Business email compromise (BEC) scams continue to be the top fraud threat to corporate treasury and finance, as both the frequency of attempts and the dollar amounts stolen are increasing dramatically.

Just last week, Ubiquiti Networks, a San Jose-based networking technology firm, revealed in an SEC filing that it had been defrauded out of nearly $47 million.

The incident, which occurred in June, involved a fraudster impersonating an Ubiquiti employee and arranging $46.7 million wire transfer to Hong Kong. The company reached out to its Hong Kong subsidiary’s bank and managed to recover $8.1 million. Ubiquiti expects an additional $6.8 million to be recovered. The company is working with law enforcement to recover the rest of the money.

Ubiquiti added that it “may not be successful in obtaining insurance coverage for this loss.” This point is incredibly important for corporate treasurers—many companies today are making major investments in cyberinsurance, but they might not realize that BEC scams likely fall outside that coverage. “I learned from our insurance group that this isn’t covered as a fraudulent wire because we intentionally sent it,” a treasurer explained at the latest Association of Global Development Treasurers conference, held at the AFP offices in Bethesda, Md.

A payments fraud expert who works for a major bank noted that this is a common problem. “You’re accountable for that,” he said. “If your person hits that button, thinking they are legitimately doing it, you’re screwed.”

Therefore, treasurers would be wise to talk with their insurance providers and find out specifically what types of scams they are covered for.

Additional tips for treasurers

Another good tip for treasurers and CFO is to change their processes when they are out of the office. Sassan Parandeh, CTP, global treasurer of ChildFund, whose organization was resourceful enough to catch a BEC scam before it transferred any money, suggested that perhaps treasurers and CFOs should refrain from leaving an out-of-office message in Outlook. That way they will not be targeted by fraudsters looking for easy targets to impersonate via email.

The fraud expert suggested another approach—keeping out-of-office messages internal. “You can keep your out-of-office message from going externally,” he explained. “That way your internal team will know that you’re out of the office but criminals won’t.”  

In addition to impersonating absent employees, BEC scammers also will impersonate companies’ suppliers and send them new payment instructions so that a routine transfer will be sent to a new account. Another treasurer for a global development organization stressed that sometimes just a simple phone call can keep thousands or even millions of dollars from walking out the door. “When your vendors email you and say, ‘I have a new bank account, send it here instead of there,’ tell your AP ground to call them back,” she said. “Verify it. That’s something people aren’t doing.”