Business Email Compromise Defined
What is Business Email Compromise?
- Business E-mail Compromise, or BEC, is a sophisticated fraud scheme in which fraudsters compromise a legitimate e-mail address through social engineering or computer intrusion, and then use this e-mail to conduct unauthorized transfers.
- The compromised e-mail will often have the name or domain changed by one letter (e.g. firstname.lastname@example.org instead of email@example.com), or the actual e-mail account will be mimicked by using a fraudulent forwarding e-mail address.
- Using malware, the fraudster may access previous e-mail correspondence within the organization in order to understand how wire transfers are typically requested, and then mimic this protocol to complete the fraud.
Who is targeted?
Fraudsters will typically target businesses that regularly conduct international business, frequently send wires, or that have insufficient internal fraud controls.
The FBI’s Internet Crime Complaint Center (IC3) has seen a 136% increase in identified global exposed losses between December 2016 and May 2018.
The scam has been reported in all 50 states and in 150 countries. The majority of funds were sent to banks in China, Hong Kong, and the UK.
Between October 2013 and May 2018, over 41,000 domestic victims were identified, with losses totaling over $2.9 billion.
The CEO of a company has his or her e-mail spoofed or compromised, and using the CEO’s e-mail, the fraudster sends a wire request to the company’s CFO.
- The CFO, believing the request to be legitimate, contacts Boston Private and initiates a wire transfer; this is typically how wire transfers for this company are conducted.
- Per Bank policy, Boston Private conducts a callback and verifies the identity of the CFO. The CFO confirms with Boston Private that the wire is legitimate, and the wire is ultimately sent to a fraudulent bank account.
A business client regularly sends wire payments to a known and trusted vendor of theirs. However, unknown to the business, the vendor has had their e-mail address compromised.
- Upon access to the vendor’s e-mail, the fraudsters modify an invoice, and replace the vendor’s actual bank account with a fraudulent account.
- The business client’s CFO, believing they have received a routine and legitimate invoice from their vendor, contacts Boston Private to request a wire. Boston Private conducts a callback and verifies the identity of the CFO, and the wire is sent to a fraudulent bank account.
What to do if you think you are a victim
Contact Boston Private immediately upon concern you may be a victim. Working with your Private Banker, our fraud team will guide you through the necessary steps to secure your account.
How can BEC be prevented?
- Businesses should implement dual controls and authorization for all payment processing (e.g., the CFO has to conduct a callback to the CEO for all outgoing transactions).
- Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Callbacks to vendors or business partners should be conducted with a telephone number on file, not a phone number provided in a possibly fraudulent e-mail.
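The lookalike-domain and forwarding-address tricks described above, and the Forward-vs-Reply control, can be checked automatically on the From and Reply-To headers of an incoming message. The following is an added illustration, not Boston Private's tooling; the trusted domains and sample headers are constructed.

```python
"""Flag BEC-style sender anomalies in From / Reply-To headers.
Added example, not Boston Private's tooling: flags a sending domain one
character away from a trusted partner domain (a lookalike) and a Reply-To
that would route a "Reply" elsewhere. Domains below are constructed."""
from email.utils import parseaddr

# Constructed: domains the business already does business with.
TRUSTED_DOMAINS = {"acme-supply.example", "northwind.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Extract the lowercase domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the red flags raised by this message's sender headers."""
    flags = []
    sender = domain_of(from_header)
    # Lookalike: not a trusted domain itself, but one edit away from one.
    if sender and sender not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(sender, trusted) == 1:
                flags.append(f"lookalike domain {sender!r} resembles trusted {trusted!r}")
    # Reply trap: pressing Reply would go somewhere other than the From address.
    reply_to = domain_of(reply_to_header)
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To domain {reply_to!r} differs from From domain {sender!r}")
    return flags

if __name__ == "__main__":
    # Constructed sample: vendor lookalike plus a forwarding Reply-To.
    for flag in check_sender('"Acme Billing" <ap@acme-suply.example>',
                             "acme.billing@mail-forward.example"):
        print("RED FLAG:", flag)
```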
Red Flags & Appropriate Controls
Red Flag: A known vendor suddenly supplies an invoice with a different bank account than they typically use, or an account located in a different country.
Control: Businesses should review all invoices and contact the vendor directly when there is a new account used.
Red Flag: A wire request is received and there is a high sense of urgency to send funds out, or the wire is requested to be sent “discreetly.”
Control: Even if the request appears legitimate and urgent, take the time to follow internal controls and conduct appropriate verification.