Primary Source of Fraud: Business Email Comprise
Email communication plays a major role in how many businesses conduct their daily operations. Fraudsters continue to adapt their business email compromise (or “BEC”) schemes - and while they may target an entire organization, they often focus their efforts on Accounts Payable departments. According to the 2022 AFP Payments Fraud and Control Report, the number of organizations falling victim to BEC fraud has decreased in the last year but the number of organizations who’ve experienced financial loss due to BEC remained unchanged.
This type of fraud targets business emails authorizing various payments to accounts managed by criminals. The payments often appear to be legitimate transactions, making BEC difficult to identify. Businesses of all sizes are targeted and 68% of companies were targeted by BEC in 2021.
BEC Fraudster Tactics
Below are ways scammers infiltrate organizations:
- Unauthorized use of online meeting platform
Through social engineering and with the use of a legitimate business email account, fraudsters request fund transfers using a still image of an executive and “Deep Fake” audio. They might claim their video/audio isn’t working properly and then follow up via email or chat to request a fund transfer.
- Spoof an email account or website
In hopes the employee isn’t paying close attention, scammers will send an email from an address that is slightly different from a legitimate address. For example: abby@abccompany vs. abbey@abccompany – look out for email addresses using a capital I in place of a lower-case L or an “r n” in place of an “m”.
- Send spear phishing emails
These messages appear to be from a trusted sender to fool victims into releasing confidential information or clicking on an attachment with malware. This information is used by scammers to plan out BEC attacks.
- Use a compromised email account
Fraudsters will typically use compromised email accounts to send changes to the payment instructions to an organization in hopes the target will follow the new instructions.
- Use malware
Malicious software is used to obtain confidential information such as billing and invoices. The scammer then uses this information to time requests or to send messages so that accounts and financial officers don’t flag the requests. Malware can also give scammers undetected access to data such as passwords and financial accounts.
BEC Payment Targets
As wire transfers are being targeted less, ACH credits are now becoming a primary target of BEC fraud attacks. ACHs are low cost and quick to execute making them a great payment method for organizations. These reasons are also what attracts fraudsters.
Departments Under Attack
Although Accounts Payable departments are often the primary target for BEC attacks, other departments are still susceptible to BEC.
Protecting Your Business
Many companies are implementing procedures and controls to better safeguard their transactions from BEC. Below are just a few of the procedures companies reported using to limit their exposure:
Financial loss isn’t the only cost of a successful BEC attack, but the loss of confidential information could also cost the company their customer and/or vendor relationships.
Organizations identified a few key strategies they use to safeguard their payments:
Employing fraud mitigation best practices, products, and services such as Check and ACH Positive Pay, Commercial and/or Virtual Cards, account blocks, and more, can validate payments and stop fraudulent transactions.
Contact a banker today to discuss payment strategies that will better protect your business.
For more tips on how to protect your business from fraud, download the Fraud Best Practices Checklist here.
Source: Association for Financial Professionals: 2022 Payments Fraud and Control Survey Report
As with all serious financial topics or decisions, be sure to consult with a trusted financial advisor beforehand. The content here is for educational purposes only and is not meant to serve as any sort of advice or endorsement.