Business email compromise (BEC) is defined as a sophisticated scam targeting businesses that regularly make payments. To help you recognize the characteristics of these threats, we explain two common variants — the CEO impersonation and the payment instruction switch.
Business email compromise (BEC) is an increasing menace to small, medium and large organizations across the globe. The two situations outlined below are fictional, but based on real-world events.
The most common variant of the BEC scam is the CEO impersonation.
In preparation to target the fictitious company “Computercorp” for their next scheme, the fraudsters:
The fraudsters send an email to the Computercorp controller, Henry Ledger, to begin the fraud scheme. They had procured a domain name that closely resembles the one Computercorp uses. Notice below how the email originates from the fraudulent cmputercorp.com and is addressed to a real employee at computercorp.com.
Initial email from the fraudsters:

From: Judy Exec <judy.exec@cmputercorp.com>
To: Henry Ledger <henry.ledger@computercorp.com>
Subject: Urgent payment

Henry,

What is the cutoff time for wires? I need to have this payment sent ASAP.

<Attached: PaymentInstruction.pdf>

-Judy
Sent from My iPhone

Response from the controller:

From: Henry Ledger <henry.ledger@computercorp.com>
To: Judy Exec <judy.exec@cmputercorp.com>
Subject: Re: Urgent Payment

Hi Judy,

Wires must be processed prior to 2:00 PM PT. How should I code the transfer?

-Henry

Reply from the fraudsters:

From: Judy Exec <judy.exec@cmputercorp.com>
To: Henry Ledger <henry.ledger@computercorp.com>
Subject: Re: Urgent payment

Please code to my admin for now. Thanks.

-Judy
Sent from My iPhone
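The look-alike domain in the exchange above (cmputercorp.com versus computercorp.com) is the kind of thing a simple inbound-mail screen can flag before a controller ever acts on the message. The following is an added example, not code from the original article or from U.S. Bank: it parses the From header of each message, treats anything within a couple of character edits of the organization's own domain as a look-alike, and separately flags an executive's display name arriving from an outside domain. The trusted domain, the executive directory and the sample headers are constructed for the scenario; nothing here is a real address.

```python
from email.utils import parseaddr

# Constructed for the Computercorp scenario; not a real organization or directory.
TRUSTED_DOMAIN = "computercorp.com"
# Hypothetical list of executives whose display names a fraudster might imitate.
EXECUTIVE_NAMES = {"judy exec"}

# Constructed sample From headers modelled on the exchange above.
SAMPLE_HEADERS = [
    "Judy Exec <judy.exec@cmputercorp.com>",          # look-alike domain
    "Henry Ledger <henry.ledger@computercorp.com>",   # legitimate internal sender
    "Judy Exec <judy.exec@computercorp.com>",         # legitimate CEO address
    "Judy Exec <judy.exec@webmail.example>",          # executive name, outside domain
    "XYZ Supply <ar@xyzsupply.example>",              # ordinary external vendor
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions and substitutions
    needed to turn a into b. A dropped or swapped letter in a domain costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str,
                    trusted_domain: str = TRUSTED_DOMAIN,
                    exec_names: set = EXECUTIVE_NAMES) -> str:
    """Classify a From header as one of:
    'internal'            - sender domain is ours (or a subdomain of ours)
    'lookalike-domain'    - domain is within two edits of ours but is not ours
    'exec-name-external'  - display name matches an executive, domain is outside
    'external'            - anything else
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == trusted_domain or domain.endswith("." + trusted_domain):
        return "internal"
    # cmputercorp.com is one edit away from computercorp.com; a threshold of 2
    # also covers a swapped pair of letters or a changed top-level domain.
    if 0 < edit_distance(domain, trusted_domain) <= 2:
        return "lookalike-domain"
    if name.strip().lower() in exec_names:
        return "exec-name-external"
    return "external"


def screen_messages(headers):
    """Return (header, verdict) pairs for every header that deserves a second look."""
    return [(h, v) for h in headers
            if (v := classify_sender(h)) in ("lookalike-domain", "exec-name-external")]


if __name__ == "__main__":
    for header, verdict in screen_messages(SAMPLE_HEADERS):
        print(f"{verdict:20s} {header}")
```

Run as a script, it flags the cmputercorp.com message as a look-alike domain and the webmail message as an executive name on an outside domain, and leaves the genuine internal and vendor messages alone. A screen like this is a pre-filter, not a substitute for the callback control the article recommends: in the second scenario below the fraudulent request comes from the supplier's real, compromised mailbox, and no sender-domain check would catch it.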
With this information in place, Henry hurries to initiate the wire transfer to the account in the payment instructions. Dual authorization is required. When the secondary approver calls Henry, he confirms that the request came directly from the CEO and is urgent. The secondary approver also approves the wire.
The money is sent to the fraudulent account.
The aftermath
Computercorp CEO Judy Exec returns from vacation. Henry sends her a note to confirm the allocation of the funds from the wire. Judy calls Henry immediately, claiming that she didn’t send instructions for a wire.
Henry contacts their bank to request a funds recall. The bank initiates the recall, but the funds have already been moved out of the fraudulent account and are no longer available. Next, Computercorp contacts their local FBI field office and reports the fraudulent event to the Internet Crime Complaint Center (IC3).
Because of this event, Computercorp strengthens their wire authorization controls by implementing callback procedures for all requested wire transactions.
Another scenario involves fraudulently changing a known supplier’s payment instructions to divert funds to an account owned by criminals or their accomplices.
An organized crime group targets the fictitious company “ABC Corp,” a U.S.-based global manufacturing company that makes frequent payments to foreign suppliers for goods and services. The crime group:
The criminals email the supplier manager at ABC Corp using the most recent XYZ Supply email chain and request a change in payment instruction.
The email doesn’t raise an alert with the supplier manager, because it genuinely comes from the XYZ Supply email account.
The supplier manager updates the payment system with the new account information, assuming the request is legitimately from XYZ’s account representative.
ABC Corp receives the goods and makes a wire payment to the fraudulent account provided by the criminals.
The day after payment, the supplier manager at ABC Corp emails the account representative at XYZ Supply to notify them of the payment. The account representative responds that the wire wasn’t received.
The controller checks the outgoing wires report to confirm the wire. That’s when ABC Corp discovers the wire was sent to a fraudulent account. The controller at ABC Corp calls their bank to request a funds recall, but it’s too late. The funds are no longer available in the receiving account and can’t be recalled.
ABC Corp and XYZ Supply split the cost of the loss, and later implement additional controls around payment instruction changes including callback confirmation procedures. XYZ Supply also commits to implementing stronger security controls on their web-based email system, including multi-factor authentication.
These scenarios depict situations that your organization can avoid by using stronger internal controls. In both of these BEC frauds, a phone call directly to the requestor using a previously verified number could have avoided the loss.
Stronger controls around email must also be part of any security strategy. Keep in mind that traditional email isn’t a trusted communication mechanism when dealing with critical activities such as money movement.
While no single control or set of controls will prevent your organization from being a target, we suggest these five tips to prevent your organization from falling victim to BEC:
For more on how to protect your organization from BEC, check out our fraud prevention checklist.
Business email scams are on the rise as more employees are working from home. Contact U.S. Bank for help with your fraud prevention plan.