The FBI uses the name “Business Email Compromise” (BEC) for a sophisticated email scam that targets businesses which work with foreign partners and regularly make wire transfer payments.
This is essentially business email identity fraud.
Since 2013, when the FBI began tracking BEC, organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world. Losses are in the billions of dollars.
According to the FBI’s Internet Crime Complaint Center, “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totalling over $3 billion.”
BEC schemes are known for relying on social engineering techniques, which makes them very hard to detect. Social engineering in this context means using deception to obtain confidential information. The level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.
BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—but the money ends up in accounts controlled by the criminals.
Techniques in use include:
- social engineering
- identity theft
- e-mail spoofing
- the use of malware.
The Typical Scam
1. When the CEO is away from the office, the scammer sends a fake e-mail (made to look as if it came from the CEO) to a targeted employee in the accounts department or someone with sign-off on payments, e.g. the bookkeeper, accountant, financial controller or chief financial officer.
2. A request is made for an immediate wire transfer, usually to a known supplier.
3. The targeted employee believes she is sending money to a familiar account, just as she has done in the past, but the account number is slightly different.
4. The money is then transferred to another untraceable account.
If the fraud is not discovered in time, then it is likely to be very hard to recover the money.
The Art of Deception
The organized criminal groups that engage in business e-mail compromise scams use sophisticated methods, including:
E-mail spoofing: a technique used to make an e-mail appear to have come from a different e-mail address. The scammers can also ensure that replies go to a different address belonging to them, not to the person the victim believes they are e-mailing.
Spear-phishing: creating e-mails that appear to come from a trusted contact; normally used to obtain confidential information from the victim.
Malware: software designed to cause problems for the victim, give hackers access or obtain secret information. This includes viruses.
If you or your company have been the victims of a BEC scam, it’s important to act quickly. Contact your financial institution immediately to try to recover the money. Also report the scam to the authorities (FBI if in the USA).
How to Defend Against Business Email Identity Fraud
The BEC scam has resulted in companies and organizations losing billions of dollars. But as sophisticated as the fraud is, it can be stopped by insisting on face-to-face or voice-to-voice confirmation of account changes and similar requests.
Here are other methods businesses have employed to safeguard against BEC:
· Create intrusion detection system rules that flag e-mails from domains that look similar to the company’s own e-mail domain. For example, a company whose legitimate domain is abc_company.com would flag fraudulent e-mail from abc-company.com.
· Create an e-mail rule to flag messages where the “Reply-To” e-mail address is different from the “From” e-mail address shown.
· Colour code virtual correspondence so e-mails from employee/internal accounts are one colour and e-mails from non-employee/external accounts are another.
· Verify changes in vendor payment location with additional two-factor authentication, such as a secondary sign-off by company personnel.
· Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the e-mail request.
· Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
· Educate employees on how BEC scams and other similar attacks work.
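As an added example (not code from the original post), here is how the two mailbox rules above, the lookalike-domain check and the Reply-To/From mismatch check, can be applied to a message’s headers. The legitimate domain abc_company.com comes from the post; the sample message, the similarity threshold and the rule names are constructed assumptions.

```python
"""Flag two BEC indicators in an e-mail: a sender domain that is a near
match for the company's own domain, and a Reply-To header whose domain
differs from the From header. Added example; sample data is constructed."""
import difflib
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"   # legitimate domain from the post
SIMILARITY_THRESHOLD = 0.85          # assumed cut-off for "looks alike"


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain, legit=COMPANY_DOMAIN, threshold=SIMILARITY_THRESHOLD):
    """True when domain is close to, but not identical to, the legitimate one.
    abc-company.com vs abc_company.com scores ~0.93 and is flagged."""
    if not domain or domain == legit:
        return False
    return difflib.SequenceMatcher(None, domain, legit).ratio() >= threshold


def check_message(raw_message):
    """Return the names of the rules that fire for one RFC 822 message."""
    msg = message_from_string(raw_message)
    fired = []
    from_domain = domain_of(msg["From"])
    if is_lookalike(from_domain):
        fired.append("lookalike-sender-domain")
    reply_domain = domain_of(msg["Reply-To"])   # None when header is absent
    if reply_domain and reply_domain != from_domain:
        fired.append("reply-to-mismatch")
    return fired


# Constructed sample: spoofed "CEO" mail with a lookalike domain and a
# Reply-To pointing at an unrelated mailbox.
SAMPLE = """From: "CEO" <ceo@abc-company.com>
Reply-To: ceo.travel@mail.example
To: bookkeeper@abc_company.com
Subject: Urgent wire transfer

Please process the attached payment today, I am travelling.
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))   # ['lookalike-sender-domain', 'reply-to-mismatch']
```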
In the last 6 months of 2016, the FBI received reports of 3,044 U.S. victims reporting losses of $346 million.
Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment, the FBI said in its report. “The fraudsters will use the method most commonly associated with their victim’s normal business practices.”
The FBI said malware is being used by more of these scammers in advance of a Business Email Compromise, foregoing lengthy social engineering and reconnaissance for a more direct method of gaining access to email and financial accounts.
Fraudsters are also targeting departments within businesses such as human resources, bookkeeping and auditing that handle personal information and tax forms.
Over the past three years, Business Email Compromise (BEC) schemes have caused at least $5.3 billion in total losses to approximately 24,000 enterprises around the world, according to the latest figures from the FBI.
If you have any experiences with scammers, spammers or time-wasters do let me know – go to the About page then Contact Us.