BEC Scams: How Treasurers Can Stop Them Before They Begin

  • By Andrew Deichler
  • Published: 11/9/2015
Business email compromise (BEC) scams have become the top fraud threat to treasury and finance professionals. In a series of interviews for an upcoming AFP Treasury in Practice Guide, security experts provided insights on how corporate practitioners can stop BEC scams before they start.

How BEC scams occur

BEC scams often begin with a phishing email that gives a fraudster access to a company employee’s email account. Stu Sjouwerman, founder and CEO of IT security firm KnowBe4, explained that for an extended period of time—sometimes several months—the fraudster will monitor a compromised employee’s email and determine who initiates wires and who requests them. From there, they’ll either spoof an email or create a domain that’s close to the company that they are targeting. “The domain will look really close to the domain of that particular company and they’ll send an email from the CEO,” he said. “It looks like it’s totally real.”

The crux of the problem, explained Brad Deflin, president and co-founder of Total Digital Security, is the human element. Treasury and finance professionals need to be more aware of the telltale signs of these attacks, rather than simply hoping IT will catch any and all questionable emails. He advises treasurers to not only be vigilant while they are in the office, but also to have their guard up in their personal lives. Once people actually begin to think about things differently, they can better understand the threats.

For example, when you receive an email from one of your contacts, do you just accept that you are talking to that person? Do you know for sure that the person you’re communicating with is who they say they are? Even if you’re familiar with your contact’s writing style, remember—someone else could be familiar with that as well and could be copying them. This is the way treasury and finance professionals need to be thinking in the current threat environment.

Even Microsoft is a target

Richard Boscovich, assistant general counsel of Microsoft’s Digital Crimes Unit, provided AFP with a personal example of how closely fraudsters like these are monitoring your actions once they’re in your email. Several months ago, he traveled to Brazil to meet with several banks about security. The only people that were aware that he was traveling there were Microsoft, the company’s Brazilian subsidiary, and the banks themselves. Within 48 hours of arriving in Brazil, he began receiving targeted phishing attacks in Portuguese saying that his Bank of Brazil accounts needed to be updated. “I don’t have bank accounts in Brazil,” he said. “But look how quickly they knew. It shows you the level of sophistication.”

It’s not always email that clues BEC scammers in on your actions; fraudsters will use any outlet they have available to them. That’s why Boscovich warns financial professionals against putting too much personal information out there on social media sites. “If you have any employee who puts where they work on Facebook or even LinkedIn, you have to be careful,” he said. “If I post on LinkedIn that I’m going to be somewhere, I just assume that the bad guys are going to know where I am. But most people are not very attuned to that. And that’s the kind of information that they take, they’ll social engineer, and they’ll send you an email. Social media is one of the ways where you can find out just enough about a person—where they went to high school, where they went to college—and then create a phishing email and someone will fall for it.”

Supplier fraud

Of course, BEC scams don’t always consist of a fraudster impersonating a CEO or CFO. Fraudsters will also impersonate a company’s suppliers, sending the targeted company new payment instructions so that a routine transfer is redirected to an account the fraudster controls.

Sjouwerman acknowledged that there is less awareness of supplier fraud than of CEO fraud, and that is a major concern. If a fraudster is in your email system and knows the specific amount you regularly pay a supplier, then when they impersonate that supplier and request that exact amount from you, the request is less likely to raise a red flag. “It’s a quick hit to do the CEO scam,” he said. “It takes a little more work to send a fraudulent invoice. It’s a little more sophisticated, and it’s a little more below-the-radar. It’s not being given enough attention.”
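The look-alike domains described under “How BEC scams occur” and the supplier impersonation described here are both things a mail gateway or an accounts-payable review can test for mechanically before a human ever reads the message. The following is an added example and not code from AFP, KnowBe4 or Total Digital Security: it maps a sender domain to a visual “skeleton” (decoding punycode, dropping accents, collapsing confusables such as rn for m and Cyrillic е for e), compares it with the organisation’s own and its suppliers’ domains, and separately flags a Reply-To that would pull replies away from a trusted From domain. The trusted-domain list, the confusable table and the sample headers are constructed for illustration, and the edit-distance threshold of 2 is an assumption to tune against your own mail volume.

```python
"""Flag look-alike sender domains and Reply-To redirection of the kind used in BEC.
Added example; domain lists, confusable table and sample headers are constructed."""
import unicodedata
from email.utils import parseaddr

# Constructed: domains the organisation owns plus the domains of known suppliers.
TRUSTED_DOMAINS = {"examplecorp.com", "acme-supplies.com"}

# Constructed subset of visually confusable substitutions seen in registered look-alikes.
# Single characters (digits and Cyrillic homoglyphs) go through str.translate; multi-character
# confusables are handled with str.replace below.
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
})
MULTI_CHAR = [("rn", "m"), ("vv", "w")]
MAX_EDIT_DISTANCE = 2  # assumption: tune so short legitimate domains do not collide


def skeleton(domain: str) -> str:
    """Canonical spelling of a domain so visually similar variants compare equal."""
    d = domain.lower().rstrip(".")
    # Internationalised domains arrive in headers as punycode (xn--...); decode them so the
    # homoglyphs themselves are compared rather than their encoding. Non-ASCII input is
    # already decoded and raises here, which is fine.
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents: é -> e
    d = d.translate(SINGLE_CHAR)
    for pair, single in MULTI_CHAR:
        d = d.replace(pair, single)
    return d.replace("-", "")  # example-corp.com collides with examplecorp.com


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one-letter drops, swaps and insertions in a registered look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'other' for a sender domain."""
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        tsk = skeleton(trusted)
        brand = tsk.split(".")[0]
        # Same skeleton, a near miss, or the brand label embedded in a longer attacker domain
        # (examplecorp.com.mail-relay.net) are all treated as impersonation attempts.
        if sk == tsk or edit_distance(sk, tsk) <= MAX_EDIT_DISTANCE or brand in sk:
            return "lookalike"
    return "other"


def check_message(headers: dict) -> dict:
    """Inspect From/Reply-To of one message and say whether a payment request in it should be held."""
    _, from_addr = parseaddr(headers.get("From", ""))
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    verdict = {"from": from_addr, "domain_class": classify_domain(from_domain), "reply_to_mismatch": False}
    if reply_addr:
        # A spoofed trusted From with a Reply-To elsewhere means the conversation leaves your domain.
        verdict["reply_to_mismatch"] = reply_addr.rpartition("@")[2].lower() != from_domain.lower()
    verdict["hold_payment"] = verdict["domain_class"] == "lookalike" or verdict["reply_to_mismatch"]
    return verdict


# Constructed sample headers: genuine, rn-for-m, spoofed From with foreign Reply-To, dropped
# letter in a supplier domain, and a supplier domain with a Cyrillic е as it would arrive (punycode).
SAMPLE_MESSAGES = [
    {"From": "CEO <ceo@examplecorp.com>"},
    {"From": "CEO <ceo@exarnplecorp.com>"},
    {"From": "CEO <ceo@examplecorp.com>", "Reply-To": "ceo@mail-relay.net"},
    {"From": "Accounts <ar@acme-supplies.co>"},
    {"From": "Accounts <ar@" + "acme-suppli\u0435s.com".encode("idna").decode("ascii") + ">"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(check_message(msg))
```

The skeleton comparison catches registered look-alikes and Reply-To tricks, which is the case Sjouwerman describes when the attacker sends from a domain that “looks really close”; it does nothing against a genuinely compromised mailbox, where every header is legitimate. That is why the hold it produces should feed a verification step outside email, such as a call-back to a number already on file, rather than replace one.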


Copyright © 2019 Association for Financial Professionals, Inc.
All rights reserved.