Today, middle-market businesses have a wide array of cybersecurity tools and financial controls to help guard against payments fraud. But in recent years, thieves have devised several new and creative schemes to circumvent these defenses. One type of fraud that’s increasingly common, and especially challenging to detect, is the business email compromise (BEC) scam.
What Is It?
BEC scams, also known as “CEO fraud,” are sophisticated schemes targeting executives and managers in businesses that regularly work with foreign suppliers or other overseas partners. To perpetrate the scheme, a fraudster will either compromise an employee’s email account – through hacking or deception – or spoof the email address so that a message appears to come from that account. The fraudster then poses as the employee by emailing the business’s accounting department to “authorize” a payment to a foreign account.
Fraudsters also use BEC to gain access to sensitive, company-held information for other purposes. According to the Association for Financial Professionals’ 2017 Payments Fraud and Control Survey, nearly three-fourths of surveyed companies were targeted by this scheme last year, and the FBI reports this fraud has led to billions of dollars in losses.
How It Happens
BEC leverages “social engineering” – the use of psychological manipulation to cause others to perform an action or provide information for the fraudster. When a member of a business’s payables team receives an email payment request from an executive or department manager, he or she may not think twice about initiating an overseas payment. For many businesses targeted by BEC scams, such transfers are routine.
Who Is Targeted
From 2015 to 2016, AFP reports, there was a 10% increase in reported BEC attacks among surveyed companies. To limit the chances of detection, thieves commonly target larger businesses with a high number of payment accounts, but companies of all sizes, and in all industries, are susceptible. Businesses that frequently perform wire transfers are commonly targeted, but fraudsters may also attempt to trick accounting departments into submitting payments by check, credit card, or ACH transfer.
What You Can Do
As with all forms of fraud and cybertheft, preparation is key. A robust set of internal controls can greatly reduce the threat of payment fraud or other email-based scams. Even if your business hasn’t been targeted by a BEC scheme before, take these steps to help protect your business: