The Growing Threat of Business Email Compromise

How to protect your organization from fraudulent wire transfers and other payment scams.

Ransomware attacks tend to garner headlines, but there’s another threat that’s costing organizations billions of dollars. These are social engineering scams involving fraudulent wire transfers or data theft.

Known as business email compromise (BEC) fraud, these schemes often target employees who regularly perform wire-transfer payments, preying on their basic kindness and trust. BEC scammers typically assume the identity of the CEO, a company attorney or trusted vendor to request funds. By requesting electronic wire transfers instead of direct cash or credit card payment, the attack gains an air of legitimacy.

BEC scams take other forms as well. The attackers may spoof or gain access to a vendor’s email account and send fake invoices or payment requests to the vendor’s customers. In gift card scams, the attackers impersonate a company manager or executive and ask an employee to purchase gift cards and share the codes. Some BEC attacks are designed to steal intellectual property, financial records, customer data or other sensitive information.

Billions of Dollars in Losses

According to threat analysis by Abnormal Security, BEC attacks increased more than 81 percent in 2022. Microsoft Threat Intelligence detected and investigated 35 million BEC attempts between April 2022 and April 2023, with an average of 156,000 attempts daily.

Victims of BEC scams range from small businesses to large corporations. In fact, smaller businesses are often targeted because of the perception that they have fewer security controls in place. Of course, entities that frequently make wire transfers are prime targets. According to the FBI, the real estate industry is the most targeted sector, suffering losses of $2.7 billion to BEC scams. The Financial Crimes Enforcement Network found that 40 percent of these attacks impersonated title and closing companies.

Fraud involving electronic fund transfers across major settlement channels such as the Automated Clearing House (ACH) is rising because these transfers tax banks’ ability to check for fraud. Where banks once had two to five days to analyze these transactions, they now have only a few hours.

How BEC Attacks Work

Although techniques vary, attackers generally start by researching the organization to learn the names of individuals in leadership and those in finance, accounting or other employees who regularly manage money. This information can generally be found on social media. The attackers then use malware or phishing to steal the credentials of an executive’s email account, enabling them to send emails that appear to come from inside the organization. Then it’s a matter of creating a message that seems legitimate.

BEC emails can be difficult to detect, but there are some red flags that can point to an attack. Typically, the messages state that the wire transfer is urgent and requires confidentiality. They may include unexplained changes in wire instructions or account information, or unusual requests for advance payment. The attacker may use flattery or threats to coerce the victim into taking action.
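As an added illustration (not code from the original article), the script below turns the red flags just described into a simple triage check on an inbound message: an executive's display name on an outside address, a Reply-To that silently redirects replies to another domain, and body wording about urgency, confidentiality, changed bank details, advance payment or gift cards. The domain, executive list and sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organization's domain and the
# legitimate mailbox of each executive who might be impersonated.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Body-text red flags taken from the article's description of BEC messages.
RED_FLAGS = [
    ("urgency", re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)),
    ("confidentiality", re.compile(r"\b(confidential|between us|do not discuss|discreet)\b", re.I)),
    ("changed_wire_instructions", re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing)\b", re.I)),
    ("advance_payment", re.compile(r"\b(advance|upfront|prepay)\w*\b.{0,30}\bpayment\b", re.I)),
    ("gift_cards", re.compile(r"\bgift\s*cards?\b", re.I)),
]

def bec_red_flags(raw_email: str) -> list[str]:
    """Return the names of every red flag triggered by one RFC 822 message."""
    msg = message_from_string(raw_email)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # A known executive's display name on an address that is not their mailbox
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append("executive_display_name_spoof")
    # Replies routed to a domain different from the one the mail claims to come from
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        flags.append("reply_to_domain_mismatch")
    payload = msg.get_payload(decode=True)  # single-part messages only
    text = payload.decode("utf-8", errors="replace") if payload else ""
    for name, pattern in RED_FLAGS:
        if pattern.search(text):
            flags.append(name)
    return flags

def needs_out_of_band_verification(raw_email: str) -> bool:
    """Two or more flags: hold the request until it is confirmed by phone or in person."""
    return len(bec_red_flags(raw_email)) >= 2

# Constructed sample messages (hypothetical addresses and domains).
SUSPICIOUS = """From: Jane Doe <jane.doe@example-mail.co>
Reply-To: ceo.desk@webmail-hypothetical.net
To: payroll@example.com
Subject: Quick favor

I need a wire sent today to the new bank account below. Please keep this confidential.
"""
BENIGN = "From: Jane Doe <jane.doe@example.com>\nTo: payroll@example.com\nSubject: Lunch\n\nSee you at noon.\n"
```

The keyword lists are deliberately small; in practice they would be tuned against the organization's own mail and paired with the verification procedure the article recommends rather than used to block mail automatically.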

Defending Against BEC Attacks

The best defense for combating social engineering attacks is to educate employees and implement procedural controls. The following recommendations can help improve your internal security measures:

  • Use advanced identity protection. For organizations using Office 365, confirm you are using Microsoft Entra ID P2 in your domain. You only need one P2 license to enable these protections domain-wide. Entra ID P2 adds several enhanced security functions for identity protection, including risk-based conditional access (sign-in risk, user risk), authentication context (step-up authentication), device and application filters for conditional access, token protection, vulnerabilities and risky accounts, and risk event investigation. Additionally, Entra ID P2 extends authentication logging to 30 days, 90 days for risky logins, and unlimited time for risky users. Entra ID Free includes just seven days of logging.
  • Establish verification policies and procedures with all employees who manage money and conduct wire transfers. They should always be suspicious of email requests and never fulfill them without verifying with the requestor through a different channel — either by phone, fax or in person.
  • Educate executives as well. Company officials must understand that email requests for funds are strongly discouraged, will be met with suspicion and will require verification. Financial transaction security cannot be the sole responsibility of front-line employees.
  • Focus on prevention. Establish policies for regularly updating passwords, with requirements that make them hard to crack. Make sure help desk and IT staff require verification before giving out forgotten passwords. Encourage everyone to secure or shred business-related documents.
  • Establish a crime-response process. Contact your financial institution immediately if you believe you are the victim of wire-transfer fraud. Ask your institution to immediately contact the corresponding institution where the transfer was sent. Report the incident to the local FBI office, which may be able to freeze the funds. File an official complaint with the FBI’s Internet Crime Complaint Center.

BEC attacks serve as a reminder that it’s just as important to establish a “human firewall” through strong internal security policies and training. Organizations should implement regular security awareness training and ensure that the material covers BEC attacks.
