Safeguarding our clients’ assets is critical to our work at UMB. Our teams have seen a rise in fraud attempts—particularly of a type called business email compromise (BEC). BEC is a type of phishing attempt in which the objective is to impersonate a trusted person and make a fraudulent request. For example, our team recently exchanged emails with a client and the client’s attorney about wire instructions for a planned disbursement. Unexpectedly, an email arrived—appearing to be from the client—with changes to the wire instructions. The sending email was exactly the same as our client’s except for the presence of the letter “j” instead of the letter “i.” We recognized the fraud attempt and alerted the parties.
Of companies that fell victim to fraud in 2023, 80% experienced business email compromise, according to the Association for Financial Professionals’ latest survey‡ on payments fraud and controls. That’s likely in part because this type of fraud has become more sophisticated—and even “professionalized”—in recent years. The FBI’s Internet Crime Complaint Center reports that BEC‡ is the top type of fraud by dollars lost.
About BEC and wire transfers
Most professionals have learned to identify suspicious links in emails, and email filters have gotten better at spotting and discarding emails likely sent with malicious intent. But in BEC schemes, links aren’t the problem. Rather, the focus in this fraud scheme is to find a way to impersonate a trusted decision maker.
One common example is a perpetrator impersonating a company executive and sending an email “as” that executive requesting that a wire transfer be completed. This and other approaches are social engineering, not malware or hacking. Criminals use deception to manipulate individuals into divulging confidential information or taking action that supports fraudulent activity, by taking advantage of people’s natural inclination to trust and to be helpful.
To maximize likelihood of success, perpetrators may conduct detailed research and extensive social engineering. They may know, for example, that your company is engaged in a particular project with a particular vendor. They may have gathered personal information about the company executive through prior attacks on the HR department—information that may help them create a request that perfectly mirrors genuine wiring instructions.
Sometimes, they may conduct an impersonation attempt from an email address that looks similar to the actual one. For example, during a hurried business day, many people would miss the difference between jane_doe@abc.om and jane_doe@abc.com. And that’s only if they’re looking for differences in the first place.
In other cases, the perpetrators conduct BEC scam attempts after having hacked into an executive’s email account. At that point, they don’t need to spoof the look and feel of a legitimate email or attempt to mask its actual origin. Instead, they really “are” the executive and can make any decision that executive could, based on his or her level of privileges.
Put these sophisticated techniques together with dedicated, professionalized fraud operations, and the result is billions of dollars of actual financial losses to BECs.
Could a wire transfer request ‘from you’ be carried out?
Say a malicious actor has hacked your email and sent a request to your finance team to please wire funds to an existing vendor of yours, as the timetable on the project has been moved up and you’d like to have the vendor paid prior to your team’s onsite visit the next day. The amount requested for transfer is in line with other payments to this vendor.
Furthermore, say that “you” let your finance team know that you just received and are passing along new bank account details for the vendor, which, says your email, has changed for a plausible reason.
How certain are you that this wire transfer request won’t be fulfilled? After all, it’s coming from your actual email address (no spoofing involved), includes no suspicious links and asks to pay an existing vendor that you may well have recently discussed with these very finance professionals.
As BEC schemes become more sophisticated, you can’t simply rely on having a sharp eye. You must have well-established workflows and systems in place to question and catch changes.
What you can do to stay protected
The most important preventative measures against BEC are vigilance and awareness. Watch for red flags like urgency, use of personal rather than corporate emails, different domains, and unexpected aspects to email requests. Take time to verify requests.
Establish basic protective measures to help your organization avoid financial losses to scams of this kind. Here are some examples:
- Establish predefined payment instructions; never vary from those patterns unless changes are thoroughly verified.
- Strictly limit the number of employees in your organization who have the authority to approve and/or conduct wire transfers.
- Establish a protocol by which wire transfer requests sent by email are always validated through some other channel of communication or through multi-factor authentication.
- Always verbally confirm any changes in payment instructions for a vendor using contact data on record that does not come from the email. Maintain a non-electronic list of contacts at these vendors whom you know to be authorized to approve wire instruction change requests.
- Whenever contacted by a bank to verify the wire transfer, delay the transaction until additional verifications can be performed.
- Require dual approval for any wire transfer request involving:
  - A dollar amount over a specific threshold
  - Trading partners who have not been previously added to a list of approved trading partners to receive wire payments
  - Any new trading partners
  - New bank and/or account numbers for current trading partners
  - Wire transfers to countries outside of the normal trading patterns
- Educate your employees on BEC and the steps they can take to minimize risk.
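The following is an added illustration, not UMB’s code or any product’s, of what the controls above look like when turned into a screening step a finance team could run before a payment is released. It also covers the lookalike-address trick described earlier (abc.om in place of abc.com): the sender address is compared against the addresses on record by edit distance, so an address one or two characters away from a genuine one is held as a probable impersonation rather than treated as an ordinary request. Every partner name, sender address, account number, country list and the approval threshold below is constructed reference data for the example.

```python
"""Screen an emailed wire-transfer request against the kinds of controls the
article lists. All reference data here is constructed for the example."""
from dataclasses import dataclass
import unicodedata

# Constructed reference data the finance team keeps on record, outside email:
# approved trading partners with their bank account and usual destination
# country, sender addresses authorised to request payments, countries seen in
# normal trading, and the amount above which two approvers are required.
APPROVED_PARTNERS = {
    "Acme Supplies": {"account": "DE89370400440532013000", "country": "DE"},
    "Northwind Traders": {"account": "GB29NWBK60161331926819", "country": "GB"},
}
KNOWN_SENDERS = {"jane_doe@abc.com", "cfo@abc.com"}
NORMAL_COUNTRIES = {"US", "DE", "GB"}
DUAL_APPROVAL_THRESHOLD = 25_000.00


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_address(addr: str) -> str:
    """Lower-case and NFKC-fold the address so case and compatibility forms
    (e.g. full-width letters) cannot hide a mismatch. Other confusable
    characters still differ from the genuine letter and show up as edits."""
    return unicodedata.normalize("NFKC", addr).strip().lower()


def classify_sender(addr: str) -> str:
    """Return 'known', 'lookalike' (within two edits of a known sender, which
    catches abc.om for abc.com) or 'unknown'."""
    addr = normalize_address(addr)
    if addr in KNOWN_SENDERS:
        return "known"
    if any(levenshtein(addr, known) <= 2 for known in KNOWN_SENDERS):
        return "lookalike"
    return "unknown"


@dataclass
class WireRequest:
    sender: str          # From: address on the email
    partner: str         # trading partner named in the request
    amount: float        # amount requested, in the organisation's currency
    account: str         # beneficiary account given in the request
    country: str         # destination country of the beneficiary bank
    arrived_by_email: bool = True


def screen_request(req: WireRequest) -> dict:
    """Apply the controls and report what must happen before release."""
    sender = classify_sender(req.sender)
    flags = []
    if sender == "lookalike":
        flags.append("sender address is a lookalike of a known sender")
    elif sender == "unknown":
        flags.append("sender address not on record")
    on_record = APPROVED_PARTNERS.get(req.partner)
    if on_record is None:
        flags.append("new trading partner")
    elif req.account != on_record["account"]:
        flags.append("new bank account for existing partner")
    if req.amount > DUAL_APPROVAL_THRESHOLD:
        flags.append("amount over threshold")
    if req.country not in NORMAL_COUNTRIES:
        flags.append("country outside normal trading pattern")
    return {
        "sender": sender,
        "flags": flags,
        # Any flag requires a second approver before the wire is released.
        "dual_approval": bool(flags),
        # Email-originated requests are always confirmed on another channel,
        # using contact details on record rather than anything in the email.
        "verify_out_of_band": req.arrived_by_email,
        # A lookalike sender is a probable impersonation: hold and escalate
        # rather than treat it as an ordinary request awaiting verification.
        "hold": sender == "lookalike",
    }


if __name__ == "__main__":
    # Lookalike-domain scenario: account changed, sender one letter off.
    print(screen_request(WireRequest("jane_doe@abc.om", "Acme Supplies",
                                     18_000.00, "DE75512108001245126199", "DE")))
    # Compromised-account scenario: genuine sender, in-line amount, new account.
    print(screen_request(WireRequest("jane_doe@abc.com", "Acme Supplies",
                                     18_000.00, "DE75512108001245126199", "DE")))
```

The second scenario in the block is the one the article poses: the sender really is the executive’s address, the vendor is known and the amount is in line with past payments, yet the changed account number alone is enough to require a second approver and a call-back to the vendor contact on record.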
Finally, bank with partners you know. The bank payments team serving your organization should be familiar with your business and its normal patterns. That familiarity, together with diligent awareness and sophisticated fraud warning systems, helps protect you from a serious, rising threat.
Learn more about UMB Institutional Banking, which provides solutions for the entire institutional marketplace from community banks and municipalities, to some of the largest corporations, broker dealers and fund companies in the U.S.
When you click links marked with the “‡” symbol, you will leave UMB’s website and go to websites that are not controlled by or affiliated with UMB. We have provided these links for your convenience. However, we do not endorse or guarantee any products or services you may view on other sites. Other websites may not follow the same privacy policies and security procedures that UMB does, so please review their policies and procedures carefully.