BEC Scams: Why the Game Has Changed for Treasury

  • By Andrew Deichler
  • Published: 4/18/2016
The FBI's recent revelation that organizations have lost more than $2.3 billion from business email compromise (BEC) scams over the past three years should come as no surprise to treasury and finance professionals, who now see these scams as their number one fraud threat.

The alert, which came from the FBI’s Phoenix division, said that since January 2015, there has been a whopping 270 percent increase in identified victims and exposed losses from BEC scams (also known as CEO/CFO fraud and imposter fraud). Law enforcement has reportedly received complaints from victims in every U.S. state and 79 countries. Average losses in Arizona range from $25,000 to $75,000.

AFP has been following the rise in BEC scams for some time; the 2016 AFP Payments Fraud and Control Survey, underwritten by J.P. Morgan, revealed that 64 percent of organizations were exposed to BEC scams last year. Wire fraud also increased 27 percent from 2014—and BEC scams were likely the reason for the jump.

At this week’s TEXPO conference, AFP spoke with Craig Jeffery, managing partner at treasury and risk consulting firm Strategic Treasurer, about the BEC scam epidemic. His organization also recently completed a payments fraud survey of corporate treasury and finance professionals with Bottomline Technologies, and found that 77 percent of respondents said they had been hit with BEC scam attempts over the past two years, and 10 percent of them experienced losses as a result.

“A 10 percent success rate going against companies is pretty significant, especially with some of the losses being well over $1 million,” Jeffery said.
 
While check fraud is still the most prevalent threat out there, the magnitude of the losses from BEC scams is what makes them so much more significant, Jeffery noted. “If you look at some of the American Banking Association data, the loss from check fraud, year-to-year, ends up around $1,000 to $2,000. And if you look at some of the statistics for wire fraud related to business email compromise, it’s north of $130,000 per transaction. That’s a hundredfold difference. So that old adage, ‘Crime doesn’t pay’ isn’t true. Crime does pay. It certainly has been paying.”

Jeffery noted that BEC scammers are extremely patient; compromising emails, determining patterns and gauging additional information from other people in the organization takes time and effort. But once a fraudster has familiarized themselves with your company’s processes—once they know who authorizes wire transfers, who sends them, who is out of the office, etc.—it can be relatively easy to send a convincing email with an urgent wire request. “That’s why there’s been that multiyear uptick in this, that you’ve seen in your survey and we saw in ours,” he said.

How treasury can avoid BEC scams

Jeffery encourages the treasury departments he works with to be proactive and preventative when it comes to BEC scams. “Treasurers need to start being more offense-minded,” he said. “They have to recognize that the game has changed, and it is changing. Just like a three-point shot in basketball; these wire payments are paying off at a much higher level.”

Jeffery advises treasury departments to perform tabletop exercises so that they know what to do when a BEC scam occurs. He is a proponent of practicing a lockdown protocol, meaning shutting things down when an incident starts to happen. Some companies lock down employee access: if an employee has been compromised, that employee’s ID is actually shut off so that a criminal who is in their system can no longer access the network.

He also recommends using a separate machine for all treasury and payment activity. “People used to laugh about using a separate machine—they’re not laughing anymore,” he said. “They’re setting those up and keeping them separate from the network activity so they’re not exposed.”

Perhaps most importantly, Jeffery believes that treasury needs to implement a control framework, similar to the Control Objectives for Information and Related Technology (COBIT) framework for IT. The goal of such a framework is to categorize an organization’s internal controls to minimize risk. This has not been a huge focus for organizations until relatively recently.

For treasury, a control framework would look at the overall banking structure to not only determine where corporate cash is, but also establish procedures around it. “It would look at the account level controls and the transaction-level controls that an organization has—that’s one key pillar,” Jeffery said. “Another one has to do with visibility into what’s in my bank account—I need to see significant transactions today, and balances on accounts that are open for external transactions or payments. And then there’s monitoring—not only how we monitor our accounts, but how we monitor the activity and the access points of our systems.”

For further tips on how to recognize BEC scams and save your organization a lot of money, download AFP’s Treasury in Practice Guide, BEC Scams: Treasury’s Number One Fraud Threat, here. Also, be on the lookout for a new AFP Payments Security Guide on BEC scams, due out soon.
Copyright © 2018 Association for Financial Professionals, Inc.
All rights reserved.