Make it your business to protect against Business Email Compromise
With so much at stake, it’s critical companies make Business Email Compromise (BEC) a priority and take active measures to help mitigate the risk.
Business Email Compromise (BEC) struck 80% of organizations in 2018, according to the 2019 AFP Payments Fraud & Control Survey, a lofty 16% increase since 2015. The meteoric rise of attacks is not the result of benign neglect at companies. The AFP study shows that organizations are working hard to raise employee awareness of the potential for BEC scams and to train them to detect fraudulent emails. However, criminals are getting better at their techniques in order to evade discovery despite intensified protective measures.
Increasingly sophisticated tactics of email attack
Fraudsters perpetrate BEC, also known as Email Account Compromise or EAC, by using a legitimate or spoofed business email account to request account and routing transit number changes that result in unauthorized transfers of funds. The emails often target individuals in organizations who are responsible for payments. Some of the email tactics include:
- Impersonating senior leaders, using spoofed email addresses that instruct a transfer of money to a fraudster’s bank account, or hacking into the emails of senior executives and using legitimate Outlook accounts to communicate with potential victims.
- Pretending to be vendors and using authentic invoices to request payment to the criminal’s account.
- Posing as other third parties and asking for changes in bank account, payments instructions, and contact information.
- Acting like HR staff and directing employees to sign in to links.
- Requesting revised bank instructions or changes in payroll bank information.
Getting to the payment: wires and ACH hit
Wire payments remain the payment method of choice for BEC scams, with 43% of surveyed organizations reporting fraud. The AFP report notes that fraudsters have shifted to using BEC to target ACH transactions. One-third of organizations reported that fraudsters used BEC to access ACH credits. This supports the premise, the study concludes, that criminals are gaining access to the internal systems of organizations through account takeovers, which enables them to breach payment methods such as ACH, long considered harder to reach.
Protective controls and technology-based detective measures
Increasingly, organizations are ratcheting up internal controls, implementing policies and procedures, and employing technologies to try to stay ahead of the fraudsters. Some of the protective measures being employed include:
- Policies that require verbal verification for changes to existing invoices, bank deposit information and contact information.
- Stronger internal controls that forbid payment initiation based on emails or other messaging systems deemed less secure.
- Two-factor authentication that may include phone verification as one of the two factors.
- Additional security layers for accessing corporate networks and payments initiation.
- Technologies for detecting and flagging emails with extensions that appear similar to a company’s email address.
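One way to implement the lookalike-address flagging in the last item above, as an added example (not code from the AFP survey or from Wells Fargo). The domain `example-corp.com`, the confusable-character table and the distance threshold of 2 are assumptions.

```python
from email.utils import parseaddr

# Assumptions for this example: the organization's domain and a small table of
# character sequences that are commonly swapped in lookalike domains.
COMPANY_DOMAIN = "example-corp.com"
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences so 'examp1e' matches 'example'."""
    domain = domain.lower()
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header: str, company: str = COMPANY_DOMAIN, max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "internal"
    skel, target = skeleton(domain), skeleton(company)
    if edit_distance(skel, target) <= max_dist:
        return "lookalike"  # near-identical spelling: swapped or dropped letters
    if target.split(".")[0] in skel:
        return "lookalike"  # company name embedded in an unrelated domain
    return "external"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "CFO <cfo@example-corp.com>",
    "CFO <cfo@examp1e-corp.com>",
    "Billing <billing@vendor-supplies.net>",
]
if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):9}  {header}")
```

The check reads only the From header, so it complements sender authentication rather than replacing it.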
Awareness is key to battling BEC
Companies are heightening efforts to raise employee awareness around email scams, train staff to detect phishing scams, and close off human vulnerabilities to fraud. They also are implementing new tools and technologies for detection, response, and the tracking of payment fraud events.
Despite these efforts, the cost of BEC affected more organizations in 2018, with 54% of organizations reporting financial losses, according to AFP survey respondents. Notably, this marks the first time since AFP began tracking the data that a majority of businesses suffered financial losses due to BEC attacks.
A pervasive and growing threat for companies small and large
No enterprise is safe from attack. According to the AFP survey’s findings, 57% of larger organizations (annual revenue of at least $1 billion) and 49% of smaller organizations (annual revenue less than $1 billion) suffered losses from BEC. In addition to financial loss, BEC fraud costs can also include reputational damage, theft of confidential information, and vast clean-up efforts.
For more information, contact your Wells Fargo treasury management representative.
1 2019 AFP® Payments Fraud and Control Survey
© 2019 Wells Fargo Bank, N.A. All rights reserved. Member FDIC.