In April 2016, I wrote about the work of the FBI’s Internet Crime Center (IC3) and the rise of reported cases of business email compromise (BEC) attempts. BEC involves what looks like a legitimate email from another employee or customer requesting a transfer of funds. Since I wrote that post, BEC attempts—both successful and prevented—have continued to increase dramatically. The latest figures from the IC3 website show that from January 2016 through June 2017, BEC attempts totaled $223 million, with losses at $148 million. BEC scams are also attracting a wider variety of criminals, including individuals, small gangs, and professional groups.
At first, the fraudsters primarily targeted financial institutions and businesses dealing in frequent and large-value transfers, such as law firms handling real estate or trust account transactions. But as fraudsters have proliferated, they've begun targeting companies of all sizes. Last May, the FBI issued another BEC alert, which includes useful descriptions of BEC scenarios based on actual cases.
The BEC attempt is usually not the start of the criminal activity but rather the culmination of an extended effort that began with the criminal hacking a business's financial records. The hack may have occurred when an employee opened an email with a bogus attachment or link that loaded malware on the computer, or when the criminal purchased a user's credentials off the dark web. Once the fraudster has accomplished the intrusion, a period of information gathering begins. The fraudster obtains current accounts payable records, wire transfer transactions, and transfer procedures, and may also comb social media for information that could be useful. Perhaps a targeted company official will be out of town attending a conference, or on vacation and difficult to contact.
BEC attempts generally have the following common elements:
- It is a funds transfer request.
- The request is based on a routine event or legitimate transaction.
- The bank account where the transfer is to be sent is new or has been modified in some way from previous transactions, or the requested method of payment is different.
- The request often carries a sense of urgency—late fees or breach of a contract are threatened—to encourage bypassing of controls.
To avoid falling into this trap, it is imperative that businesses have strong funds transfer controls that are monitored to ensure compliance. Also, businesses should have a continuing program of internal education (and perhaps testing) for all employees involved in funds transfer requests. The FBI suggests that the best control is to verify transactions through a second, independent means, similar to two-factor authentication.
There are several actions a business can take if it becomes a victim of BEC:
- Immediately contact the receiving financial institution to see if the funds can be frozen.
- Notify all relevant employees of the attack—multiple employees are often targeted.
- Contact the FBI or the Secret Service.
- Conduct an internal investigation to determine the point of compromise, and then take the necessary corrective action.
Finally, financial institutions with customer education programs should consider providing business customers with materials regarding this threat.
We are interested in hearing from you about your experiences with BEC and preventive practices. Criminals are constantly changing their attack methods and sharing information is a valuable way to help develop best practices.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed