The following article was excerpted from the latest Payments Guide, underwritten by MUFG Union Bank.
One type of payments fraud that continues to evolve is business email compromise (BEC). When this scam first began making waves several years ago, it took a lot of companies by surprise. Since that time, treasurers have become very proactive in applying protocols to avoid this type of fraud. Yet this scam continues to work against even very prominent companies, largely due to the ingenuity of the fraudsters.
According to the 2019 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan, 58 percent of treasury and finance professionals reported that payments fraud at their companies came as a result of BEC scams. Furthermore, 80 percent of organizations experienced these scams in 2018, continuing an upward trend observed over the past four years.
The most common type of BEC scam is also known as CEO fraud, in which a fraudster spoofs an email from a high-ranking executive, instructing someone at the company to make an urgent payment. Though these scams are well known to treasury and AP departments, they’re still effective.
These scams still work, largely due to how impersonal office communications have become. Steven D'Antuono, Financial Crimes Section Chief for the FBI, insists that companies should have a policy in place in which someone in AP or treasury actually calls the individual who supposedly sent the email. “That’s how a lot of these BECs happen; it’s gotten so impersonal,” he said. “Back in the 1960s or 1970s, you’d just walk down to the CEO’s office and make sure they wanted this payment. But that personal approach is gone, and now these criminals have just taken advantage of that.”
In another sign of evolution, the methods that criminals are using to execute BEC scams appear to be changing in a surprising way. Although wire transfers remain the method most commonly used for BEC, wires were used against 43 percent of organizations last year—down from 54 percent in 2017. However, BEC scams targeting ACH credits surged from 12 percent in 2017 to 33 percent in 2018, according the AFP survey.
So what conclusions can we draw from this dramatic shift? The survey notes that this change may support the theory that more fraudsters are gaining access to internal systems though account takeovers and are using the data gathered to generate ACH files. Indeed, account takeovers also saw a sizable surge, jumping from 13 percent to 20 percent.
But this change in the method used may also be an indicator of several other things. First off, it could be a sign that fraudsters are evolving. BEC scams are known to nearly every organization out there right now. The telltale signs are obvious to most treasury departments, and many of them have put protocols in place to ensure that no one is sending a $50 million wire transfer to China, based on an email that supposedly came from the CEO. Although the survey revealed that the majority of BEC scams (81 percent) involved a fraudster impersonating a senior executive, fraudsters are also targeting routine vendors. Forty-four percent of respondents reported that criminals had impersonated vendors in emails, changing payment instructions that directed funds to their own accounts.
Additionally, the shift to ACH may be an indication that fraudsters are targeting domestic transactions, rather than international ones. While wires are used for most international transfers, the majority of ACH transactions occur domestically.
“We do a see a trend in money moving domestically, versus internationally,” said FBI Assistant Section Chief Aaron Seres. “Bad guys are always moving their operations to get around law enforcement actions. So typically, in the past, you would see everything go internationally. Now you’ll see a little of it going domestically and then internationally; there’s definitely some changing methodology in that regard in terms of ACH or any other type of payment fraud.”
The shift to domestic transactions could stem from the FBI getting better at clawing back money that was transferred internationally, D'Antuono noted. “We got very good at taking money away, because there is a lag,” he said. “So if it was reported quickly enough, we were able to pull that back.”
One might also assume that the individual dollar amounts of these fraudulent transactions are going down, but that does not appear to be the case. “We see fluctuations from $1,000 to $50,000 to more,” D'Antuono said. “The BEC real estate scams can be hundreds of thousands of dollars.”
Magnus Carlsson, manager of treasury and payments at AFP, has observed a recent spike in $2 million-plus transactions. “We also see that larger organizations have been targeted more over the past year,” he said. “I find it very interesting that ACH credits have seen such an uptick as a vehicle used for domestic BEC. You can’t hide behind the time difference and use that to your advantage. But I can see how you could request an ACH just so it wouldn’t raise any red flags. Because if you ask for a wire, typically that’s a red flag.”
Vendor BEC Uptick
Larry Tolep, CTP, treasurer for Volkswagen Group of American and a member of AFP’s Treasury Advisory Group, believes that the typical CFO/CEO fraud version of BEC has not been much of an issue as this scam has been circulated within the organization and people recognize it. “When you send out this email request to do something really strange—sending $1 million to an account in China—it’s going to get more scrutiny,” he said.
What continues to be a problem though is the supplier version. Volkswagen has been a target of a couple of these fraud attempts. ACH has been used for these payments.
“For our payments, we have master data inside of an accounting system,” Tolep said. “So when a payment comes, all the information on that vendor is already locked and loaded. So there will be a PO, the payment will be generated, and all of the information is already there. So a fraudster we think is a supplier will have communication back and forth. They build the relationship, and then they give the company new settlement instructions. And if we accept those settlement instructions, we’ll update the vendor master data. So if that request gets approved, it will be generated automatically with what is inside that system. So that has been, from a fraud perspective, an area of concern.”
These types of BEC scams are harder to catch because they’re not one-off transactions in the way that the traditional CEO fraud scams are. “They’re making you believe that they are the supplier you deal with, and now they’re just trying to get you to update the data. It’s just a normal transaction,” he said. “You just send out a payment and you don’t even know there’s an issue. You’re not going to know unless the vendor contacts you at some point and says, ‘Hey, you’re 30 days late with your payment.’ And by that time, it’s too late. So even though it’s an ACH, by the time you’re figuring it out, it could still be too late.”
Typically, by the time all this has been figured out, the fraudster has collected their money and closed the bank account. So when you go to the bank and try to claw the money back, the bank informs you that the money isn’t there anymore.
Tolep advises treasury departments who are hit with these types of scams to be very clear when going to their bank to inform them of what happened. “Tell them that there has been fraud,” he said. “As soon as you do that, it brings everything up to a much higher elevation at the bank and it makes them say, ‘We have to address it.’ That’s different than just saying, ‘I need to reverse an ACH that I paid out.’”
For more insights, download After the Fact: How Treasurers Can Respond to Fraud. And be sure to check out the Payments Track at AFP 2019.