In a Business Email Compromise (BEC) scheme, an employee in the accounting department receives an email from a trusted source. It could be from the CEO, the CFO or a long-time vendor. The email seems perfectly normal in format and the language is similar, if not identical, to previous emails of the same type. So, the accounting employee sends a large wire transfer to a new payee based on the email. The problem is, the email came from an outsider, a fraudster.
These types of fraud schemes, a form of “spear phishing attack,” appear to be on the rise. The FBI indicated that this type of fraud has cost global businesses over $1.2 billion since 2013. The average loss per scam was $130,000. Furthermore, since the wire was “voluntarily” sent by the accounting employee, some insurance companies are claiming that insurance coverage is not triggered.
This fraud can be difficult to defend against, but improving business processes and educating employees can help:
- Institute verification procedures, such as a phone call to the requesting party’s valid business phone number. Do not use the number provided in the email.
- Verify any changes in vendor payment location by using a secondary sign-off by company personnel.
- For high-value transfers, require that the request be made in person.
- Educate employees to look for possible signs such as a reply-to address different from the return address.
- The FBI also recommends using the “Forward” function instead of “Reply” so you can type the email address of your contact and ensure that the correct address is being used.
In addition, IT personnel can install email security solutions to block known BEC-related malware from entering your system.
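The reply-to check from the list above can also be automated on stored or quarantined mail. The following is an added example, not part of the original article; it assumes "return address" means the `From` header, and the function name `check_reply_to` and the sample messages are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr


def _domain(addr):
    """Return the lower-cased domain of an address ('' if malformed)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_reply_to(raw_message):
    """Compare every Reply-To address with the From address.

    Returns (severity, reply_to, from_addr) tuples: "high" when replies
    would go to another domain, "low" when only the mailbox differs.
    Addresses are compared case-insensitively.
    """
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    for _, reply_to in getaddresses(msg.get_all("Reply-To", [])):
        reply_to = reply_to.lower()
        if not reply_to or reply_to == from_addr:
            continue  # absent or identical: nothing to flag
        same_domain = _domain(reply_to) == _domain(from_addr)
        findings.append(("low" if same_domain else "high", reply_to, from_addr))
    return findings


# Constructed sample messages (reserved example domains, not real mail).
MISMATCH = """\
From: Pat Lee <pat.lee@example.com>
To: accounts@example.com
Reply-To: Pat Lee <Pat.Lee@example.net>
Subject: Wire transfer today

Please process the attached request.
"""
SAME_DOMAIN = MISMATCH.replace("Pat.Lee@example.net", "pat.assistant@example.com")
MATCHING = MISMATCH.replace("Pat.Lee@example.net", "PAT.LEE@EXAMPLE.COM")

if __name__ == "__main__":
    for name, raw in [("mismatch", MISMATCH), ("same domain", SAME_DOMAIN),
                      ("matching", MATCHING)]:
        print(name, check_reply_to(raw))
```

A "low" finding is often legitimate (an assistant or shared mailbox), so it is better suited to a banner or review queue than to blocking.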