One of the issues keeping treasury up at night is a newer form of payments fraud called business email compromise (BEC), in which intruders masquerade as the CFO or CEO and send emails in the hope of persuading authorized signers to issue electronic payments on their behalf. Because the scam relies on social engineering, every area within a company, not just treasury, needs to be aware of it to avoid becoming “phish bait”.
How BEC scams work
The scam starts with a phishing email to an employee. Once inside the company’s email system (for example, through a compromised mailbox), the scammer reads and waits until certain facts are uncovered:
- When will senior management be out of the office?
- Who is responsible for preparing, reviewing and authorizing outgoing disbursements?
Once these simple facts are learned, the perpetrators pose as a senior manager (CEO, CFO, etc.) and send “urgent” emails to those in the disbursement chain.
Often these emails arrive late in the day or week, making it difficult to reach the supposed sender or even the bank. The objective is to get an authorized signer or sender to willingly release funds from the company’s bank account. The requests often also stress that the recipient keep the matter secret.
For example, the controller for a multibillion dollar company received an email that looked like it came from the CFO, asking him to send an urgent wire to a beneficiary for a “secret” business purpose. Relatively speaking, the amount of the transfer was small. The email ended by thanking the controller for his help.
- The bad news: Someone had penetrated the company’s email system. On closer inspection, the sender’s address was one character off from the CFO’s real address.
- The good news: This attempt at scamming the company failed because the controller knew that the CFO never says “Thank you” in his emails. He took the extra time to confirm the content and purpose of the funds transfer request.
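The tell-tale in this story, a sender address one character off the real one, is something a mail gateway or the disbursement workflow can check mechanically rather than relying on one controller’s memory of the CFO’s writing habits. The following is an added example and not code from the AFP article or its author; the executive allow-list, the homoglyph table and the From: headers it classifies are constructed for illustration.

```python
"""Detect 'one character off' sender addresses against an executive allow-list.

Added example, not code from the AFP article. The allow-list and the From:
headers below are constructed; a real deployment would pull the allow-list
from the directory and run this on the mail gateway or in the payment workflow.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, Optional

# Constructed allow-list: addresses permitted to request disbursements.
KNOWN_SENDERS: Dict[str, str] = {
    "cfo@examplecorp.com": "CFO",
    "ceo@examplecorp.com": "CEO",
    "controller@examplecorp.com": "Controller",
}

# Visually confusable characters that lookalike addresses swap in (partial list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(addr: str) -> str:
    """Lowercase and fold common homoglyphs so cf0@ and cfo@ compare equal."""
    folded = addr.strip().lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    status: str                          # "known", "lookalike" or "unknown"
    impersonates: Optional[str] = None   # which executive the address resembles
    distance: Optional[int] = None       # edits away from that executive's real address


def classify_sender(from_header: str,
                    known: Dict[str, str] = KNOWN_SENDERS,
                    max_distance: int = 2) -> Verdict:
    """Classify the address in a From: header against the allow-list.

    An exact (case-insensitive) match is 'known'. An address that is not an exact
    match but, after homoglyph folding, sits within max_distance edits of an
    allow-listed address is a 'lookalike'; everything else is 'unknown'.
    """
    _display_name, addr = parseaddr(from_header)
    raw = addr.strip().lower()
    if raw in known:
        return Verdict(addr, "known", known[raw], 0)

    norm_known = {normalize(k): v for k, v in known.items()}
    norm = normalize(addr)
    closest = min(norm_known, key=lambda k: edit_distance(norm, k))
    dist = edit_distance(norm, closest)
    if dist <= max_distance:
        return Verdict(addr, "lookalike", norm_known[closest], dist)
    return Verdict(addr, "unknown")


if __name__ == "__main__":
    # Constructed From: headers; only the first is the real CFO.
    for hdr in ['"Jane Doe, CFO" <cfo@examplecorp.com>',
                '"Jane Doe, CFO" <cfo@examplecorp.co>',        # dropped character
                '"Jane Doe, CFO" <cf0@examplecorp.com>',       # zero for o
                '"Jane Doe, CFO" <jane.doe.cfo@gmail.com>']:   # external, unknown
        print(classify_sender(hdr))
```

One caveat worth keeping in mind: this catches lookalike addresses, but a genuinely compromised executive mailbox sends from the real address and passes this check, which is why the confirmation step over a separate channel that the article recommends is still required.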
While this example ended happily enough, preventing this type of socially engineered scam requires an enterprise-wide solution. Issues to consider:
- Email security: Who has access to authorized email addresses, and how do we ensure that only authorized addresses can issue instructions to others in the company?
- Access to the internet: Why do employees continue to click on links and attachments in questionable emails?
- Proper documentation: Should emails serve as the only documentation required to disburse funds?
- Funds transfer authorizations: Who is allowed to prepare, review, and authorize disbursements?
- Bank liability: Banks generally bear no liability in these situations, although they will often help to recover funds on a best-efforts basis. After all, legitimately authorized individuals asked the bank to transfer the funds.
- Use of bank accounts for disbursements: Does treasury maintain absolute control over all accounts at all banks, including those supposedly closed, and are “real” disbursements restricted to only a select few accounts?
- Authorized beneficiaries: Who are the approved recipients of a company’s funds?
As you seek to prevent your company from becoming phish bait, consider this simple two-part question: “Have we ever sent funds to this beneficiary at this bank account before?”
By asking this question you might stop this scam in its tracks. After all, the scammer is seeking to become a “legitimate” beneficiary of funds to be sent to a bank account that they control.
Unfortunately, asking this question may be simple, but the actions required to phish-proof your company may not be. Change will cut across organizational entities and their normal responsibilities. Also, think about the second part of the question above: a clever scammer can masquerade as a legitimate supplier and direct your AP area to change previously approved banking instructions. The next “legitimate” payment to a previously approved beneficiary then goes to a new bank account the scammer controls.
Action steps in 2016
While each company’s organizational structure and culture may present unique challenges, consider the following as a starter set toward making your company phish-proof.
- Secure your AP master vendor file. Most companies have thousands of vendors in their AP master file, but few vet them (i.e., we received an invoice; the “CFO” said it was OK to pay; let’s process and pay it). Fewer still are equipped to know which beneficiaries may be on a restricted “no fly” list (e.g., a list maintained by the Office of Foreign Assets Control or other regulatory bodies).
- Restrict disbursements to select bank accounts from your “preferred provider” banks. This action may result in a more centralized approach to disbursing funds but should restrict payments to only a few banks where transactions can be monitored daily, not just after the normal monthly bank reconcilement.
- Trust, but verify. Create a process that verifies the identities of both the sender and the receiver of a funds transfer request. For electronic payments, comparing each request against a tightly controlled and frequently reviewed authorization list helps. For “strange” or “urgent” requests, add a confirmation step over a different channel, such as a voice call to a phone number already on file (never one supplied in the request itself).
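The two-part question (“Have we ever sent funds to this beneficiary at this bank account before?”), the supplier bank-detail redirection it warns about, and the “trust, but verify” step can be expressed as one gate in the payment workflow. The following is an added example and not code from the AFP article or its author. The vendor master, the payment history, the restricted-party set (a stand-in for a real OFAC screen) and the requests are all constructed; in practice they would come from the AP system and the bank’s payment platform.

```python
"""Gate a funds-transfer request on actual payment history, not on the email.

Added example, not code from the AFP article. The vendor master, payment
history and requests below are constructed; in production they would come
from the AP system and the bank's payment platform, and the restricted-party
set stands in for a real OFAC screen.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Account:
    bank_id: str    # routing number or BIC (constructed values below)
    number: str


@dataclass
class PaymentRequest:
    beneficiary: str
    account: Account
    amount: Decimal
    channel: str                        # how the instruction arrived, e.g. "email"
    verified_out_of_band: bool = False  # callback to the number on file succeeded?


@dataclass
class Decision:
    action: str                         # "release", "hold" or "reject"
    reasons: List[str] = field(default_factory=list)


History = Set[Tuple[str, Account]]      # (beneficiary, account) pairs actually paid
VendorMaster = Dict[str, Set[Account]]  # approved beneficiaries and their accounts


def update_bank_details(master: VendorMaster, vendor: str, new_account: Account,
                        verified_out_of_band: bool) -> bool:
    """Apply a bank-detail change only for a known vendor and only after callback."""
    if vendor not in master or not verified_out_of_band:
        return False
    master[vendor].add(new_account)
    return True


def evaluate(req: PaymentRequest, master: VendorMaster, history: History,
             restricted: Set[str]) -> Decision:
    """Have we ever sent funds to this beneficiary at this bank account before?"""
    if req.beneficiary in restricted:
        return Decision("reject", ["beneficiary on restricted-party list"])
    if req.beneficiary not in master:
        return Decision("hold", ["beneficiary not in vendor master; vet and onboard first"])
    if (req.beneficiary, req.account) in history:
        return Decision("release", ["beneficiary and account match payment history"])
    # Known vendor, account we have never paid: the redirected-instructions pattern.
    # History is checked rather than the master file alone, so a master poisoned by
    # an unverified "please update our bank details" email is still caught here.
    if not req.verified_out_of_band:
        return Decision("hold", ["known beneficiary but never paid at this account",
                                 "confirm by voice on the number on file, not one from the request"])
    history.add((req.beneficiary, req.account))   # confirmed: now a legitimate pair
    return Decision("release", ["new account for known beneficiary, confirmed out of band"])


def run_scenario() -> Dict[str, Decision]:
    """Constructed walk-through of the supplier-redirection scam described above."""
    acme_old = Account("021000021", "123456789")
    acme_new = Account("026009593", "987654321")   # attacker-controlled
    master: VendorMaster = {"Acme Supplies Ltd": {acme_old}}
    history: History = {("Acme Supplies Ltd", acme_old)}
    restricted = {"Sanctioned Trading Co"}
    amt = Decimal("48200.00")
    out: Dict[str, Decision] = {}
    out["routine"] = evaluate(PaymentRequest("Acme Supplies Ltd", acme_old, amt, "ap_system"),
                              master, history, restricted)
    # AP applied an emailed bank change without calling back: simulate the poisoned master.
    master["Acme Supplies Ltd"].add(acme_new)
    out["redirected"] = evaluate(PaymentRequest("Acme Supplies Ltd", acme_new, amt, "email"),
                                 master, history, restricted)
    out["confirmed"] = evaluate(PaymentRequest("Acme Supplies Ltd", acme_new, amt, "email",
                                               verified_out_of_band=True),
                                master, history, restricted)
    out["unknown"] = evaluate(PaymentRequest("Newco LLC", acme_new, amt, "email"),
                              master, history, restricted)
    out["sanctioned"] = evaluate(PaymentRequest("Sanctioned Trading Co", acme_new, amt, "email"),
                                 master, history, restricted)
    return out


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name:>10}: {decision.action:7} {'; '.join(decision.reasons)}")
```

The design point is that the gate consults the record of payments actually made, not just the vendor master: a scammer who talks AP into “updating” a supplier’s bank details has poisoned the master, but the new (beneficiary, account) pair has still never been paid, so the first payment to it is held until someone calls the number already on file.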
Finally, look on the bright side. You now have an excuse to actually talk to your CFO, person to
Bruce Lynn, CTP, is managing partner, The FECG.