BEC scams cost companies millions in fraudulent wire transfers.
It’s late on a Wednesday afternoon and Joe in finance receives an email from the CEO: “Just signed a contract with a new supplier. Please wire $150,000 to this account ASAP. Thanks.” A bank routing and account number are provided.
The CEO is out of town on business — Joe isn’t sure where or why — so he immediately sets about fulfilling the request. The CEO gets back in the office on Monday, and Joe goes to her office to acknowledge that he completed the wire transfer. But the shocked CEO says she never made the request. The email was fraudulent and scammers have made off with company funds.
In recent years, the FBI has issued multiple warnings about the Business Email Compromise (BEC) scam. This phishing scam comes in several forms. Hackers often “spoof” the emails of company executives, and ask employees to process wire transfers for confidential or time-sensitive business transactions. Or an executive or employee email account is hacked, allowing the attacker to fraudulently issue invoices on behalf of legitimate vendors and request wire transfers to the hacker’s bank accounts.
These and related scams have increased since same-day automated clearing house (ACH) payments became universally available on Sept. 23, 2016.Same-day ACH allows payments to be settled in hours rather than taking one or more business days. The immediacy of same-day ACH, and the high volume of payments, are appealing to hackers, who can take advantage of shorter payment windows by sneaking in fraudulent transfers before victims are aware what has happened.
Significant Losses
The stakes are high. In September 2019, Japanese media company Nikkei lost $29 million in a BEC scam, and Toyota lost $37 million. Over a two-year period, Lithuanian hacker Evaldas Rimasauskas stole more than $120 million in a BEC scheme. He was extradited to New York in August 2017 and sentenced to five years in prison on Dec. 19, 2019.
The FBI has documented more than 165,000 cases of BEC totaling more than $26 billion between June 2016 and July 2019. According to the Financial Crimes Enforcement Network of the U.S. Treasury Department, there were more than 1,100 BEC incidents per months in 2018, with losses exceeding $300 million per month. Proofpoint’s sixth annual State of the Phish report found that nearly 90 percent of global organizations surveyed were targeted with BEC attacks.
The unfortunate truth is that people fall for these and other phishing scams because hackers are getting much better at deception and persuasion, which is why people still fall for these and other scams. Furthermore, fraudulent wire transfers are hard to detect, and the money lost is extremely difficult to recover.
The fraud filters used by banks aren’t capable of evaluating all of the moving parts of such a scam — each individual transaction, account histories for both incoming and outgoing funds, the batches within a file, behavior associated with a particular file, etc. Although automated fraud detection systems are used, most monitoring of flagged transactions is still manual. Many attacks are automated and carried out by bots, and humans just can’t keep up.
The Value of Training
There is some good news, however. In the Proofpoint report, 75 percent of respondents said that security awareness training has resulted in measurable reductions in employees’ susceptibility to phishing attacks. This anecdotal data is supported by a significant increase in end-user email reporting, a critical metric for gauging positive employee behavior. Users reported more than 9 million suspicious emails in 2019, an increase of 67 percent over 2018.
The increase is a positive sign for IT security teams, given the trend toward more targeted, personalized attacks over bulk campaigns. Users need to be increasingly vigilant in order to identify sophisticated phishing lures, and use reporting mechanisms to alert IT teams to potentially dangerous emails that evade perimeter defenses.
In light of that, employee security awareness training can help organizations reduce the risk that they’ll fall victim to BEC, ransomware and other attacks. Organizations should also implement policies and procedures to prevent fraudulent wire transfers:
- Require strong authentication for logging into email, receiving payment information, and processing a request to change existing information.
- Confirm payment information by using a different communication channel instead of simply replying to an email.
- Provide clear instructions to business partners and vendors about the proper procedures for communicating payment information.
- Require employees to verify everything before initiating payment. A delay is far less costly than a transfer to a fraudulent account.
Organizations that suspect they’ve been victimized by wire transfer fraud should notify the sending and receiving banks and law enforcement immediately. They should also investigate their email system and encourage affected third parties to do the same.
