Business Email Compromise (BEC) is an insidious, increasingly common scam.
BEC fraud, an email phishing scam that targets individuals at businesses and other organizations and cons them into making wire transfers to bank accounts controlled by criminals, is a growing scourge. According to the FBI, 80% of businesses have received at least one BEC email attack.
Continue reading to find out:
- What BEC is
- How to spot a Business Email Compromise scam
- What the different types of BEC scams are
The FBI has identified six types of fraud:
- CEO to CFO or Other Payment Officer: The traditional BEC involves an email that appears to be from the CEO to the CFO or other person who can send wire transfers, asking them to send money right away. These emails are timed for when the CEO is away and often claim that the matter is urgent. Believing the email is from the boss, employees may send the money without checking it out first.
- Vendor Impersonation Fraud: This is a growing trend in BEC in which scammers target vendors or suppliers with phishing emails, study their billing and payment patterns and processes, and then send authentic-looking invoices to their customers. These invoices are for payments that are about to be made and look normal in every respect except that the bank account number has been “updated.” This type of fraud often involves impersonating smaller companies that provide products or services to larger companies. The company receiving the invoice is the one that suffers the financial loss.
- W-2 Scams: In W-2 scams, BEC emails appear to be from senior executives instructing human resources directors to email employee W-2s. The fraudsters can then file fake tax returns and have tax refunds deposited onto stored value cards or criminal-controlled bank accounts. The IRS has taken measures to combat this type of fraud and appears to have succeeded so far for the 2019 tax year.
- Real Estate BEC: This type of fraud typically targets homebuyers, but it does apply to commercial real estate transactions as well. The fraud works when scammers log in to the email account of one of the parties and redirect the wire transfer to a bank account that they control.
- Direct Deposit Scam: Direct deposit fraud occurs with an email that appears to be from an employee to the Human Resources office, saying that the employee has changed banks, attaching a fake “voided” check for the new account and asking that future paychecks be deposited into the “new” account.
- Gift Cards BEC Fraud: Scenarios requesting gift card purchases are growing. The FTC has warned that many of these bogus emails claim to be coming from priests, rabbis or other clergy members, but scams sometimes are represented as requests by company executives.
How does BEC work?
There are essentially three steps to operating a BEC fraud:
- Obtaining the names, job functions, email usernames and passwords of people within an organization, and learning who is in charge of the organization and who controls payments
- Sending emails impersonating a trusted superior, partner or vendor and requesting money or a change in payment account information
- Devising a way to obtain the money sent by victims
To do that, criminals use online tools and sophisticated techniques:
- Email spoofing and website spoofing: Fraudsters use slight variations on legitimate addresses to create fake accounts that appear authentic, and then use a spoofing tool to direct email responses to accounts they control.
- Spear phishing: Fraudsters send bogus emails that appear to be from a trusted sender and that prompt victims to reveal confidential information.
- Malware: Fraudsters use malware to infiltrate company networks and gain access to victims’ passwords, financial information and email threads about billing and invoices. They use that information to make requests for fraudulent wire transfers appear routine.
How do scammers impersonate people?
Scammers use a variety of techniques to adopt a false identity. One is to put the name of a real person in the “From” line of an email, assuming that the recipient will not notice any differences in the domain name. A second is to register a domain name similar to that of a real company and create an email address that looks as if it belongs to the person they are impersonating. For example, an email such as firstname.lastname@example.org might be approximated as “email@example.com”, a domain name the criminals would have registered. A third is to get access to a real person’s email account through malware or phishing attacks or by purchasing stolen credentials on the dark web. The scammers then meticulously study the organization’s vendors and billing systems, the targeted executive’s style of email communication and even his or her travel schedule. That lets them time the scam for when the target is away and send a bogus email, apparently from the CEO, to a targeted employee in the finance office requesting an immediate wire transfer to a trusted vendor, using an account number that is just slightly different.
Tips and best practices from the FBI on guarding against BEC fraud:
- Verify the authenticity of requests by speaking directly to the requesting executive in person or on the phone.
- Create intrusion detection system rules that flag emails whose sender domains (extensions) closely resemble the company’s own email domain.
- Create an email rule to flag email communications where the “Reply” email address is different from the “From” email address shown.
- Color-code virtual correspondence so emails from employees/internal accounts are one color and emails from nonemployee/external accounts are another.
- Verify changes in vendor payment location by adding additional two-factor authentication such as a secondary sign-off by company personnel.
- Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the email request.
- Carefully scrutinize all email requests for transfers of funds to determine if the requests are out of the ordinary.
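The following Python script is an added example, not code from the article or from the FBI. It implements three of the checks described above as a mail-filter rule: a “Reply-To” domain that differs from the “From” domain, a sender domain that is a look-alike of the company’s own domain, and an executive’s name in the “From” line on an external domain. The company domain, executive names and sample messages are assumed and constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed values for the example: the organization's real domain and the
# executives whose names scammers might place in the "From" line.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

def domain_of(header):
    """Lower-cased domain of an address header ('' if the header is missing)."""
    _, addr = parseaddr(str(header or ""))
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; a small distance means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_message(raw, company_domain=COMPANY_DOMAIN, executives=EXECUTIVE_NAMES):
    """Return the reasons a message deserves extra scrutiny (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, _ = parseaddr(str(msg["From"] or ""))
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    reasons = []
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    if from_dom != company_domain and edit_distance(from_dom, company_domain) <= 2:
        reasons.append(f"look-alike sender domain {from_dom}")
    if from_dom != company_domain and name.strip().lower() in executives:
        reasons.append(f"executive name '{name}' on external domain {from_dom}")
    return reasons

# Constructed sample messages (not real traffic).
LOOKALIKE = "From: Jane Doe <jane.doe@examp1e.com>\nTo: cfo@example.com\nSubject: Urgent wire\n\nSend it today.\n"
REPLY_TO = "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe@mail-relay.test\nTo: cfo@example.com\nSubject: Invoice\n\nNew account details attached.\n"
CLEAN = "From: Bob <bob@example.com>\nTo: cfo@example.com\nSubject: Lunch\n\nLunch at noon?\n"

if __name__ == "__main__":
    for label, sample in [("lookalike", LOOKALIKE), ("reply-to", REPLY_TO), ("clean", CLEAN)]:
        print(label, flag_message(sample))
```

A flagged message is a candidate for the out-of-band phone verification the tips above recommend; the rule does not block mail on its own.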