Written by Ruth Promislow, Katherine Rusk and Josh Foster
Between 2016 and 2019, Business Email Compromise (BEC) scams cost American organizations US$3.1 billion in losses and Canadian organizations US$33.6 million. This type of pervasive scam targets large and small businesses alike. In the United States, the frequency of BEC scams has tripled in the last three years with approximately 80 percent of businesses being targeted.
BEC scams can be difficult to identify and even harder to recover from. For this reason, understanding the common types of BEC scams and adopting strategies to protect your businesses from falling victim is imperative.
Below are some common forms of BEC scams and tips for your organization to protect itself against this fraud. There is no one-size-fits-all solution to resisting BEC scams, as your risk management strategy depends on your specific situation.
Despite the extensive exposure about BEC scams, companies continue to be routinely defrauded. Often, companies assume they are safe because they believe they have sufficient policies and safeguards in place, only to later find out there was a gap in their policy or there was insufficient training for relevant employees.
BEC Scams: What They Are and What Forms They Take
BEC scams aim to misdirect payments or transmittal of other things of value. Traditionally, BEC scams target employees of businesses and organizations authorized to wire money, pay accounts, or access otherwise confidential information. Posing as executives, vendors or suppliers, fraudsters typically correspond via email with an employee of the company attempting to exploit the employee’s capacity to access information or authorize certain transactions.
Vendor/Employee Account Change Requests
The most well-known BEC scam starts with an email from a known vendor or employee requesting to change their account payment details.
This scam email may come from the authentic email address associated with the vendor/employee (because the fraudster has infiltrated the vendor email account), or from an email account that is so similar to the authentic address that it is easy to miss the difference. It may be that the fraudster knows all the details about the upcoming vendor payment. Or the fraudster may know the name of the vendor representative and the particulars of the upcoming payment (because the fraudster has compromised the organization’s email accounts and has access to all those details).
The email may contain various hallmarks of authenticity:
- it may purport to come from the very person at the vendor who typically deals with your organization with respect to account payment matters;
- it may use the same type of language in the greeting or signature line as is used in the authentic correspondence from the vendor/employee; or
- it may attach a signed requisition form with a signature that matches the one you have on file; or it may attach a void cheque that has the proper vendor name.
Do not rely on any of these factors (alone or in combination) as a means for authenticating the change request.
Another type of BEC fraud involves an email that is purportedly from the CEO or some other senior executive directing the recipient to wire funds out to a third party on an urgent basis. A different version of this scam involves an email from the CEO/senior executive asking the recipient to purchase gift cards and send the gift card numbers by email to the CEO/senior executive, often on the purported basis that they are for a corporate event or an important client.
The same rule applies as set out above—do not rely on the usual hallmarks of authenticity to rely on the email request.
Key Steps to Protect Against the Scam
Having a written policy in place, and training your employees with respect to the policy, can help protect you against these scams. Steps you may take to verify if the account change request or wire transfer / gift card request is authentic include the following:
- The request (whether received by email or phone call) should be treated with suspicion.
- Contact a representative of the vendor with whom you have previously talked about account matters, at a number you have on file for them. It is not sufficient to receive a call from someone purporting to be the vendor representative, even if the voice sounds familiar. It is possible for the fraudster to fool your employee by pretending to be the vendor representative, and in any event, artificial intelligence can be used to mimic the voice of the known vendor representative.
- In the case of a request from an employee to change account information, contact the employee by phone at their internal line or speak with them in-person.
- In the case of the CEO request, contact him/her by phone at their known contact numbers.
- Do not call the vendor representative (or CEO/employee) at a number that is different from the one you have on file for them, regardless of whether they explain that they are travelling and can only be reached, for example, on their mobile or at a hotel number.
- Consider implementing a face-to-face confirmation method through Skype or other means.
- Consider implementing methods to detect forged sender emails and/or to confirm whether emails from a specific domain are submitted by an IP address authorized by that domain's administrator.
- Reduce the number of employees granted authorization to approve wire transfers or to make corporate purchases.
- Do not assume you have coverage for this risk simply because you believe your organization purchased “cyber insurance”. Cyber insurance policies can cover a variety of risks and you should understand the specific coverage you have.
- Implement measures to limit the ability of fraudsters to compromise your email system. Such measures include but are not limited to password policies requiring a sufficiently complex password that must be changed on a regular basis and multi-factor authentication to remotely access email accounts. Protecting against cyberattacks requires an extensive approach and one that is tailor-made—it is recommended that experts are retained to assist in developing an appropriate strategy.
Educating Employees About the Policy
Your policies to protect against BEC are only useful if all relevant employees are properly trained on them. Ensure that regular training is implemented and team discussions are held to review the protocol.
Further, your policies need to keep pace with the evolving landscape of threats. As hackers find new ways to trick people, you need to adjust your defence protocol. Review your policies regularly with experts to protect yourself against new scams.
Payments Due to Your Organization
Just as you do not want to have payments made to your vendors fraudulently diverted, you also do not want payments owing to your organization diverted. Advise your customers of the protocol they are to follow in the event they receive a purported request from your organization to change account payment details.
We recommend you seek advice on additional steps that your organization should take. For further information on how to protect against and respond to BEC scams, the Bennett Jones Privacy and Data Protection team is available to assist.