Defend against business email compromise fraud—a new business as usual
As fraud schemes become more sophisticated, financial organizations can’t solely rely on having a sharp eye. Well-established workflows and systems must be in place ahead of time.
More than 81% of financial professionals in the U.S. reported their organizations were targets of fraud in 2019, according to the Association for Financial Professionals’ latest survey‡ on payments fraud and controls.
Nearly everyone is familiar with the term phishing. As commonly defined, phishing is sending an online message falsely claiming to be someone else, often including a request that the recipient take a detrimental action like downloading a malicious attachment or clicking a fraudulent link. Upon clicking or downloading the attachment, the attacker could gain access to sensitive data like login credentials and any privileges the victim holds.
Over time, most business people have learned to identify suspect links in emails. Also, email filters have gotten better at spotting and discarding emails likely sent with malicious intent. But unfortunately, perpetrators have also grown more sophisticated. A subtype of phishing that has been “professionalized” in recent years is business email compromise (BEC).
About BEC and wire transfers
Wire transfer fraud has become so prevalent that the FBI issued a public service announcement‡ regarding the issue. In this announcement, the FBI noted that this type of fraud has grown by more than 100% from June 2016 to July 2019, resulting in a loss of over $26 billion dollars.
In BEC schemes, there typically aren’t any malicious links at all. Rather, the objective is to find a way to impersonate a trusted decision maker. One common example is perpetrators impersonating a company executive and sending an email “as” that executive requesting completion of a wire transfer.
To maximize likelihood of success, perpetrators may conduct detailed research and extensive social engineering, They may know, for example, that your company is engaged in a particular project with a particular vendor. They may have gathered personal information about the company executive through prior attacks on the HR department—information that may help them create a request that perfectly mirrors genuine wiring instructions.
Sometimes, they may conduct an impersonation attempt from an email address that looks similar to the actual one. For example, in the course of a hurried business day, many people would miss the difference between email@example.com and firstname.lastname@example.org. And that’s only if they’re looking for differences in the first place.
In other cases, the perpetrators conduct BEC scam attempts having hacked into an executive’s email account. At that point, they don’t need to spoof the look and feel of a legitimate email and attempt to mask its actual origin. Rather, now they really “are” the executive and can make any decisions as that executive based on his or her level of privileges.
Put these sophisticated techniques together with dedicated, professionalized fraud operations, and the result is billions of dollars of actual financial losses to BECs.
Could a wire transfer request ‘from you’ be carried out?
Say a malicious actor has hacked your email and sent a request to your finance team to please wire funds to an existing vendor of yours, as the timetable on the project has been moved up and you’d like to have the vendor paid prior to your team’s onsite visit the next day. The amount requested for transfer is in line with other payments to this vendor.
Furthermore, say that “you” let your finance team know that you just received and are passing along new bank account details for the vendor, which, says your email, has changed for a plausible reason.
How certain are you that wire transfer request won’t be fulfilled? After all, it’s coming from your actual email address (no spoofing involved), includes no suspicious links and makes a request to pay an existing vendor that you may well have even had recent conversation about with these very finance professionals.
As BEC schemes become more sophisticated, you can’t rely on you or your people having a sharp eye. You must have well-established workflows and systems in place ahead of time.
What you can do to stay protected
Following are basic protective measures to help your organization avoid financial losses to scams of this kind.
- Establish predefined payment instructions; never vary from those patterns unless changes are thoroughly verified.
- Strictly limit the number of employees in your organization who have the authority to approve and/or conduct wire transfers.
- Establish a protocol by which wire transfer requests sent by email are always validated by some other channel of communication or through a multi-factor authentication.
- Always verbally conﬁrm any changes in payment instructions for a vendor using contact data on record that does not come from the email. Maintain a non-electronic list of contacts at these vendors who you know to be authorized to approve wire instruction change requests.
- Whenever contacted by a bank to verify the wire transfer, delay the transaction until additional verifications can be performed.
- Require dual approval for any wire transfer request involving:
- A dollar amount over a speciﬁc threshold
- Trading partners who have not been previously added to a list of approved trading partners to receive wire payments
- Any new trading partners
- New bank and/or account numbers for current trading partners
- Wire transfers to countries outside of the normal trading patterns
- Educate your employees on BEC and the steps they can take to minimize risk.
Finally, bank with partners you know. The bank payments team serving your organization should be familiar with your business and its normal patterns. That familiarity, together with diligent awareness and sophisticated fraud warning systems, helps protect you from a serious, rising threat.
Fraud is always a concern for businesses, but can be more so in this current environment. Read more about how to protect your company here.
Stay informed on industry trends and noteworthy company news by visiting our Industry News section on umb.com. Follow UMB on LinkedIn, Facebook‡ and Twitter‡ to see regular updates about our company, people and timely financial perspectives.
When you click links marked with the “‡” symbol, you will leave UMB’s website and go to websites that are not controlled by or affiliated with UMB. We have provided these links for your convenience. However, we do not endorse or guarantee any products or services you may view on other sites. Other websites may not follow the same privacy policies and security procedures that UMB does, so please review their policies and procedures carefully.
UMB Financial Corporation