing a known client/vendor, and all wires requested by senior leadership within their own organization.
Keep it simple: Businesses should limit the number of employees within that business who have the authority to approve and/or conduct wire transfers.
Create an environment of trust: Many BEC scams are a result of criminal actors posing as senior leaders within organizations. Employees should feel comfortable pausing to validate a senior leader’s funds transfer request via phone or in person without worry.
Employees should be encouraged to resist good-natured conditioning to help and temper their eagerness to prioritize requests from leadership.
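The "Pause to verify" and "Keep it simple" measures above describe a workflow rule: a short list of authorized approvers, dual approval plus an out-of-band callback for any wire that meets a high-risk criterion, and no exception for requests that come from leadership. The following Python model is an added example, not code from the article or from UMB; the threshold, country list, approver list, leadership addresses and payee records are constructed assumptions. It evaluates a request against each criterion the article lists and returns "hold" with the reasons until the required controls are in place.

```python
from dataclasses import dataclass

# Policy values are constructed for this example; the article names the criteria
# but gives no thresholds, countries or people.
DUAL_APPROVAL_THRESHOLD = 10_000.00       # dollar amount above which two approvers are needed
NORMAL_COUNTRIES = {"US", "CA"}           # destinations that fit this company's normal pattern
AUTHORIZED_APPROVERS = {                  # deliberately short list ("keep it simple")
    "alice@corp.example", "bob@corp.example", "carol@corp.example",
}
SENIOR_LEADERSHIP = {"ceo@corp.example", "cfo@corp.example"}
# Receiving accounts and sender addresses already on file for each known payee.
PAYEES_ON_FILE = {
    "ACME Supplies": {"accounts": {"ACME-ACCT-001"}, "contacts": {"ap@acme.example"}},
}


@dataclass
class WireRequest:
    payee: str
    amount: float
    account: str                      # receiving account named in the instructions
    country: str                      # country of the receiving bank
    requested_by: str                 # address the instructions arrived from
    approvals: tuple = ()             # internal users who have signed off
    callback_verified: bool = False   # confirmed by phoning a number already on file


def risk_reasons(req):
    """Return every high-risk criterion from the article that this request meets."""
    reasons = []
    on_file = PAYEES_ON_FILE.get(req.payee)
    if req.amount >= DUAL_APPROVAL_THRESHOLD:
        reasons.append("amount at or above dual-approval threshold")
    if on_file is None:
        reasons.append("new payee with no account on file")
    else:
        if req.account not in on_file["accounts"]:
            reasons.append("receiving account differs from the account on file")
        if req.requested_by not in on_file["contacts"]:
            reasons.append("instructions came from a sender not on file for this payee")
    if req.country not in NORMAL_COUNTRIES:
        reasons.append("destination country outside normal pattern")
    if req.requested_by in SENIOR_LEADERSHIP:
        reasons.append("requested by senior leadership")
    return reasons


def decide(req):
    """Return ("release", reasons) or ("hold", reasons plus the controls still missing)."""
    reasons = risk_reasons(req)
    # Only the authorized list counts, and nobody approves their own request.
    approvers = (set(req.approvals) & AUTHORIZED_APPROVERS) - {req.requested_by}
    if not approvers:
        return "hold", reasons + ["no authorized approver"]
    if not reasons:
        return "release", reasons
    missing = []
    if len(approvers) < 2:
        missing.append("dual approval required for high-risk wire")
    if not req.callback_verified:
        missing.append("out-of-band callback to number on file required")
    if missing:
        return "hold", reasons + missing
    return "release", reasons


if __name__ == "__main__":
    # Constructed request: a known vendor suddenly names a different account.
    changed = WireRequest("ACME Supplies", 2_500, "ACME-ACCT-999", "US",
                          "ap@acme.example", ("alice@corp.example",))
    decision, why = decide(changed)
    print(decision, "-", "; ".join(why))
```

The point of the model is that the leadership rule and the self-approval exclusion are evaluated exactly like every other criterion: a request from the CFO's address that meets no other flag still needs two approvers and a callback, so urgency or seniority never shortens the path to release.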
Prepare for BEC at Your Business
The FBI considers BEC to be the most financially damaging scam in the U.S. Employers should take action in their business to ensure leadership and employees understand the threat of this scam, and how to identify BEC red flags and reduce risk.
It’s important that employers speak with their employees to ensure they understand the financial stakes and continue to watch trends in business fraud.
Key takeaways
- Organizations should ensure leadership and employees understand the threat of BEC and its financial consequences.
- Organizations should educate employees on what to watch for, like idiosyncrasies and errors in communication.
- Organizations should build workflows that ensure authentication protocols are never bypassed, even in the cases of urgency or leadership pressure.
- Organizations should emphasize the importance of accuracy and verification measures over speed.
Justin Rainey serves as chief information security officer and chief privacy officer at UMB Financial Corporation. In this role, he is responsible for establishing the strategy and implementation of an effective, integrated and proactive information security and privacy program. He is also responsible for advising and partnering with leadership to guide the management of emerging and actual cybersecurity, physical information security, data privacy, third party and data governance risks.