Formerly known as the “man in the email attack,” business email compromise (BEC) is a scam that takes control of a senior employee’s email account with the goal to command unauthorized financial transfers. This type of attack is different from classic phishing campaigns because it targets one specific individual and is highly personalized in this sense. Indeed, it requires a thorough search from the cyber criminal, starting with the company’s publicly available information, such as the CEO email address, to the most confidential information such as bills and contracts. In addition, it generally escapes security measures that detect phishing because there is no link embedded in the scamming email nor any attachment.
Many BEC attacks request wire transfers because most of the time, they cannot be cancelled. For example, a hacker starts to look for any sensitive information related to the CEO of a specific company and uses this information to get control of the CEO email account. From that account, the hacker searches for any invoice which is due soon and once he finds one, he sends a wire transfer request to the finance department, pretending that it is urgent and that the bank account has changed.
The hacker can amplify his story by giving arguments about the change, for instance by saying the supplying company was acquired by another entity, and the supplier of the company called him personally to make sure that the payment is on its way to the new account. The hacker can go even further by calling and pressuring staff in the finance department to make the request seem as real as possible. If the finance department doesn’t have any procedure in place to check the trustworthiness of the request before ordering the payment, the hacker gets the funds and there is almost no way to get them back if the company realizes it was a scam.
What Is the Financial Impact of Business Email Compromise?
BEC is a business threat because it can lead to significant financial losses. Between 2013 and 2015, there were over 22,000 BEC victims in 79 countries, with an average loss of $3.1 billion dollars. Most importantly, it appears BEC attacks are constantly growing and becoming more elaborate. The FBI estimated the growth to be 1,300% in 2015-2016.
How Can We Prevent BEC With a Secure Wire Transfer Procedure?
Secure wire transfer procedures are one of the key ways you can prevent BEC. Although the scammer can have email account access and/or personally identifiable information, employees following secure wire transfer procedures will stop most BEC scams targeting your business. Every company has the duty and the ability to develop procedures to address the growing BEC threat.
Here are six suggestions to help you secure your organization’s wire transfer process.
- Use a Secure Payment Method
Above all, your company should use a secure payment method. Different ways to do so are available depending on the budget and needs of your business. Examples are electronic signatures and accreditation of the transfer by a competent organization when the payment is made online.
- Verify All Payment Requests
Your financial department should follow-up on payments to ensure that they are done properly and sent to the appropriate bank accounts. The department should also verify client accounts on a regular basis. This helps monitor the security and the safety of the wire transfer process and detect possible breaches, so the company can quickly respond if needed. In addition, employees should confirm every wire transfer request and/or payment face-to-face whenever possible. This is particularly important in some specific situations, i.e., if the cybercriminal has control of a company email account or phone number.
- Note and Verify Any Account Changes Before Approving Transfers
When a wire transfer is requested with an email address and the email sender asks for payment changes, employees should verify the identity of the person. Hackers often ask for bank account information changes, as their aim is to receive the funds elsewhere. Therefore, the employee in charge of the transfer should contact a trusted person from the company requesting the changes (with a verified contact method) to check if these changes are genuine.
Similarly, when receiving a phone call from a supposed supplier asking for payment, the employee should verify the authenticity of the call, i.e., by calling the supplier using the phone number listed in the company directory. This is particularly important when the amount of funds involved is large. The finance department can put in place a procedure to allow different team members to check such changes independently and confirm with the client. At a higher level, the company can implement a procedure that requires two signatures from top management for any bank account change, as well as a confirmation call to the bank for large transfer requests.
- Balance Authorizations and Control Procedures
Even though your company should crosscheck payment requests and changes by involving at least two authorized employees, it is not recommended many individuals have such authorizations inside the company. In fact, it increases the risk of fraud since many employees can be a juicy target for cyber attacks. Therefore, you must make sure only a limited number of authorized employees can give approvals for payments and find the right balance between risk of exposure and adequate control measures.
- BEC Reporting Procedure
Your company should consider allocating the responsibility to report suspected scams to a specific department or responsible person. This department or person can then represent the company legally with external bodies and enforce action with the bank, for example, in an attempt to reverse payments when possible.
- Educate Employees About BEC & Transfer Approval Policies
Once secure procedures are developed, employees need to be trained. Any employee in direct contact with external parties should be not only be aware of the scam risks, but also how to mitigate them. For instance, the company can send reminder emails frequently about the tricks used by scammers, what makes a payment request suspicious, the company’s wire transfer control procedures and the contact person to whom to report suspicious requests. It is always good to remind employees that they will never be asked to go out of the scope covered by the company’s wire transfer control procedures to make an urgent or confidential payment, and inform them about the consequences on their job in case of non-compliance. Educational tools such as online courses and simulations are also strong ways to raise awareness among employees.
As the BEC problem grows globally, companies dealing with this kind of transfer should implement appropriate procedures to minimize the risk of financial loss. Different procedures exist to secure wire transfers. These procedures range from the most basic such as the use of secure methods, to more complex and broader ones such as verifying payment requests, implementing a reporting procedure and raising awareness among employees.