Defend against business email compromise fraud—a new business as usual
As fraud schemes become more sophisticated, financial organizations can’t solely rely on having a sharp eye. Well-established workflows and systems must be in place ahead of time.
More than 80 percent of financial professionals in the U.S. reported their organizations were targets of fraud, according to the Association for Financial Professionals’ latest survey on payments fraud and controls.
Even more troubling, more than half of all organizations covered by the survey said they have experienced actual financial losses as a result of successful business email compromise schemes.
Nearly everyone is familiar with the term phishing. As commonly defined, phishing is sending an online message falsely claiming to be someone else, often including a request that the recipient take a detrimental action like downloading a malicious attachment or clicking a fraudulent link. Upon clicking or downloading the attachment, the attacker could gain access to sensitive data like login credentials and any privileges the victim holds.
Over time, most business people have learned to identify suspect links in emails. Also, email filters have gotten better at spotting and discarding emails likely sent with malicious intent. But unfortunately, perpetrators have also grown more sophisticated. A subtype of phishing that has been “professionalized” in recent years is business email compromise (BEC).
About BEC and wire transfers
Wire transfer fraud has become so prevalent that the FBI recently issued a public service announcement regarding the issue. In this announcement, the FBI noted that this type of fraud has grown by more than 100% each of the past three years and that firm losses in 2018 alone eclipsed $12 billion.
In BEC schemes, there typically aren’t any malicious links at all. Rather, the objective is to find a way to impersonate a trusted decision maker. One common example is perpetrators impersonating a company executive and sending an email “as” that executive requesting completion of a wire transfer.
To maximize the likelihood of success, perpetrators may conduct detailed research and extensive social engineering. They may know, for example, that your company is engaged in a particular project with a particular vendor. They may have gathered personal information about the company executive through prior attacks on the HR department—information that may help them craft a request that perfectly mirrors genuine wiring instructions.
Sometimes, they may conduct an impersonation attempt from an email address that looks similar to the actual one. For example, in the course of a hurried business day, many people would miss the difference between firstname.lastname@example.org and email@example.com. And that’s only if they’re looking for differences in the first place.
In other cases, the perpetrators conduct BEC scam attempts having hacked into an executive’s email account. At that point, they don’t need to spoof the look and feel of a legitimate email and attempt to mask its actual origin. Rather, now they really “are” the executive and can make any decisions as that executive based on his or her level of privileges.
Put these sophisticated techniques together with dedicated, professionalized fraud operations, and the result is billions of dollars of actual financial losses to BECs.
Following is a brief excerpt from a recent Wall Street Journal feature on the rising dangers of BECs:
Many of the schemes are operated by groups in Lagos, Nigeria, some of whom work out of office parks, said Stephen Fullington, a supervisory special agent with the New York FBI who leads a team that works on business-email compromise cases. The groups have bosses who run the schemes and use a network of people that have learned various fraud techniques, he said.
Mr. Fullington recalled interviewing a Nigerian involved in an email scam. “He said, ‘You know how you guys play baseball when you are growing up? Here many of us learn fraud,’” Mr. Fullington said.
Gone are the days when a sloppily formatted email, not to mention an outlandish request from a “Nigerian prince,” was obviously fraudulent.
“Now the actors involved are a lot more sophisticated, and share intelligence and organized networks,” according to Michael Driscoll, special agent in charge of the cyber-and-counterintelligence division of the FBI’s New York office, as reported by the Wall Street Journal.
Could a wire transfer request ‘from you’ be carried out?
Say a malicious actor has hacked your email and sent a request to your finance team to please wire funds to an existing vendor of yours, as the timetable on the project has been moved up and you’d like to have the vendor paid prior to your team’s onsite visit the next day. The amount requested for transfer is in line with other payments to this vendor.
Furthermore, say that “you” let your finance team know that you just received and are passing along new bank account details for the vendor, which, says your email, has changed for a plausible reason.
How certain are you that the wire transfer request won’t be fulfilled? After all, it’s coming from your actual email address (no spoofing involved), includes no suspicious links and asks to pay an existing vendor that you may well have had a recent conversation about with these very finance professionals.
As BEC schemes become more sophisticated, you can’t rely on you or your people having a sharp eye. You must have well-established workflows and systems in place ahead of time.
What you can do to stay protected
Following are basic protective measures to help your organization avoid financial losses to scams of this kind.
- Establish predefined payment instructions; never vary from those patterns unless changes are thoroughly verified.
- Strictly limit the number of employees in your organization who have the authority to approve and/or conduct wire transfers.
- Establish a protocol by which wire transfer requests sent by email are always validated by some other channel of communication or through a multi-factor authentication.
- Always verbally confirm any changes in payment instructions for a vendor using contact data on record that does not come from the email. Maintain a non-electronic list of contacts at these vendors who you know to be authorized to approve wire instruction change requests.
- Whenever contacted by a bank to verify the wire transfer, delay the transaction until additional verifications can be performed.
- Require dual approval for any wire transfer request involving:
  - A dollar amount over a specific threshold
  - Trading partners who have not been previously added to a list of approved trading partners to receive wire payments
  - Any new trading partners
  - New bank and/or account numbers for current trading partners
  - Wire transfers to countries outside of the normal trading patterns
- Educate your employees on BEC and the steps they can take to minimize risk.
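The dual-approval conditions listed above can be encoded as a check that runs over every outgoing wire request before it reaches a single approver. The example below is added here and is not UMB's code or a real payments system; the threshold, the normal-country set, the vendor list and the sample requests are constructed for illustration, and the second sample reproduces the article's scenario of a known vendor, an in-line amount and a "changed" account number.

```python
from dataclasses import dataclass

DUAL_APPROVAL_THRESHOLD = 25_000.00     # assumed policy threshold (hypothetical)
NORMAL_COUNTRIES = {"US", "CA"}         # assumed normal trading pattern (hypothetical)

@dataclass(frozen=True)
class Vendor:
    name: str
    account: str              # bank/account identifier held on record
    country: str              # country of the account on record
    approved_for_wires: bool  # on the approved list of wire recipients

# Constructed vendor master list; not real data.
VENDORS = {
    "acme supplies": Vendor("Acme Supplies", "US-111-222", "US", True),
    "northwind ltd": Vendor("Northwind Ltd", "CA-333-444", "CA", False),
}

def dual_approval_reasons(req: dict, vendors: dict = VENDORS) -> list:
    """Return every reason the request needs a second approver; [] means none."""
    reasons = []
    if req["amount"] > DUAL_APPROVAL_THRESHOLD:
        reasons.append("amount over threshold")
    vendor = vendors.get(req["vendor"].strip().lower())
    if vendor is None:
        reasons.append("new trading partner")
    else:
        if not vendor.approved_for_wires:
            reasons.append("partner not on approved wire list")
        if req["account"] != vendor.account:
            reasons.append("account number differs from record")
    if req["dest_country"] not in NORMAL_COUNTRIES:
        reasons.append("destination country outside normal pattern")
    return reasons

def route(req: dict) -> str:
    """Decide the approval path for one request."""
    return "dual approval" if dual_approval_reasons(req) else "single approval"

# Constructed samples: a routine payment, the article's changed-account scenario,
# and a large payment to an unknown partner abroad.
SAMPLE_REQUESTS = [
    {"vendor": "Acme Supplies", "amount": 9_800.00, "account": "US-111-222", "dest_country": "US"},
    {"vendor": "Acme Supplies", "amount": 9_800.00, "account": "US-999-000", "dest_country": "US"},
    {"vendor": "Globex GmbH", "amount": 40_000.00, "account": "DE-555-666", "dest_country": "DE"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["vendor"], "->", route(req), dual_approval_reasons(req))
```

The check is deliberately independent of who sent the email: an in-line amount to a known vendor still routes to dual approval as soon as the account number differs from the record held outside the mailbox.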
Finally, bank with partners you know. The bank payments team serving your organization should be familiar with your business and its normal patterns. That familiarity, together with diligent awareness and sophisticated fraud warning systems, helps protect you from a serious, rising threat.
UMB Financial Corporation