
Beware of Your Inbox as BEC Cybercrime Climbs

September 21, 2016

Business email compromise (BEC) scams target corporate email systems and exploit vulnerabilities in the wire transfer process. They’re a growing concern for accounts payable professionals, just as they start replacing paper with various forms of electronic payments in order to achieve more secure transactions. The irony—or perhaps the inevitability—is that fraudsters are also shifting their focus to the digital realm. Here’s a look into BEC scams and what AP departments can do to maintain safe payments.

How the BEC Scam Works

In short, a scammer sends an e-mail that looks like it’s coming from a trusted corporate executive to trick an employee into making an electronic payment to a fraudulent overseas account. Criminals commonly target companies that work with foreign partners or regularly make wire transfer payments—and they’re careful to use language and transaction amounts that sound legitimate.

According to insights on Lexology.com, the most “successful” scammers employ remarkably sophisticated tactics to perpetrate their crimes. While researching a target company’s activities and personnel, for instance, they explore the company website, press releases, and social media to find out who manages money and where they do business—and they’ll go so far as to hack into the company’s IT systems to get on the inside and uncover more details. Once they identify a fraud victim within the company, they may communicate with them for days or weeks over e-mail or telephone before requesting an urgent wire transfer.

Why Wire Transfers are “Urgently Requested” By Scammers

In their white paper, Wire Transfer Fraud: Hidden Dangers in Every Transaction, international risk mitigation partners, Lowers & Associates, discuss the importance of maintaining stringent controls over the payment method that typically involves global movement of large sums of money. They consider the wire transfer process, whether manual or automated, particularly susceptible to fraud. They cite inadequate pre-employment screening for employees assigned to perform wire transfer duties, weak user authentication, the use of single-person controls, and untimely reconciliation as among the reasons for process vulnerability and fraud.

For wire transfers that rely on post payment review, fraud has already occurred by the time suspicion arises—and it can be a challenge to recover the funds. As soon as the money is transferred, the recipient can quickly withdraw or transfer it. It makes sense that wire payments are requested by these imposter executives. In fact, the Association for Financial Professionals’ 2016 Payments Fraud and Control Survey found that after checks, wire transfers were the second most popular vehicle for payments fraud, with 48% of organizations exposed. What’s more, 64% report that their organizations were exposed to BEC in 2015.

Just how extensive is this scam? As of mid-June, as reported on Reuters, the FBI estimates that hackers have attempted to steal over $3 billion from businesses via e-mail wire transfer scams since 2013, in cases involving nearly 22,143 businesses across all 50 US states and at least 79 countries. Here are additional details:

  • Most cases involved requests to transfer funds to banks in Hong Kong and China
  • The FBI has seen a 1,300% increase in identified exposed losses since January 2015
  • The size of losses varies widely from case to case, from about $10,000 to tens of millions of dollars.

PYMNTS.com explored this fast-growing phenomenon in April’s Fraudsters Bank Billions Via Corporate Email Scams.

Protecting A/P from BEC Scams

An eBook from accounts payable automation solution firm Avidexchange, The Scary Truth About B2B Payments, sheds additional light on protecting against this form of payables fraud. Aside from following common sense—thinking twice before processing an “urgent” request and always confirming transfer details with the vendor prior to processing payment—they recommend:

  • Creating intrusion detection rules that flag suspect e-mails, such as those with .co extensions if your company uses .com
  • Putting multiple people into the payments process to ensure that no one person has the ability to carry out a (fraudulent) payment
  • Automating payments whenever possible to ensure strict business rules (i.e. pattern of permissions) are followed before potential fraud occurs
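
The first recommendation, a rule that flags a .co sender when the company uses .com, can be generalized to any near-match of the company's domain. The sketch below is an added example, not code from Avidexchange or WEX; the domain example.com, the sample From headers, and the function names are assumptions made for illustration:

```python
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the company's real mail domain

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify_sender(from_header, org_domain=ORG_DOMAIN):
    """Return 'internal', 'external', or a 'flag:<reason>' verdict."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "flag:unparseable"
    if domain == org_domain:
        return "internal"
    org_name, _, org_tld = org_domain.rpartition(".")
    name, _, tld = domain.rpartition(".")
    if name == org_name and tld != org_tld:
        return "flag:tld-swap"      # e.g. .co where the company uses .com
    if edit_distance(domain, org_domain) <= 2:
        return "flag:near-match"    # e.g. one swapped or substituted character
    return "external"

# Constructed sample headers, not taken from any real incident.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    '"Jane Doe, CEO" <jane.doe@example.co>',
    "CFO Office <cfo@examp1e.com>",
    "Billing <billing@vendor.net>",
]

def flag_suspects(headers, org_domain=ORG_DOMAIN):
    """Return (header, verdict) pairs for senders that should be held for review."""
    results = [(h, classify_sender(h, org_domain)) for h in headers]
    return [(h, v) for h, v in results if v.startswith("flag:")]

if __name__ == "__main__":
    for header, verdict in flag_suspects(SAMPLE_FROM_HEADERS):
        print(f"{verdict:16} {header}")
```

An `internal` verdict only means the domain string matches the company's own; it does not show that the message was authenticated, so the rule complements sender authentication rather than replacing it.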

An option for more secure (and lower-cost) B2B payments processing is the virtual card number (VCN). VCNs are becoming a widely adopted digital alternative to wire transfer payments, especially for cross-border payments. The single-use numbers have built-in controls with respect to where and when payments can be made—and for how much. And since they use credit card networks, no banking information needs to be exchanged between the two parties in the transaction. The sender and receiver are also freed from the complicated set-up and fees associated with the traditional wire transfer. On the back end, each transaction yields rich remittance data allowing for efficient reconciliations.
