Magnus Carlsson, Manager, Treasury & Payments, AFP
Whenever I hear that a company has been defrauded by a business email compromise (BEC) scam, it leaves me scratching my head as to how this simple, avoidable scheme is still working. These scams, which are also frequently referred to as CEO fraud, have been in play pretty regularly now for the past two years, and they’ve been well reported on. At AFP, we’ve certainly tried to do our part, releasing both a Treasury in Practice guide and an AFP Payments guide on these scams in the past year. So why, then, are people still falling for them?
The sad fact is that somehow, the message just isn’t getting across fast enough. Earlier this month, I was leading a presentation for about 30 practitioners, and when I asked how many of them knew what BEC scams were, only about four raised their hands. It stunned me that more people hadn’t heard about this fraud.
But perhaps this shouldn’t have come as a surprise. As we saw earlier this year in the results of the 2016 AFP Payments Fraud and Control Survey, 64 percent of respondents said their organizations were exposed to BEC scams. The surge in these scams was so dramatic that wire fraud, which is the typical vehicle for BEC scams, jumped from 27 to 48 percent year over year. So even though BEC scams have been in the news since 2014, we all need to do a better job of making organizations aware of what they are and how to stop them before they start.
What is a BEC scam?
Often called the top fraud threat to corporate treasury and finance, BEC scams typically target companies that make routine wire transfers to foreign suppliers and businesses. A company will generally receive an email requesting a transfer that appears to come from a high-ranking executive or a supplier. But that email is actually from a hacked or "spoofed" email account. If the recipient of the email believes the request to be legitimate and transfers the money, it's often nearly impossible to get it back.
BEC scammers are good at impersonating employees and suppliers because they usually begin by sending a phishing email to multiple employees months in advance. If one of the employees clicks on that email, it will grant the fraudster the ability to monitor that email account, where they can pick up on little details about the company's executives and suppliers so they can better impersonate them. Once the fraudster gathers enough information, they send an email to the appropriate party for the transfer request.
When impersonating a CEO or CFO, the BEC scammer will often pick a day that they know the real executive is out of the office. They will also usually imply in their email that the transfer is for some sort of urgent deal and will stress confidentiality, requesting that the email recipient not share this information with anyone. And employees frequently fall for this because they're afraid that if they push back at all against this high-ranking executive, their jobs could be in jeopardy.
Even AFP has encountered BEC scams. Earlier this year, I received an email that appeared to be from our president and CEO Jim Kaitz, about making a payment. The email didn’t actually ask me to make a payment initially; it simply requested that I reply to the message so that the sender could send me the beneficiary information. So it was only a first step to develop some kind of trust between me and the other party. I walked over to our CEO’s office to let him know I had received a suspicious email that looked like it was from him, and of course he wasn’t there. So I hit “reply” on the message to see if our CEO’s email address came up. Sure enough, the reply was going to a completely different address.
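The "hit reply and look at the address" check described above can be automated on the mail gateway or in a mailbox rule before a request ever reaches an AP clerk. The following Python script is an added example, not AFP's code or tooling: it parses raw message headers, flags a Reply-To that points somewhere other than the visible From address, flags a known executive's display name on an address that is not the one on file, and looks for the payment and urgency wording the article describes. The executive directory, addresses and sample messages are constructed placeholders.

```python
"""Triage an inbound payment-request email for BEC header anomalies.

Added example (not AFP's code). Assumes a small directory mapping executive
display names to the address each actually sends from; all addresses below
are constructed placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executive display name -> address on file.
KNOWN_EXECUTIVES = {
    "jim kaitz": "jim.kaitz@example.org",
}

# Wording that, together with a header anomaly, should route the message to
# the phone-callback and dual-authorization process instead of the AP queue.
URGENCY_TERMS = ("wire", "transfer", "payment", "urgent",
                 "confidential", "beneficiary")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if the address has none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str, known_execs: dict = KNOWN_EXECUTIVES) -> dict:
    """Return header findings, matched wording and a handling decision."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Replies would go somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        if _domain(reply_addr) != _domain(from_addr):
            findings.append(
                f"Reply-To domain differs from From: {from_addr} -> {reply_addr}")
        else:
            findings.append(
                f"Reply-To differs from From within the same domain: {reply_addr}")

    # 2. A known executive's display name on an address that is not theirs.
    expected = known_execs.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected.lower():
        findings.append(
            f"display name '{from_name}' belongs to {expected}, "
            f"but the message is from {from_addr}")

    # 3. Payment / urgency wording in the subject or a plain-text body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    terms = sorted(t for t in URGENCY_TERMS if t in text)

    if findings and terms:
        decision = "hold: verify by phone to the number on file; dual authorization required"
    elif findings:
        decision = "review: sender anomaly"
    else:
        decision = "no header anomaly (still no payment on an email alone)"
    return {"findings": findings, "terms": terms, "decision": decision}


# Constructed sample messages (not real mail).
SPOOFED_REPLY_TO = """From: Jim Kaitz <jim.kaitz@example.org>
Reply-To: Jim Kaitz <jkaitz.office@mail-example.net>
Subject: Quick request

Are you at your desk? I need you to handle a confidential payment today.
Reply to this message and I will send you the beneficiary details.
"""

SPOOFED_DISPLAY_NAME = """From: Jim Kaitz <ceo.jkaitz@mail-example.net>
Subject: Urgent wire transfer

Please process this transfer before end of day. Keep it between us.
"""

LEGITIMATE = """From: Jim Kaitz <jim.kaitz@example.org>
Subject: Lunch

Lunch at noon?
"""

if __name__ == "__main__":
    for label, raw in (("reply-to spoof", SPOOFED_REPLY_TO),
                       ("display-name spoof", SPOOFED_DISPLAY_NAME),
                       ("legitimate", LEGITIMATE)):
        result = analyze_message(raw)
        print(f"[{label}] {result['decision']}")
        for f in result["findings"]:
            print("   -", f)
```

The decision strings are deliberately process-oriented: a flagged message is not rejected, it is held until the callback to a previously known number and the second approver have both happened, which is exactly the control the article recommends regardless of what the headers look like.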
How to prevent BEC scams
BEC scams aren’t an inherently difficult type of fraud to thwart. You just have to be ready and put in place certain protocols so that if you do receive an email request for a wire transfer, you can determine whether it is legitimate or not.
- Make sure that you can’t initiate a payment based solely on an email. If you really want to use email for sending payment instructions, you must follow it up with a phone call.
- Phone calls must be made to previously known numbers. If you are verifying payment instructions over the phone, make sure you call a number you already have on file and not one that was sent in the email.
- Implement dual authorization. Require that at least two employees sign off on any payment that goes out due to an email request.
- Make sure all staff members are on the same page. The CEO needs to be aware that an AP clerk will not, under any circumstances, send a payment based on nothing more than an email request. Executives need to be aware that lower-level employees must follow these protocols.
Following these simple steps can potentially save your organization millions of dollars. If you follow these protocols, BEC scams should no longer be an issue. The problem has been that companies haven’t been putting these measures in place, and the fraud has been allowed to slip through.