Across the financial industry, few scams are as notorious as Business Email Compromise (BEC), and for good reason. The Internet Crime Complaint Center (IC3) has announced that since 2013 losses attributed directly to BEC surpassed $50B, representing a nearly 6300% increase in stolen funds. In this special blog, our experts trace the lineage of BEC — its origins in a centuries old crime, evolution at the cost of billions of dollars and thousands of victims, and how a financial industry united through collaboration and technology can fight back and prevent a future billion-dollar fraud problem.
What is Business Email Compromise?
BEC is a form of authorized push payment (APP) scam where criminals gain access to legitimate corporate email accounts through social engineering or computer intrusion. Once the email account is compromised, the criminal impersonates the true owner of the account to request fund transfers, personally identifiable information (PII) or other valuables such tax documents and cryptocurrency wallets. Once obtained, the proceeds are typically laundered with help from witting or unwitting money mules. Yet, despite growing increasingly sophisticated in recent years, BEC relies on tried-and-true tricks to exploit the most vulnerable link in the security of an organization — its people.
Origins: The Birth of BEC
Scams leveraging social engineering date to the late 1700s and the “Prisoner Trick”, where a victim was convinced to pay an advanced fee for significant funds, investments, or gifts they would never receive. In the centuries to follow, criminals embraced the internet age, taking cues from this age-old scam and merging them with phishing tactics in the late 1990s to target business employees. Although these threats mirrored the scam we know today, the term BEC would not be coined until the 2010s, when the IC3 and FBI received initial reports of an emerging and evolving scam targeting businesses. With this, a new twist on a historic fraud challenge was born — one thriving on criminals’ use of collaboration and technology and benefiting from the slow progress of financial institutions to do the same.
“BEC is one of the fastest growing, most financially damaging internet-enabled crimes… BEC actors have targeted large and small companies and organizations in every U.S. state and more than 150 countries around the world.”
BEC was rapidly adopted by criminal syndicates such as Cosmic Lynx, and the success of these networks, combined with the ease and profitability of the scam, soon inspired copycat efforts around the world. The impact of this organized crime is evident in reporting from the IC3, with total domestic and international exposed dollar loss for BEC climbing by billions of dollars year over year, reaching $50B in 2022. According to the IC3’s most recent report, BEC was behind over $17B in cumulative U.S exposed dollar loss by that same year, touching the lives of more than 137K Americans.
In just a few short years, BEC has progressed from focusing on email spoofing and wire requests, to vendor impersonation, payroll diversion, demands for gift cards, COVID-19-related scams and more. Together, criminals have also been quick to abuse emerging technologies, such as cryptocurrency and artificial intelligence, to evolve BEC to be even more damaging. From direct and second hop transfer typologies designed to disguise activity on the blockchain, to tactics involving mass automation of attacks and deepfake phone calls, the potential for further loss is significant. The financial industry must respond in kind, by embracing approaches leveraging artificial intelligence and uniting through collective intelligence and collaborative frameworks.
Uniting Against a Historic Fraud Threat
Across the industry there has traditionally been a very siloed approach to financial crime detection, both within an enterprise and between institutions, hindering the ability to detect and prevent financial crime. Outdated technology such as on-premises, rules-based transaction monitoring systems and disconnected point solutions further contribute to the disparate nature of anti-financial crime efforts. Cunning criminals have exploited these industry-wide vulnerabilities to continue to grow their gains with BEC and other financial crimes.
By working together through a consortium approach, financial institutions can shut down suspicious payments often at the heart of many BEC attempts, such as fraudulent wire and ACH transfers, and proactively defend against future fraud challenges perpetrated by single bad actors, and transnational criminal organizations.
At Verafin, we combine the power of a consortium approach with behavioral evidence to provide industry-leading payments fraud prevention. Using insights from 2400 financial institutions and 420 million profiled accounts, Verafin’s consortium approach provides comprehensive insight into payment risk for commonly exploited channels — beyond the limitations of an individual institution and without sharing PII. Payments involving known accounts with a history of legitimate activity across the consortium are analyzed as lower risk, while transactions involving unrecognized accounts are analyzed as higher risk — representing potential mules or other accounts opened to facilitate fraud.
As crimes such as BEC continue to evolve, the financial industry must unite through consortium and intelligent analytics working in concert to decisively combat BEC and prevent a future billion-dollar fraud problem.
For more information on Verafin’s consortium approach to combating payments fraud, download our Product Brochure.