No organization is safe from the pervasive and persistent threat of Business Email Compromise (BEC) fraud. BEC struck three out of four organizations in 2020, according to the 2021 AFP® Payments Fraud and Control Survey Report.
“Of all payment fraud tactics, BEC attack was the most prevalent, with 62% of companies experiencing attempted or actual payments fraud1>/sup>“.
In BEC attacks, fraudsters send phishing emails that impersonate a company executive, vendor, or other trusted sources to attempt to deceive employees into making payments. Criminals continue to evolve their tactics; this includes using increasingly sophisticated techniques that make fraudulent emails appear to be authentic.
The majority of payments fraud attempts in 2020 originated via BEC attack, with 34% of companies experiencing a financial loss as a result of these scams, a slight decrease from 38% in 2019. “This result is likely due to enhanced employee training and stronger controls implemented as well as a decline in payment transactions due to the pandemic.”1
These findings suggest that organizations must maintain vigilance against BEC attacks in which fraudsters continue to morph their tactics to evade detection.
Vendor impersonation is on the rise
With imposter fraud, a criminal posing as a known payment partner requests a revision in bank instructions or a change to payroll bank information. While fraudsters have impersonated senior executives and payroll processors, there has been a large spike in the impersonation of vendors/payment partners. Some common attack methods include:
- Pretending to be vendors and using authentic invoices to request payment to the criminal’s account.
- Posing as other third parties and asking for changes in bank account, payments instructions, and contact information.
- Impersonating senior leaders, using spoofed email addresses that instruct a transfer of money to a fraudster’s bank account, or hacking into the emails of senior executives and using legitimate outlook accounts to communicate with potential victims.
- Acting like HR staff and directing employees to sign in to links.
Widening the net beyond treasury departments
BEC scams often target individuals and departments within organizations that are responsible for payments. In 2020, accounts payable departments accounted for 61% of targeted attacks, and treasury departments were the second-most vulnerable group. However, no part of an organization is safe as fraudsters also target their attacks at areas such as procurement/sourcing, human resources, and accounting, which may have fewer processes and controls in place to recognize and protect against attacks.
A shifting focus from wires to ACH payments
Many BEC attacks attempt to obtain payment by wire transfers, whereby immediate funds transfer makes payments nearly impossible to recover. Now criminals appear to be expanding their focus to ACH payments. In 2020, wire payments were the most targeted payment method for BEC scams, at 43%. However, ACH credits accounted for 34% of payments fraud attempts. The AFP study notes that the growing focus on ACH payments by fraudsters may be due to the heightened scrutiny around wire payments.
Companies of all sizes face BEC risk and potential losses
According to the AFP report, 77% of larger organizations (annual revenue of at least $1 billion) with more than 100 payment accounts were impacted by BEC in 2020, suggesting fraudsters are targeting larger organizations in the hope of a bigger payout. Companies of that size with fewer payment accounts, and smaller organizations (annual revenue less than $1 billion) were less affected.
Beyond financial costs, BEC poses the risk of reputational damage when an attack exposes personal and confidential data. This makes the imperative as strong as ever to protect your organization.
Education and training are critical to mitigating BEC attacks
Fewer organizations reported monetary losses due to BEC attacks in 2020, due in part to efforts by organizations to educate and train employees. Some of the efforts that organizations are actively making to protect against BEC attack include:
- End-user education and training
- Implementing policies to verify any changes to existing bank accounts, bank deposit information and contact details
- Confirming payment requests via call-backs to an authorized contact at the payee’s organization with a phone number from a system of record (and not contact information listed in the email)
- Adopting at least a two-factor authentication or other added layers of security for access to company network and payments initiation
- Instituting strong internal controls that prohibit payments initiation based on emails or other less secure messaging systems
The sophistication of fraud attempts, such as account takeovers, indicates that mitigation efforts must go beyond policies and controls to also include network security aimed at preventing criminals from accessing internal systems.
Employees need to be reminded that BEC attacks don’t always involve payments. When fraudsters request a transfer of fund, they also may be targeting personally identifiable information (PII) or employee W-2 forms, which contain information they can use to steal individuals’ identities, sensitive information, and tax refunds.
Fraudsters will continue to evolve their methods
Fraudsters know the red flags that organizations watch for. They are aware of how businesses are training employees to detect BEC and phishing scams.
Fraudsters use this knowledge in evolving their BEC attack tactics. That’s why, despite signs of success in the fight against BEC fraud, organizations need to remain vigilant and cannot let their guard down.
For more information, contact your Wells Fargo representative or fill out the Contact Us form on this site.
1. 2021 AFP® Payments Fraud and Control Survey Report.
All statistics are from the 2021 AFP® Payments Fraud and Control Survey Report.