Business Email Compromise is at an all-time high, with 80% of merchants reporting BEC fraud activity initiated against them. More than 54% of those experienced a financial loss as a direct result of BEC scams.
Business Email Compromise, or BEC as it is known, is a type of scam that targets businesses that use wire transfers for payments. Email accounts of executives or high-level employees who are typically involved with wire transfer payments or other money matters are either spoofed or compromised, using keyloggers or phishing attacks, to complete fraudulent transfers that result in hundreds of thousands of dollars in losses. In a recent report, businesses lost an average of $140,000 in these scams.
BEC attackers rely on social tactics to trick unsuspecting employees and executives by impersonating the CEO or other executives authorized to approve wire transfers. Chosen Payments CEO Jeff Brodsly has been a victim of email spoofing, with emails purportedly sent by him directing Chosen Payments staffers to carry out fraudulent transfers. Fraudsters carefully research and monitor potential targets and their organizations.
The FBI has issued guidelines about this increasing fraud method; the scam emails almost always carry subject lines containing words like request, payment, transfer, and urgent, among others.
Here are the Top Five scams shared by the FBI:
- The Bogus Invoice Scheme - Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by the fraudsters.
- CEO Fraud - Attackers pose as the company CEO or another executive and send an email to employees in finance, requesting them to transfer money to an account the attackers control.
- Account Compromise - An executive's or employee's email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
- Attorney Impersonation - Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are made through email or phone, and toward the end of the business day.
- Data Theft - Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
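The CEO Fraud and Account Compromise patterns above, together with the FBI's observation about subject-line words, translate directly into a mail-gateway triage rule. The following is an added example, not code from the original article or from Chosen Payments: it scores a raw email on three header anomalies that spoofed executive mail tends to show (an executive's display name over the wrong address, a lookalike sender domain, and a Reply-To that steers the thread elsewhere) plus the FBI-cited lure words. The corporate domain, executive list, and sample message are constructed values.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values: our own domain and the executives most likely to be impersonated.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jeff brodsly": "jeff.brodsly@example.com"}
# Subject-line words the FBI guidance lists as typical of BEC lures.
URGENCY_WORDS = re.compile(r"\b(request|payment|transfer|urgent)\b", re.I)

def score_message(raw):
    """Return (score, reasons). Header anomalies count 2 each, a lure-word
    subject counts 1, so an ordinary vendor reminder stays below the threshold."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons, score = [], 0
    # 1. Display name of a known executive, but not that executive's address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' used with address {addr}")
        score += 2
    # 2. Sender domain is a near-miss of ours (examp1e.com, exarnple.com, ...).
    if (domain != CORPORATE_DOMAIN
            and SequenceMatcher(None, domain, CORPORATE_DOMAIN).ratio() >= 0.8):
        reasons.append(f"lookalike domain {domain}")
        score += 2
    # 3. Reply-To redirecting replies to a mailbox other than the From address.
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From")
        score += 2
    # 4. FBI-cited lure words in the subject line.
    hits = {h.lower() for h in URGENCY_WORDS.findall(msg.get("Subject", ""))}
    if hits:
        reasons.append("subject lure words: " + ", ".join(sorted(hits)))
        score += 1
    return score, reasons

def is_suspicious(raw):
    """Hold for manual review when at least one header anomaly is present."""
    return score_message(raw)[0] >= 2

# Constructed sample message (not real traffic) in the CEO Fraud pattern.
SPOOFED = """From: Jeff Brodsly <jeff.brodsly@examp1e.com>
Reply-To: Jeff Brodsly <ceo.desk@webmail.example>
To: accounts@example.com
Subject: URGENT wire transfer request

Please process the attached wire today; I am in meetings all afternoon.
"""
```

Run against the sample, `score_message(SPOOFED)` reports all four reasons; a vendor's "Payment reminder" from its own domain scores only 1 and is not held.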
Because these scams carry no malicious links or attachments, they can evade traditional security solutions. Employee training and awareness of BEC tactics can help prevent a loss. Our recommendation is to adopt strong internal controls that prohibit initiating a payment based simply on an email or other less secure messaging system. Be vigilant in keeping up with scams that have the potential to hit your business, and educate your staff as well. To answer your burning question: no, we did not fall victim to the BEC efforts against us.