PSA re: BEC
Last month, the FBI released a Public Service Announcement, "Business Email Compromise (BEC) - The 12 Billion Dollar Scam." This con involves a criminal impersonating a business representative to request fraudulent wire payments via email. The FBI's announcement reports that, between December 2016 and May 2018, there was a 136% global increase in losses due to BEC. Because this scam is so widespread and can cause tremendous financial harm, the FBI called out some important characteristics of BEC and outlined what finance executives can do to better protect their organizations.
BEC facts:
- BEC targets both individuals and businesses
- A variation of BEC exists wherein a legitimate business email account requests Personally Identifiable Information (PII) or employee Wage and Tax Statement (W-2) forms. Perpetrators then sell these on the Dark Web or use them to file fraudulent tax returns.
- Perpetrators commonly apply pressure to act quickly and/or in secret when requesting the transfer
- Criminals utilize phishing or other computer intrusion techniques (e.g. downloading of malware) to carry out this scam
- Fraudsters study their BEC victims quite well before carrying out their crime. They’re often aware of precise details about the organization including individuals who work there and the SOPs in place for performing wire transfers within each specific business environment.
- As of late, players in the real estate sector have been reporting a higher incidence of BEC scams. Title companies, law firms, agents, buyers, and sellers have all indicated they’re being contacted to change the payment type and/or payment location to a non-legitimate account.
In addition to the mitigation tactics covered in our recent blog post regarding fraud and the various B2B payment methods, the FBI details other precautionary measures you can implement and ways to deal with potential BEC perpetrators:
- Obtain secondary confirmation when a request is made to change payment type, payment address, or contact information. Inquiries such as these merit additional scrutiny: validate and verify any out-of-the-blue changes to how you've normally corresponded or transacted.
- Set up a secondary means of supplier communication outside of email. Use this communication channel if you ever receive a suspect request.
- Be wary of solicitation of company or employee information made via phone. You can even go a step further and set up code words with suppliers to validate that you're actually dealing with them when speaking on the phone.
- Train employees to identify BEC requests and empower them to speak up if they suspect something is awry.
- Use company email accounts (instead of free, web-based accounts), add a notification to identify when an email comes from outside of your organization, and implement an intrusion detection system.
- Become well acquainted with the way your suppliers operate so you can identify anything out of the ordinary.
- Avoid public posts including any information regarding company hierarchy and/or out of office details.
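The traits and precautions above can be turned into a simple mail triage check. The following is an added example, not code from the FBI announcement or this blog: it tags mail from outside the organization and flags pressure, payment-change, and PII/W-2 wording so those messages are routed to secondary confirmation. The domain `example.com`, the phrase lists, and the function names are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Illustrative phrase lists (assumptions), keyed to the BEC traits listed above.
PATTERNS = {
    "pressure_or_secrecy": re.compile(
        r"\b(urgent|immediately|asap|right away|confidential|keep this between us)\b", re.I),
    "payment_change": re.compile(
        r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|wire|payment)\s+"
        r"(details|instructions|information|number)\b", re.I | re.S),
    "pii_or_w2_request": re.compile(r"\b(w-?2|wage and tax|social security)\b", re.I),
}

def body_text(msg):
    """Concatenate the text/plain parts of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")

def bec_flags(raw):
    """Return the set of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    flags = {name for name, rx in PATTERNS.items() if rx.search(text)}
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender != ORG_DOMAIN:
        flags.add("external_sender")  # the "outside your organization" notice
    return flags

def needs_out_of_band_check(flags):
    """External mail asking for a payment change or PII goes to secondary confirmation."""
    return "external_sender" in flags and bool(flags & {"payment_change", "pii_or_w2_request"})

# Constructed sample message (not real mail).
SUPPLIER_CHANGE = """From: "Pat Supplier" <pat@supplier-billing.example>
To: ap@example.com
Subject: Urgent: updated bank details

Please use our new account number for this invoice.
Keep this between us until the wire is sent.
"""

if __name__ == "__main__":
    found = bec_flags(SUPPLIER_CHANGE)
    print(sorted(found), needs_out_of_band_check(found))
```

Keyword matching of this kind only prioritizes messages for review; the confirmation itself still happens over the secondary channel agreed with the supplier.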
The list of how to avoid this particular version of fraud could go on. So, while the risk of BEC is substantial, there are thankfully cyber-security and fraud mitigation experts who remain one step ahead of these industrious criminals. Businesses must remain similarly aware and armed with the tools to confront this challenge.