As the coronavirus pandemic continues to cause turmoil and anguish across the globe, fraudsters are taking advantage. One type of fraud that has seen significant activity is the business email compromise (BEC) scam, noted PYMNTS.
According to the 2020 AFP Payments Fraud and Control Survey released last week, 61% of treasury and finance professionals who experienced attempted or actual payments fraud in 2019 reported BEC as the source. That’s likely to continue in 2020, as many businesses are stretched thin with essential employees working from home and others furloughed or laid off.
“In crisis situations, companies’ operations experience disruptions and fraudsters will take advantage if they can,” said Tom Hunt, AFP’s director of treasury services. “Even if your organization isn’t operating at full capacity, treasury and finance departments still need to be vigilant right now, because a mistake could be incredibly costly.”
Brad Deflin, CEO and founder of Total Digital Security and a frequent speaker at AFP events, said that companies should expect to see a surge in BEC fraud, as “attack conditions are optimal” for cybercriminals:
- Employees are working in unmanaged environments, rather than IT managed offices.
- Many employees are using unprotected and vulnerable devices and networks (personal technology on home internet networks).
- People generally are stressed, distracted and largely unaware of the risks and sophistication in BEC scams today.
Greg Litster, president and CEO of SAFEChecks and also a frequent AFP speaker, added that, with the current shelter-in-place recommendations being followed nearly nationwide, fraudsters have a huge opportunity. “Internal practices such as dual controls and the ability to speak face-to-face with colleagues to confirm payments are gone,” he said.
Criminals have already begun to take advantage of the current panic. Europol reported that a French pharmaceutical company transferred $7.25 million to a supposed supplier for the purchase of hand sanitizer and protective masks. The items were never received and after the money had been transferred, the supplier became unresponsive.
In actuality, a fraudster based in Singapore had spoofed the identity of a legitimate company and advertised fast delivery of the supplies. Fortunately, authorities in France and Singapore acted fast, blocking part of the payment, identifying the suspect and ultimately arresting him on March 25.
In a statement, Europol explained that fraudsters have been very quick to adapt common fraud schemes in an effort to capitalize on the panic that the pandemic has caused. “A large number of new or adapted fraud schemes can be expected to emerge over the coming weeks [as] fraudsters will attempt to capitalize further on the anxieties of people across Europe,” the agency said.
Additionally, on April 2, Australian police arrested two suspects for running a BEC scam syndicate that defrauded companies out of $2.6 million through fake invoices. Posing as legitimate suppliers, the syndicate targeted Australian companies in finance, property development, construction and other sectors between 2018 and early 2020. Australian businesses lost an estimated $60 million in 2018 to BEC, according to InfoSecurity.
BEC ON THE RISE
The AFP Fraud Survey found that 75% of all organizations were impacted by BEC in 2019, which was actually down five points from the year before. However, even before the coronavirus crisis hit, experts were warning of a potential surge in BEC.
In early November, Agari Cyber Intelligence Division (ACID) said in a statement that vendor email compromise (VEC) would pose a significant threat to companies in the following 12-18 months. “This type of attack (VEC) has been on the rise among BEC actors and is extremely difficult to detect,” said Crane Hassold, head of threat research at ACID. “The malign actors compromise the vendor/supplier email and lie in wait, watching messages flow through the email inbox and gaining valuable context.”
Vendor-based BEC scams have indeed been seeing an uptick, as noted in the 2019 AFP Payments Guide, After the Fact: How Treasurers Respond to Fraud. The more commonly known CFO/CEO fraud version of BEC has been less of a concern in recent years, as most treasury departments recognize it.
VEC scams, however, are more difficult to catch because they’re not one-off transactions in the way that the traditional CEO fraud scams are. “They’re making you believe that they are the supplier you deal with, and now they’re just trying to get you to update the data. It’s just a normal transaction,” said Larry Tolep, CTP, treasurer for Volkswagen Group of America. “You just send out a payment and you don’t even know there’s an issue. You’re not going to know unless the vendor contacts you at some point and says, ‘Hey, you’re 30 days late with your payment.’ And by that time, it’s too late.”
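The control that defeats the "it's just a normal transaction" pattern described above is to hold every change to a vendor's bank account or remit-to address, however routine the email looks, and verify it by calling the phone number already on file. The following is an added illustration, not code from the article or from any organization it quotes; the vendor record, domains and request fields are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master data (hypothetical, not from the article).
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Supply Co.",
        "email_domain": "acmesupply.example",
        "bank_account": "123456789",
        "phone_on_file": "+1-555-0100",  # callback goes here, never to a number in the email
    },
}

@dataclass
class ChangeRequest:
    vendor_id: str
    from_domain: str           # domain of the From: address
    reply_to_domain: str       # domain of the Reply-To: address
    new_bank_account: Optional[str] = None
    new_remit_address: Optional[str] = None

@dataclass
class Decision:
    hold: bool
    reasons: list = field(default_factory=list)
    callback_number: Optional[str] = None

def review_change_request(req: ChangeRequest) -> Decision:
    """Decide whether an emailed vendor-data change is held for out-of-band verification."""
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return Decision(hold=True, reasons=["unknown vendor id"])
    d = Decision(hold=False, callback_number=vendor["phone_on_file"])
    # Rule 1: any change to where money goes is held, even from the genuine mailbox.
    # A compromised vendor account passes every header check, so this rule is unconditional.
    if req.new_bank_account and req.new_bank_account != vendor["bank_account"]:
        d.reasons.append("bank account change requested")
    if req.new_remit_address:
        d.reasons.append("remit-to address change requested")
    # Rule 2: header signals typical of a spoofed sender or a diverted reply path.
    if req.from_domain.lower() != vendor["email_domain"]:
        d.reasons.append(f"sender domain {req.from_domain} not the domain on file")
    if req.reply_to_domain.lower() != req.from_domain.lower():
        d.reasons.append("Reply-To domain differs from From domain")
    d.hold = bool(d.reasons)
    return d
```

A held request is released only after someone reaches the vendor on `callback_number` and confirms the change; contact details inside the email itself are never used for that call.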
To protect your payments in this new paradigm, Litster of SAFEChecks recommends going back to basics and paying by check. This, of course, isn't a long-term solution, as checks are the payment method most susceptible to fraud. However, they do provide a layer of protection that can help in the current crisis. “In today’s environment, the safest payment method is by check, not ACH,” he said. “This is true even if the checks are being printed without two people being present (dual controls). The critical issue is that the payee name on the check is the intended and correct payee name.”
If a company pays by ACH or wire and the funds are diverted, the money is typically gone. But if the company pays by check and the payment is diverted—or if a fraudster hacks a vendor’s email and sends a bogus change-of-bank-and-PO-Box notification—the endorsement on the back of the check will be forged. “Legally, a forged endorsement is the liability of the ‘bank of first deposit,’” Litster said. “The statute of limitations to charge back a check with a forged endorsement is three years, except in Florida and Georgia, where it is one year. You can absolutely get your money back.”
But for companies that are considering temporarily going back to check payments, it's important to implement the necessary fraud protections, like Positive Pay.
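Positive Pay works by giving the bank a file of the checks you issued and having it flag any presented item that does not match; the payee-name comparison (often sold as payee positive pay) is what catches the altered-payee case Litster describes above. The matching logic below is an added example, not code from the article, SAFEChecks or any bank; the issued and presented items are constructed to show each exception type.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class IssuedCheck:
    number: int
    amount_cents: int
    payee: str

@dataclass(frozen=True)
class PresentedItem:
    number: int
    amount_cents: int
    payee: str  # payee name as captured by the bank from the presented check

def normalize_payee(name: str) -> str:
    """Collapse case, punctuation and spacing so 'ACME SUPPLY CO' matches 'Acme Supply Co.'."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())

def positive_pay_exceptions(issued: List[IssuedCheck],
                            presented: List[PresentedItem]) -> List[Tuple[int, str]]:
    """Return (check number, reason) for every presented item that should not be paid."""
    issued_by_number = {c.number: c for c in issued}
    seen = set()
    exceptions = []
    for item in presented:
        chk = issued_by_number.get(item.number)
        if item.number in seen:
            exceptions.append((item.number, "duplicate presentment"))
        elif chk is None:
            exceptions.append((item.number, "not in issued file"))
        elif item.amount_cents != chk.amount_cents:
            exceptions.append((item.number, f"amount {item.amount_cents} != issued {chk.amount_cents}"))
        elif normalize_payee(item.payee) != normalize_payee(chk.payee):
            exceptions.append((item.number, "payee name mismatch"))
        seen.add(item.number)
    return exceptions

# Constructed sample data: three issued checks and five items the bank presents.
ISSUED = [IssuedCheck(1001, 125000, "Acme Supply Co."),
          IssuedCheck(1002, 50000, "Blue Ridge Printing LLC"),
          IssuedCheck(1003, 74250, "Northwind Traders")]
PRESENTED = [PresentedItem(1001, 125000, "ACME SUPPLY CO"),    # legitimate, matches
             PresentedItem(1002, 50000, "B R Holdings"),        # payee altered
             PresentedItem(1003, 742500, "Northwind Traders"),  # amount altered
             PresentedItem(1004, 99900, "Cash"),                # counterfeit number
             PresentedItem(1001, 125000, "ACME SUPPLY CO")]     # presented twice

if __name__ == "__main__":
    for number, reason in positive_pay_exceptions(ISSUED, PRESENTED):
        print(f"check {number}: return, {reason}")
```

Items with no exception are paid; each exception goes to the treasury team for a pay/return decision before the bank's cutoff, which is the step that recovers the altered-payee check before it clears.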
Deflin of Total Digital Security provided some tips for companies on securing their employees’ new working environments:
- Protect the devices used for business, even if it is an employee-owned device, with monitored and managed end-point security.
- Secure the local (home, home-office) network including a virtual private network (VPN) for outbound communications.
- Train the employees in anti-phishing and BEC fraud for great awareness and resiliency.
“The challenge is to accomplish this for decentralized working environments with holistic, integrated systems that are seamless for the worker and simple to administrate for the company,” Deflin added.
For more insights on BEC scams, download the 2020 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan.