BEC: Recognize a scam

What is Business Email Compromise (BEC)?

Business email compromise (BEC) is defined as a sophisticated scam targeting businesses that regularly make payments. To help you recognize the characteristics of these threats, we explain two common variants — the CEO impersonation and the payment instruction switch.

Business email compromise (BEC) is an increasing menace to small, medium and large organizations across the globe. The two situations outlined below are fictional, but based on real-world events. 

Scenario one: The CEO impersonation

The most common variant of the BEC scam is the CEO impersonation.

The pre-event set-up

In preparation to target fictitious company, “Computercorp” for their next scheme, fraudsters:

• Perform an investigation to identify the management structure as well as key individuals within the company who are the most likely to process financial transactions.
• Use searches like Google and LinkedIn to identify key individuals such as the CEO (Judy Exec) and the Controller (Henry Ledger).
• Identify the email-naming format for the company through additional searches, and discover Judy Exec is on vacation through her social media account.
• Create a lookalike domain (cmputercorp.com) through an online marketing company that offers free trial domain registration and hosting. They then set up a lookalike email address for Judy Exec to use during the impersonation.
• Generate a PDF with payment instructions to an account they own.
   

The scam

The fraudsters initiate an email to the Computercorp controller, Henry Ledger, to begin the fraud scheme. They were able to procure a similar domain name to the one Computercorp uses. Notice below how the email is originated from fraudulent cmputercorp.com to a real employee at computercorp.com.

With this information in place, Henry hurries to initiate the wire transfer to the account in the payment instructions. Dual authorization is required. When the secondary approver calls Henry, he confirms that the request came directly from the CEO and is urgent. The secondary approver also approves the wire.

The money is sent to the fraudulent account.

The aftermath

Computercorp CEO Judy Exec returns from vacation. Henry sends her a note to confirm the allocation of the funds from the wire. Judy calls Henry immediately, claiming that she didn’t send instructions for a wire.

Henry contacts their bank to request a funds recall. The bank initiates the recall, but the funds moved from the fraudulent account and are no longer available. Next, Computercorp contacts their local FBI field office and reports the fraudulent event to the Internet Crime Complaint Center (IC3).

Because of this event, Computercorp strengthens their wire authorization controls by implementing callback procedures for all requested wire transactions.

Scenario two: The payment instruction switch

Another scenario involves fraudulently changing a known supplier’s payment instructions to divert funds to an account owned by criminals or their accomplices.

The pre-event set-up

An organized crime group targets fictitious company, “ABC Corp,” a U.S.-based global manufacturing company that makes frequent payments to foreign suppliers for goods and services. The crime group:

• Identifies an ABC Corp overseas supplier by the name of “XYZ Supply.”
• Compromises the email accounts of several XYZ Supply account reps who are using weak passwords on a web-based email system that has no secondary authentication.
• Searches through emails for payment requests to customers of XYZ Supply. Notices an invoice to ABC Corp for goods, with an additional request for goods to be invoiced in the near future.
   

The scam

The criminals email the supplier manager at ABC Corp using the most recent XYZ Supply email chain and request a change in payment instruction.

The email doesn’t raise an alert with the supplier manager, because it’s legitimately from the XYZ Supply email account.

The supplier manager updates the payment system with the new account information assuming the email request is legitimately from XYZ’s account representative.

ABC Corp receives the goods and makes a wire payment to the fraudulent account provided by the criminals.
 

The aftermath

The day after payment, the supplier manager at ABC Corp emails the account representative at XYZ Supply to notify them of the payment. The account representative responds that the wire wasn’t received.

The controller checks the outgoing wires report to confirm the wire. That’s when ABC Corp discovers the wire was sent to a fraudulent account. The controller at ABC Corp calls their bank to request a funds recall, but it’s too late. The funds are no longer available in the receiving account and can’t be recalled.

ABC Corp and XYZ Supply split the cost of the loss, and later implement additional controls around payment instruction changes including callback confirmation procedures. XYZ Supply also commits to implementing stronger security controls on their web-based email system, including multi-factor authentication.

Prevent these fictional BEC scenarios from becoming your reality

These scenarios depict situations that your organization can avoid by using stronger internal controls. In both of these BEC frauds, a phone call directly to the requestor using a verified number could have avoided the situation

Stronger controls around email must also be part of any security strategy. Keep in mind that traditional email isn’t a trusted communication mechanism when dealing with critical activities such as money movement.

While no single control or set of controls will prevent your organization from being a target, we suggest these five tips to prevent your organization from falling victim to BEC:

1. Confirm and verify email requests for fund transfers 
   Contact the requestor by phone using an independently obtained phone number or one that you already have on file. Pay special attention to transfers requested to new or recently updated accounts. Nearly all BEC scams can be stopped in their tracks if organizations adopt this basic control.
   
   
2. Use dual control for money movement activities
   Dual control allows for two levels of scrutiny and authorization to help stem the risk of illegitimate funds transfers.
   
   
3. Use multi-factor authentication for web-based email accounts
   Fraudsters may leverage actual accounts of executives with email credentials pilfered from spear phishing campaigns. Multi-factor authentication adds another layer of control to deter cyber crooks from accessing employee accounts. 
   
   
4. Communicate quickly when fraud or security events occur
   Notify your key banking partners and information security staff immediately if you suspect BEC. If appropriate, contact law enforcement and file a complaint with the FBI Internet Crime Complaint Center.
   
   
5. Create awareness within your organization
   Evaluate staff compliance with internal controls by using real-world security awareness testing. Finally, review your current payment controls to keep your organization safe from BEC.
    

For more on how to protect your organization from BEC, check out our fraud prevention checklist.

Business email scams are on the rise as more employees are working from home. Contact U.S. Bank for help with your fraud prevention plan.