Business email compromise (BEC) scams are a type of online payment fraud that target businesses and can result in significant financial loss. BEC involves gaining unauthorized access to a legitimate email, text message, or social media account or an attempt to spoof or fake a legitimate account.
The purpose is to enable the criminal actor to send a message from an executive or business leader, vendor, or client to convince an employee to transfer funds.
Once these funds are transferred to the criminal actor, it’s difficult, if not impossible, to recover the loss. Between 2016 and 2021, Americans lost approximately $9 billion to business email compromise fraud. It takes only minutes for a financially crippling mistake – and it can happen to anyone. Whether it’s a new hire, a 20-year veteran, payables manager, or CEO, the resulting impact is the same if a misstep occurs.
The good news is that there are actions businesses can take to minimize and mitigate their risk.
How to identify BEC red flags and reduce risk
The most important preventative measures to protect against BEC are vigilance and awareness. Below are several business email compromise red flags to look for when you receive communications regarding fund transfers or transactions.
• Spoofed communications – Thoroughly inspect spelling and domains on payment requests received via email. Carefully check the address of the sender (email, phone number, etc.) to see if letters, numbers, or the domain name are incorrect.
• Use of personal accounts – Criminal actors impersonate company leaders, vendors, or clients while writing from personal accounts (email, mobile phone, social media) rather than the standard company accounts.
Focus on timing
• Urgency – BEC actors write communications that request quick action on data changes or fund transfers, or that set accelerated deadlines. The faster timelines can result in missed validation steps or the employee acting outside of protocol.
• Relying on employees’ response to authority – These actors depend on employees being conditioned to quickly comply with requests from executive leadership or important clients and vendors.
• The request comes at a busy time – Many fraudulent requests will come at the end of the workday or work week, putting pressure on employees to complete the request before the end of business (or end of month/quarter/fiscal year).
Communication and behavior
• Communications from executives – BEC fraudsters will impersonate a real individual, most often a leader or executive at the company a person works for.
• Single form of communication – Many BEC attempts will indicate that the sender is in a meeting or traveling and can’t be reached by phone or other means, and demands all communication occur via a specific communication channel such as email, text, or social media.
• Generic terms and odd grammar – If emails are received with non-personalized greetings such as “Dear” or “Sir” or “Customer”, this is a red flag. Emails with odd grammar such as “kindly”, missing punctuation, or spelling errors are also a red flag.
• Promise of reward – Combined with fear and urgency, the prospect of being rewarded may prompt employees to skip typical procedures. These rewards can be tangible or intangible, such as being recognized for solving a problem or completing a highly important task for executive leadership.
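A small triage helper that scores an incoming payment-related message against the red flags listed above: a lookalike or personal sender domain, an executive's display name paired with an external domain, a generic greeting, "kindly"-style phrasing, urgency, a receiving-account change, and a claim that the sender cannot be reached by phone. It is an added illustration, not code from the article or from UMB Bank; the trusted domains, executive names, phrase lists and the sample message are all constructed.

```python
# Constructed reference data (hypothetical names): the organisation's own
# domain, the vendor domains it really pays, and its executives' names.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
EXECUTIVES = {"jane doe", "raj patel"}
# Phrase lists mirroring the content red flags listed in the text above.
CONTENT_FLAGS = [
    (("urgent", "immediately", "asap", "end of day", "today"), "urgency"),
    (("kindly",), "odd phrasing"),
    (("new account", "updated bank", "change of bank"), "receiving account change"),
    (("in a meeting", "traveling", "can't be reached", "email only"),
     "sender unreachable, single channel demanded"),
]
GENERIC_GREETINGS = ("dear,", "dear sir", "dear customer", "sir,")

def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(sender, display_name, subject, body):
    """Return the list of BEC red flags a payment-related message trips."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower().strip("> ")
    if domain not in TRUSTED_DOMAINS:
        near = [t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2]
        if near:
            flags.append(f"lookalike domain {domain} resembles {near[0]}")
        elif domain in PERSONAL_DOMAINS:
            flags.append(f"personal account {domain} used for a business request")
        if display_name.lower() in EXECUTIVES:
            flags.append(f"'{display_name}' is an executive but the domain is external")
    if any(g in body.lower().lstrip()[:40] for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    text = f"{subject}\n{body}".lower()
    for phrases, label in CONTENT_FLAGS:
        if any(p in text for p in phrases):
            flags.append(label)
    return flags

# Constructed sample: a message imitating the CEO from a lookalike domain.
SUSPECT = dict(sender="jane.doe@example-c0rp.com", display_name="Jane Doe",
               subject="Urgent wire before end of day",
               body="Dear, I'm in a meeting and can't be reached. Kindly wire "
                    "$48,500 to the vendor's new account today.")
```

Calling `bec_red_flags(**SUSPECT)` returns seven flags for the sample; a routine invoice from a vendor domain on file returns none.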
How a company is targeted for BEC
Before launching a BEC scam, criminal actors may research the company, employees, and senior management to gather as much information as possible to help them craft a convincing request. They may even check travel schedules, read other business emails, and review social media profiles.
Criminal actors most often identify themselves as a high-level executive (CFO, CEO, CTO, etc.), lawyer, vendor, customer, or other type of representative. In the communication, they will claim to be handling confidential or time-sensitive matters and request initiation of an urgent wire transfer.
Notably, these urgent requests also include a change to the receiving account or a request to set up a new account (which ultimately routes to the criminal actor). The employee receiving the communication may believe the request is legitimate and execute the fund transfer, resulting in a financial loss for the company.
BEC is a social engineering scam
The tricky part about BEC is that it isn’t primarily achieved through malware or hacking – it uses social engineering. These criminal actors create believable scenarios that can trick an employee into transferring funds.
Social engineering is the use of deception to manipulate individuals into divulging confidential information or taking action to support fraudulent activity.
It is in our nature to trust and want to help. Cybercriminals use psychology and human nature to entice victims to bypass important security controls.
How to help prevent business email compromise
Thoroughly vet payment change requests
A request for payment accompanied by a change in receiving account should always be closely examined.
Contact executives, vendors, or clients using an alternate communication channel to verify the request and the new account information. Ensure contact is made using a trusted phone number already on file for a known contact at the organization, not the phone number provided in the email, text, or social media message, and verify the individual is authorized to make the request.
Pause to verify
When asked to verify a wire transfer, delay the transaction until additional verifications can be performed, and require dual approval for any wire transfer request that meets certain high-risk criteria.
Keep it simple
Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers.
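The three controls above (verify account changes by calling a number already on file, hold high-risk wires for dual approval, and keep the approver list short) modelled as one decision function a payments team could run before releasing a wire. This is an added illustration, not code from the article or from UMB Bank; the vendor record, the approver list, the $10,000 dual-approval threshold and the sample request are assumed values.

```python
from dataclasses import dataclass, field

# Constructed vendor master file (hypothetical names and numbers). The
# callback number on file is the only number a verification call may use.
VENDOR_DIRECTORY = {
    "acme-supplies": {"account": "US12 3456 7890", "callback_phone": "+1-555-0100"},
}
DUAL_APPROVAL_THRESHOLD = 10_000            # assumed policy value, not from the article
AUTHORISED_APPROVERS = {"pat", "kim", "lee"}  # the deliberately short list of wire approvers

@dataclass
class TransferRequest:
    vendor: str
    amount: float
    account: str                 # receiving account named in the request
    phone_in_message: str        # number the message asks the employee to call
    callback_done_to: str = ""   # number actually dialled for verification, if any
    approvers: set = field(default_factory=set)

def evaluate_transfer(req):
    """Apply the controls above; return ('release', []) or ('hold', reasons)."""
    reasons = []
    record = VENDOR_DIRECTORY.get(req.vendor)
    if record is None:
        return "hold", ["vendor not in master file"]
    account_changed = req.account != record["account"]
    if account_changed:
        if not req.callback_done_to:
            reasons.append("account change not verified by callback to number on file")
        elif req.callback_done_to != record["callback_phone"]:
            src = ("number supplied in the message" if req.callback_done_to == req.phone_in_message
                   else "number not on file")
            reasons.append(f"callback went to {src}, not the number on file")
    # An account change or a large amount is high risk and needs two approvers.
    needed = 2 if account_changed or req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if req.approvers - AUTHORISED_APPROVERS:
        reasons.append("approval recorded from someone without wire authority")
    valid = len(req.approvers & AUTHORISED_APPROVERS)
    if valid < needed:
        reasons.append(f"{needed} authorised approval(s) required, {valid} present")
    return ("release" if not reasons else "hold"), reasons

# Constructed request matching the scam pattern: new receiving account, large
# amount, and a callback made to the phone number given in the message itself.
SUSPECT_REQUEST = TransferRequest("acme-supplies", 48_500, "GB99 0000 1111", "+1-555-0199",
                                  callback_done_to="+1-555-0199", approvers={"pat"})
```

`evaluate_transfer(SUSPECT_REQUEST)` holds the wire for two reasons; the same request is released only once the callback is made to the number on file and a second authorised approver signs off.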
Create an environment of trust
Many BEC scams are a result of criminal actors posing as senior leaders within organizations. Employees should feel comfortable pausing to validate a senior leader’s funds transfer request via phone or in person without worry.
Employees should be encouraged to resist their good-natured conditioning to help, and to temper their eagerness to prioritize requests from leadership.
The FBI considers BEC to be the most financially damaging scam in the U.S. Take action in your business to ensure leadership and employees understand the threat of this scam, and how to identify BEC red flags and reduce risk.
Justin Rainey is Chief Information Security Officer & Chief Privacy Officer for UMB Bank.