Businesses continue to fall victim to the business email compromise (BEC) scam, a financial cyberthreat that has resulted in billions of dollars of global losses. The FBI warns that companies and organizations of all sizes in different industries all over the world have been targets of the scheme, from well-known corporations and nonprofits to churches and school systems. Understanding and anticipating the scam can help prevent losses.
Ways the scam is perpetrated
Crime groups use a variety of sophisticated techniques to trick victims into making payments or sending wire transfers to them. They infiltrate a company’s network through phishing or a malware attack, which allows them to access financial account information and passwords and to study vendors, contact lists, billing systems and employee email communication styles. Scammers may then:
- Hack an executive’s email and use it to send requests—for W-9 or personally identifiable information—to the chief financial officer, human resources, finance department, a bookkeeper, controller or accountant. The email tells the recipient that the information is necessary for “tax audit purposes.” The stolen data is then used to commit other forms of identity theft, such as filing fraudulent tax returns and applying for loans or credit cards.
- Spoof or hack an executive’s email and use it to ask an employee responsible for processing wire transfer requests to send money to a trusted vendor, directing it to a fraudster-controlled bank account. In some cases, scammers request funds directly from a financial institution.
- Mimic a supplier with whom a business has a long-standing relationship and ask to have funds for an invoice payment wired to a fraudster-controlled bank account.
- Identify themselves as lawyers or representatives of a law firm and claim to be handling a time-sensitive or confidential matter. Communications at the end of the business day or workweek are timed to coincide with the close of business of international financial institutions so transactions will not be stopped.
- Hack title, escrow or real estate companies to monitor real estate proceedings and target buyers, sellers, agents and lawyers for money. Buyers think they are wiring a down payment on a dream home but instead are sending their life savings to scammers.
Safeguarding your business
The FBI suggests that the easiest way to thwart BEC scams is to implement a two-step verification strategy for fund transfers or payments that does not rely on email. Company personnel should verify face-to-face or voice-to-voice that communications are indeed with a legitimate business associate. Require a secondary signoff by company personnel to verify changes in vendor bank account information or payment location. Here are other suggested protection methods:
- Educate company personnel about cybercrime and the intricacies of BEC scams.
- Implement two-step verification for email access, including for free web-based email.
- Register all business domain names that are slightly different from your company’s domain name and create rules for an intrusion detection system that flags email variations so scammers cannot, for example, use fraudulent xyz-company.com to imitate your business’s legitimate xyz_company.com.
- Pay attention to variations on a legitimate email address. For example, a scammer could imitate the legitimate email address email@example.com with the fraudulent email address firstname.lastname@example.org.
- Scrutinize financial email requests to determine if they are out of the ordinary. Stay updated on your customers’ habits, including the details and reasons behind payments.
- Create an email rule to flag communications where the “reply” address is different from the “from” address.
- Avoid posting company job duties or descriptions, hierarchical information, or out-of-office details to social media. Scammers can use the information for BEC attacks.
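The two email rules suggested above (flag lookalike domain variations, and flag messages whose reply address differs from the sender address) can be implemented as a small header check. The following is an added example, not code from the original article or the FBI: it parses a constructed sample message, compares the Reply-To and From domains, and treats any domain that differs from a registered company domain only by separator characters or by a single edit as a lookalike. The sample addresses, the `LEGIT_DOMAINS` set and the edit-distance threshold are assumptions for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample messages for this example (not from the article). The
# first reuses the article's own xyz_company.com / xyz-company.com variation.
SAMPLE = """From: CFO <cfo@xyz_company.com>
Reply-To: cfo@xyz-company.com
Subject: Urgent wire request

Please process the attached vendor invoice before close of business.
"""
CLEAN = """From: CFO <cfo@xyz_company.com>
Subject: Monthly report

Attached is the report for review.
"""
LEGIT_DOMAINS = {"xyz_company.com"}  # assumed legitimate company domains
SEPARATORS = str.maketrans("", "", "-_.")  # characters scammers swap or drop


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit_domains, max_distance=1):
    """True if domain is not legitimate but closely imitates a legitimate one."""
    if domain in legit_domains:
        return False
    return any(domain.translate(SEPARATORS) == legit.translate(SEPARATORS)
               or edit_distance(domain, legit) <= max_distance
               for legit in legit_domains)


def analyze(raw_message, legit_domains):
    """Return a list of findings for the two BEC email rules."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    findings, checks = [], {"From": from_dom}
    if reply_dom != from_dom:  # rule: reply address differs from sender address
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
        checks["Reply-To"] = reply_dom
    for label, dom in checks.items():  # rule: lookalike of a company domain
        if is_lookalike(dom, legit_domains):
            findings.append(f"{label} domain {dom} imitates a registered company domain")
    return findings
```

Running `analyze(SAMPLE, LEGIT_DOMAINS)` yields two findings (mismatched reply address and a lookalike Reply-To domain), while `analyze(CLEAN, LEGIT_DOMAINS)` yields none.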
Fight Back! Tip
If you are a victim: Act fast. If the fraud is not discovered quickly, money may be hard to recover because criminal groups use laundering techniques and money mules (typically romance and lottery scam victims) to make cash hard to trace.
- Contact your financial institution immediately and ask it to contact the financial institution where money was sent.
- Contact your local FBI office. The FBI may be able to help freeze or return the funds.
- File a complaint with the FBI’s Internet Crime Complaint Center.