The Explosion of Business Email Compromise (BEC) Scams

The FBI recognizes at least six types of activity as Business Email Compromise (BEC) fraud. The types differ by who appears to be the email sender:

  1. The CEO directing the CFO to wire money to someone.
  2. Vendors or suppliers asking that invoice payment be made to a different bank account.
  3. Executives requesting copies of employee tax information such as W-2 forms in the U.S.
  4. Realtors, title companies or lawyers redirecting proceeds from sales of homes or other real estate into a new account.
  5. Senior employees seeking to have their pay deposited into a new bank account.
  6. An employer or clergyman appealing to the recipient to buy gift cards on their behalf.

Anatomy of a Business Email Compromise Fraud
There are essentially three steps to operating a BEC fraud.

  1. Fraud gangs need the names of people within an organization, their job function and their email username and password.
  2. They must send emails directly to people, impersonating a trusted superior or partner and seeking money.
  3. They need a way to obtain money sent by victims.

Each of these is a specialized function, and fraud gangs may even hire third parties to help them with these efforts.
What can you do to protect your organization from BEC fraud?
All organizations face a serious risk of BEC fraud, and the fraud gangs are very smart and innovative. They need only succeed in a small number of their attempts to make this fraud profitable. And organizations that have not suffered a loss may believe the steps they have been taking are effective, even though the frauds are evolving and increasing.
Some businesses may be concerned that money spent on IT precautions is simply additional overhead. But BEC fraud prevention is just as important as door locks, fences and other efforts to protect physical assets.
However, we can’t rely solely on technology to prevent phishing emails. We need to learn how to recognize and avoid responding to them. Fortunately, there are several key steps that are free or cost very little and that will go a long way in preventing BEC fraud.
What should you do if your organization has lost money to a BEC fraud?
If an organization finds that it has been a victim of a BEC fraud, it needs to immediately call its bank to stop the payment and report it to the FBI in the U.S. or the Canadian Anti-Fraud Centre in Canada. If a report is filed within 48 hours, there is a chance the money can be recovered. Complain to the FBI’s Internet Crime Complaint Center (IC3). IC3 also asks people to report unsuccessful BEC attempts. Information from attempts may help establish patterns or identify mule bank accounts.
Complain to the Canadian Anti-Fraud Centre: 1-888-495-8501.
Report fraud to BBB Scam Tracker