This blog was originally published in July 2017 and has been updated to reflect up-to-date statistics and references.
Business Email Compromise (BEC) has become a big earner in the criminal world and a serious fraud threat for financial institutions (FIs) and their corporate customers.
It is a threat serious enough to prompt the FBI, in July 2018, to release an updated Public Service Announcement (PSA) regarding the continued growth and evolution of the crime.
What is Business Email Compromise?
BEC is a fraud scam that targets businesses of every size, from small firms to large corporations. As it has evolved it has taken on numerous forms, but it typically involves a criminal either compromising or impersonating the email account of a high-ranking official at the business and using it to instruct another employee to initiate a large wire transfer to an overseas account. Based on information collected by the Internet Crime Complaint Center (IC3), prominent wire transfer destinations have commonly been FIs in China and Hong Kong. While these remain the primary destinations, transfers to FIs in the United Kingdom, Mexico and Turkey have also been on the rise.
While it is not always clear how a victim is selected, the criminals perpetrating the crime put a great deal of effort into studying their prey. That is part of what makes businesses a prime target: executive profile information is often published on corporate web sites.
Special Agent Martin Licciardo, a veteran organized crime investigator at the FBI’s Washington Field Office, described BEC as “a serious threat on a global scale” and warned that it continues to evolve: “And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.”
What about Email Account Compromise (EAC)?
EAC is a close relative of BEC. The primary difference is that criminals target individuals rather than businesses to initiate fraudulent wire transfers.
The continued prominence of BEC/EAC has led the IC3 to begin tracking the scams as a single crime type in 2017.
The IC3 reports that between December 2016 and May 2018, there was a 136% increase in identified global exposed losses due to BEC/EAC, with the scam being reported in all 50 states and in 150 countries.
Victim complaints reported to the IC3 from October 2013 to May 2018 indicate there were 41,058 U.S. victims, suffering nearly $3 billion in exposed dollar loss. For the same period, domestic and international incidents totaled 78,617 victims, with an exposed dollar loss of over $12.5 billion.
How it works
Criminals begin by researching individuals, often in senior corporate positions, using online sources such as LinkedIn profiles and the biographies published on a company’s web site.
Once targets are identified, the fraudsters use techniques such as spear phishing to gain access to corporate systems. With that access they monitor how the company conducts financial transactions (who requests wires, who approves them, how requests are worded) before initiating their attack.
Next, the criminal sends an urgent, time-sensitive funds transfer request that appears to come from the manager/officer they have profiled. The email instructs the recipient to transfer significant funds without delay to an account under the fraudster’s control (either directly or through a money mule), frequently located overseas. It is worth noting that criminals are adapting to the corporate controls introduced against BEC by requesting smaller domestic transfers instead.
Fraudsters often initiate their transfer request when the profiled manager/officer is unavailable (such as when on vacation or traveling) to reduce the ability of the person receiving the fraudulent email to verify the request.
Brian Krebs provides the details of a high-profile example of BEC, involving a Texas manufacturing firm that led to a $480K loss and subsequent court battle between the firm and its cyber insurer, at krebsonsecurity.com.
Four key indicators of BEC
So, what should fraud investigators at FIs look for to protect their customers (and the institution) from the dangers of BEC? Here are four key indicators:
- Large wire or funds transfer to a recipient the company has never dealt with in the past.
- Transfers initiated near the end of day (or cut-off windows) and/or before weekends or holidays.
- Receiving account has no history of receiving large funds transfers.
- Receiving account is a personal account, whereas the company typically only sends wires to other businesses.
Four additional strategies for preventing BEC
In addition to watching for the indicators listed above, here are four strategies to help close your doors on BEC:
- Targeted training of key financial officers for your business and corporate clients.
- Callback procedures for certain fund transfer types.
- Training for internal staff (Account Managers, BSA, Fraud, Wire Room, etc.) to identify BEC.
- Detection systems that profile both sending and receiving accounts of a funds transfer to ensure the activity is typical for both parties.
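The four indicators and the profiling strategy above translate directly into detection rules. The following is an added example, not Verafin's software or code from the original post: it evaluates the four indicators over a constructed set of wire records for a hypothetical corporate customer and profiles both the sending and the receiving account. The thresholds, cut-off time, holiday calendar, account names and amounts are all assumptions. It also treats "large" relative to the sender's own history rather than as a fixed dollar figure, which is what catches the smaller domestic transfers noted earlier.

```python
"""Rule-based BEC indicators over wire-transfer records (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from statistics import median


@dataclass(frozen=True)
class Wire:
    sender: str          # originating account (the corporate customer)
    recipient: str       # beneficiary account identifier
    recipient_type: str  # "business" or "personal"
    amount: float
    sent_at: datetime


# Assumed institution parameters (not from the original post).
ABSOLUTE_LARGE = 50_000.0        # always "large" at or above this amount
RELATIVE_LARGE = 3.0             # or more than 3x the sender's median wire
CUTOFF = time(16, 0)             # assumed wire-room cut-off
NEAR_CUTOFF_MINUTES = 60
HOLIDAYS = {date(2018, 7, 4)}    # constructed holiday calendar


def is_large(wire, sender_hist):
    """Large in absolute terms, or unusually large for this particular sender."""
    if wire.amount >= ABSOLUTE_LARGE:
        return True
    if sender_hist:
        return wire.amount > RELATIVE_LARGE * median(w.amount for w in sender_hist)
    return False


def near_cutoff_or_pre_holiday(sent_at):
    """Indicator 2: last hour before cut-off, or the day before a weekend/holiday."""
    cutoff_dt = datetime.combine(sent_at.date(), CUTOFF)
    minutes_left = (cutoff_dt - sent_at).total_seconds() / 60
    if 0 <= minutes_left <= NEAR_CUTOFF_MINUTES:
        return True
    next_day = sent_at.date() + timedelta(days=1)
    return sent_at.weekday() == 4 or next_day in HOLIDAYS  # Friday, or eve of a holiday


def bec_indicators(wire, history):
    """Return the names of the indicators triggered by `wire`.

    `history` is every prior wire the institution has seen, for any customer,
    so both the sending and the receiving account can be profiled.
    """
    sender_hist = [w for w in history if w.sender == wire.sender]
    recip_hist = [w for w in history if w.recipient == wire.recipient]
    large = is_large(wire, sender_hist)
    flags = []
    # 1. Large wire to a recipient this company has never paid before.
    if large and all(w.recipient != wire.recipient for w in sender_hist):
        flags.append("large_to_new_recipient")
    # 2. Timing near cut-off or before a weekend/holiday.
    if near_cutoff_or_pre_holiday(wire.sent_at):
        flags.append("near_cutoff_or_pre_holiday")
    # 3. Receiving account has never been credited with anything comparable
    #    (vacuously true for an account with no history at all).
    if large and all(w.amount < wire.amount / RELATIVE_LARGE for w in recip_hist):
        flags.append("recipient_no_large_history")
    # 4. Personal beneficiary while this sender has only ever paid businesses.
    if wire.recipient_type == "personal" and sender_hist and all(
        w.recipient_type == "business" for w in sender_hist
    ):
        flags.append("personal_recipient_atypical")
    return flags


# Constructed history: ACME-OPS pays three suppliers on Tuesday mornings;
# another customer, BETA-LLC, once paid a small amount to a personal account.
HISTORY = [
    Wire("ACME-OPS", "SUPPLIER-A", "business", 12_000.0, datetime(2018, 5, 1, 10, 15)),
    Wire("ACME-OPS", "SUPPLIER-B", "business", 8_500.0, datetime(2018, 5, 8, 11, 0)),
    Wire("ACME-OPS", "SUPPLIER-A", "business", 15_000.0, datetime(2018, 5, 15, 9, 40)),
    Wire("ACME-OPS", "SUPPLIER-C", "business", 9_800.0, datetime(2018, 5, 22, 10, 5)),
    Wire("ACME-OPS", "SUPPLIER-B", "business", 11_200.0, datetime(2018, 6, 5, 10, 30)),
    Wire("BETA-LLC", "PERS-7781", "personal", 1_200.0, datetime(2018, 6, 12, 14, 0)),
]

# Classic BEC: Friday afternoon, 40 minutes before cut-off, new personal account.
SUSPICIOUS = Wire("ACME-OPS", "PERS-7781", "personal", 45_000.0, datetime(2018, 6, 29, 15, 20))
# Adapted BEC: a modest amount that stays under fixed-dollar thresholds.
SMALL_DOMESTIC = Wire("ACME-OPS", "PERS-7781", "personal", 9_500.0, datetime(2018, 6, 28, 10, 0))
# Routine supplier payment that should raise nothing.
ROUTINE = Wire("ACME-OPS", "SUPPLIER-A", "business", 13_000.0, datetime(2018, 6, 26, 10, 20))

if __name__ == "__main__":
    for label, w in (("suspicious", SUSPICIOUS), ("small_domestic", SMALL_DOMESTIC), ("routine", ROUTINE)):
        print(f"{label}: {bec_indicators(w, HISTORY) or 'no indicators'}")
```

The $45,000 wire trips all four indicators even though it is below the fixed $50,000 line, because it is three times the sender's median. The $9,500 wire is caught only by the personal-recipient rule, which is the point of profiling the pair of accounts rather than the amount alone; in practice any hit on indicator 4 or two or more hits overall would be routed to a callback before release.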
For criminal organizations, BEC translates into big money for comparatively little work. As long as the potential exists to defraud your business customers, criminals will continue to evolve their techniques to avoid detection and maximize their profits.
However, by knowing the key indicators and having strategies in place to combat the crime, you can protect your customers from the potentially devastating impact of BEC.
To learn more about common fraud scams, including online loan, employment, lottery and BEC fraud, download our eBook, Understanding Fraud Schemes and Scams. Or, find out more about how Verafin can help your institution protect its customers from exploitation at the hands of fraudsters.