According to recent cybercrime statistics, Business Email Compromise (BEC) has stolen more than $26 billion from unsuspecting victims worldwide.[1]
While intercepting or redirecting a payment can happen through a variety of clever tactics, payments fraud generally comes about when a criminal lies about a situation in order to convince you (or your employees) to send money through a payment or transfer of some kind. The largest emerging threat on the payments fraud landscape right now is a scam called Business Email Compromise (BEC). Here’s what you need to know:
How Does it Work?
Say you’re the business owner or CEO/CFO of a business (basically, someone with authority to send large amounts of money). A fraudster gets hold of your email or other online credentials and then, posing as you, sends instructions to someone in your company to send a payment to a particular account.
Why Does it Work?
Criminals are detail-oriented and do their research. In an email, a fraudster will include details about team members and current projects — and even confidential projects — making the communication appear totally legitimate.
Tip: Training and education may be your strongest tools in protecting your business from potential fraud. Owners should develop strong security habits in both employees and themselves.
What are Some Common Variations?
Business Email Compromise takes a few different forms. Here are a few examples:
An Executive Impersonation
This is where a fraudster either hacks into the email of an owner, CEO or other high-ranking executive, or duplicates a domain so it appears an email is coming from the company’s highest ranks. They then send a fake email to request a financial transaction while the executive is travelling for business, typically asking to change routing information for an account or to make an out-of-the-ordinary deposit or transfer. Because the fraudster has been monitoring email activity and has done their research, they often wait for the target to go out of town so that the email recipient can’t verify the request face-to-face. They will also include reasons for not following standard policy or for keeping a request secret: “I plan to make an announcement in the morning. Until then, please don’t tell anyone.”
Tip: Choose passwords that are difficult to guess. Do not reuse passwords across multiple online accounts.
A Request for Payment from a Vendor
A fraudster posing as a vendor will email someone in accounts payable and tell them that their account details have changed — and can they please send payment to this new account number instead? Even if your company’s systems aren’t hacked, if your vendor’s email is compromised, a fraudulent request for redirection of funds can appear legitimate.
A Lawyer Impersonation
In a similar scam, a “fake” lawyer will request a fund transfer for a large transaction to a fraudulent account to settle a legal dispute or pay an overdue bill. The fraudster will convince their target that the transfer is confidential and time-sensitive, so it’s less likely that the employee will attempt to confirm whether they should send the transfer.
A Hacked Generic Email Account
Businesses using generic, free email accounts are commonly targeted and hacked by fraudsters so that they can send emails that appear legitimate from an address the business trusts. The fraudster monitors the compromised account and steps in at the right moment to redirect a wire payment instruction or invoice payment details by signing into the business email account and sending a modified email. The sent email is immediately deleted from the Sent Items folder, minimizing the chance of detection until the expected payment fails to arrive.
What Types of Businesses Are at Risk?
Businesses of all sizes have been targeted by Business Email Compromise, and it’s a scam that’s been reported in 80 countries.
While businesses working with foreign suppliers or those that regularly send wire transfers are the most vulnerable, fraudsters are flexible and can adjust their tactics to use other payment methods. Every business therefore needs to treat email requests for funds with caution.
How Can I Protect My Company?
Business Email Compromise — like other variations of payments fraud — is often caused by human error as well as by online systems and accounts that are hacked. There are strategies to boost your online security that can be easily implemented — but the most effective way to safeguard your business may be to train your staff. These scams can start when fraudsters use a compromised email account to ask for payment accounts and phone numbers to be changed. Ultimately, it takes a person to send a transfer or payment.
Tip: Switch up your communication methods when it comes to verification.
- If a transfer request arrives via email, use a phone number you already have on file to verify the sender.
- Do not accept changes to contact phone numbers by email; verify them by phone.
- Avoid using generic email accounts and invest in an email service that provides stronger authentication methods.
- In all cases, use strong passwords and change them periodically.
As hard as you’ve worked to build your business, you need to work just as hard to protect it, but you don’t have to do it alone. One of the steps is keeping a watch on your business’s cash flow. Contact your Relationship Manager to learn more about how we can help you monitor your accounts so you always know where your cash flow stands.
[1] Latest FBI BEC statistics.
This article is intended as general information only and is not to be relied upon as constituting legal, financial or other professional advice. A professional advisor should be consulted regarding your specific situation. Information presented is believed to be factual and up-to-date but we do not guarantee its accuracy and it should not be regarded as a complete analysis of the subjects discussed. All expressions of opinion reflect the judgment of the authors as of the date of publication and are subject to change. No endorsement of any third parties or their advice, opinions, information, products or services is expressly given or implied by Royal Bank of Canada or any of its affiliates.