Fraudsters sought to steal $5.3 billion through business email compromise schemes from October 2013 through December 2016, according to data released by the FBI through its Internet Crime Complaint Center.
What Is Business Email Compromise?
Business email compromise (BEC) is a sophisticated email scam that targets businesses to request unauthorized transfers of funds. The fraudsters carefully study their targets to request payments that align with the victim’s normal business practices. While wire transfers are the most common type of payments fraud associated with BEC, some victims have reported unknowingly paying the fraudsters by check or ACH as well.
According to the FBI’s most recent data, any size business in any industry can be a victim. There appears to be no identifiable pattern for targets of BEC scams. Past victims range from small businesses to large corporations — and companies that deal in a wide variety of goods and services.
In addition to fraudulent payment requests via email, BEC scams have recently evolved to include email requests submitted to HR professionals for personally identifiable information (PII) or wage and W-2 forms for employees. These scams often occur during the U.S. tax season (January through April), with the ultimate goal of stealing employees’ identities to fraudulently apply for credit cards and loans.
The scams typically begin with an email that appears legitimate. Often fraudsters use names of company leaders or vendors that your business is familiar with, but the links and contact information within the email are connected to the scammers.
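The warning signs in that paragraph (a familiar name shown on an address the business does not control, a lookalike domain, contact details that route replies to the scammer, payment wording) can be checked mechanically before a request reaches accounts payable. The Python below is an added example, not part of the original article; the trusted domains, known names and sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: domains the business controls or trusts, and the display
# names of leaders/vendors that fraudsters typically borrow.
TRUSTED_DOMAINS = {"example-corp.com", "supplier-ltd.example"}
KNOWN_NAMES = {"jane doe", "supplier ltd accounts"}
PAYMENT_TERMS = re.compile(r"\b(wire|new bank|account number|w-2|urgent)\b", re.I)

def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message):
    """Return the BEC hallmarks found in one RFC 822 message, as a list of tags."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    flags = []
    # A familiar name shown on an address the business does not control.
    if name.strip().lower() in KNOWN_NAMES and sender_domain not in TRUSTED_DOMAINS:
        flags.append("display-name-impersonation")
    # A domain one or two characters away from a trusted one (e.g. 0 for o).
    if sender_domain not in TRUSTED_DOMAINS and any(
            edit_distance(sender_domain, d) <= 2 for d in TRUSTED_DOMAINS):
        flags.append("lookalike-domain")
    # Replies silently diverted to a mailbox other than the visible sender's.
    if reply and domain_of(reply) != sender_domain:
        flags.append("reply-to-mismatch")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_TERMS.search(msg.get("Subject", "") + " " + body):
        flags.append("payment-instruction-language")
    return flags

# Constructed sample, not a real message: a CEO-impersonation wire request.
SUSPECT = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: accounts@freemail.example
Subject: Urgent wire needed today

Please send the wire to our new bank account before end of day.
"""
```

A message that trips any of these tags is a candidate for the out-of-band confirmation the article recommends, not proof of fraud on its own.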
Common BEC Scam Scenarios
- Business Working with a Foreign Supplier: In this scenario, a business that has a long-standing relationship with a foreign supplier is asked to wire funds for invoice payment to a fraudulent account. Usually these wire requests are made via phone or email, closely mimicking a legitimate request that you’d typically receive from that supplier.
- Business Executive Receiving or Initiating a Wire Transfer Request: To achieve this scam, fraudsters hack into a business executive’s email account (such as a CEO or CFO) to send a wire transfer request to an employee who normally processes wire transfers. In many cases, the email requests that the wire transfer go directly to the designated financial institution for a reason that appears valid.
- Business Contacts Receiving Fraudulent Correspondence Through Compromised Email: This situation involves fraudsters hacking into an employee’s personal email account that may be used for both business and personal emails. The hackers then use the employee’s personal email address to email multiple vendors from their contact list requesting payment to another bank account. Typically this type of BEC goes undetected until the business contacts the vendor to find out why an invoice has not yet been paid, when in reality the vendor already submitted payment to the hacker.
- Business Executive and Attorney Impersonation: For this scam, victims report being contacted by fraudsters claiming to be lawyers or representatives of law firms who request urgent and time-sensitive confidential information. Victims may be pressured to act quickly or in secret. Also, these requests typically occur toward the end of the business day or the end of the work week.
- Data Theft: This type of BEC scam first appeared just before the 2016 tax season. Similar to scenario 2 above, fraudsters hack into a business executive’s email to send fraudulent emails to company personnel who handle W-2s or have access to employees’ personally identifiable information. These fraudulent email requests typically do not involve wire transfers or payments; instead, the scammers request sensitive employee information that they then use to conduct other cybercrimes.
What is the best way to protect yourself?
Review your internal procedures on how you accept payment requests.
- Do NOT rely solely on email to either make payments or modify payment instructions.
- If you are going to send money to a business or change the payee and/or account number that you are sending money to, confirm that with an individual you know at that organization prior to making that change.
- Have a second person review any new payment instructions to help validate that they are legitimate.