BEC Scams: Why Treasury Is Still In the Danger Zone
- By Magnus Carlsson
- Published: 6/27/2016
Although business email compromise (BEC) scams have been going on for quite a while, many corporates are still in the danger zone from this type of fraud. So why are these seemingly simple scams so successful for criminals? The primary reason is that they play a psychological trick on the individual they are targeting.
I can actually relate to this myself. One day I received an email that appeared to come from AFP President and CEO Jim Kaitz with the following message:
“I will need you to do an electronic fund transfer (EFT) as soon as possible. Kindly get back to me, via e-mail for the beneficiary details.”
That was it! The email just requested a response from me in order to get the “beneficiary details”, which might seem harmless enough. But the curious thing about this is that even though I knew for sure our CEO would not send me this kind of email—mostly because I don’t have any kind of authority when it comes to actually making payments—I still felt a certain urge to help him out. Even though I work with this stuff and present it at various conferences, I didn’t just ignore it. I walked over to Jim’s office to let him know I had received this suspect email from what looked to be his authentic email address.
Of course he was out of the office that day—a textbook indication of a BEC scam. This is how elaborate these scams are. BEC scammers know the routines and schedules of their targets.
I contacted our IT department, who suggested hitting the reply button on the email. When doing so, without sending it mind you, the address that now appeared in the address line was a completely different email address. As I mentioned above, the sender address on the original email appeared exactly as Jim’s email address, something that is not always true with these scams, as the email addresses often have one or two characters wrong. But hitting reply on an email like this is actually a good way to determine whether it is fraudulent or not, because the reply goes to the hidden Reply-To address rather than the sender address you see. It doesn’t solve all the problems, but it is at least one simple step one can take to see if the email originates from the correct person.
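The two tells described above, the reply going somewhere other than the displayed sender and a sender domain that is one or two characters off, can both be checked mechanically. The script below is an added example, not AFP's code or anything from the original article; the trusted domain `example.com`, the executive name and all three sample messages are constructed for illustration, and the wording of the first message is modelled on the request quoted earlier. It also shows the limit the author mentions: a lookalike domain with no Reply-To header passes the "hit reply" test and is only caught by the domain comparison.

```python
"""Flag the two BEC tells from the article: a Reply-To that differs from the
visible From address, and a sender domain that is a near-miss of a trusted one.
Added example; domains, names and messages below are constructed."""
import email
from email.utils import parseaddr

# Assumed trusted domain for this example; substitute your own organisation's domains.
TRUSTED_DOMAINS = {"example.com"}
LOOKALIKE_MAX_DISTANCE = 2  # "one or two characters wrong"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return (trusted_domain, distance) when domain is a near-miss of a trusted one, else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    best = None
    for trusted in TRUSTED_DOMAINS:
        d = edit_distance(domain, trusted)
        if d <= LOOKALIKE_MAX_DISTANCE and (best is None or d < best[1]):
            best = (trusted, d)
    return best


def assess(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and report where a reply would really go."""
    msg = email.message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    # This is what the mail client does on "reply": Reply-To wins over From when present.
    _, reply_addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()

    findings = []
    if reply_addr != from_addr:
        findings.append(f"reply goes to {reply_addr}, not to the displayed sender {from_addr}")
    checked = set()
    for label, addr in (("From", from_addr), ("Reply-To", reply_addr)):
        dom = domain_of(addr)
        if dom in checked:
            continue
        checked.add(dom)
        hit = lookalike_of(dom)
        if hit:
            findings.append(f"{label} domain {dom} is {hit[1]} edit(s) away from trusted {hit[0]}")
    return {"from": from_addr, "reply_to": reply_addr,
            "reply_mismatch": reply_addr != from_addr, "findings": findings}


# Constructed sample messages (not real mail).
SUSPECT = """\
From: Jim Kaitz <jim.kaitz@example.com>
Reply-To: jim.kaitz.ceo@freemail-example.net
To: magnus@example.com
Subject: EFT

I will need you to do an electronic fund transfer (EFT) as soon as possible.
Kindly get back to me, via e-mail for the beneficiary details.
"""

LOOKALIKE = """\
From: Jim Kaitz <jim.kaitz@exarnple.com>
To: magnus@example.com
Subject: Urgent payment

Call me when you have done the transfer.
"""

LEGIT = """\
From: Jim Kaitz <jim.kaitz@example.com>
To: magnus@example.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in (("SUSPECT", SUSPECT), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(name, assess(raw)["findings"] or ["no findings"])
```

The first message is the case from the story: the From line is perfect, so only the reply target gives it away. The second has no Reply-To at all, so "hit reply" shows the same address you already saw; the edit-distance check against your own domain is what catches `exarnple.com`. Neither check proves a message is genuine, which is why the payment procedure itself, not the email, has to be the control.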
So, why do we see such an uptick in these types of scams, and why do almost 50 percent of them result in losses, according to the 2016 AFP Payments Fraud and Control Survey? The simple answer is that they work. As long as criminals can extract funds through a certain method, they will keep using it.
A better question to ask is how treasury departments can prevent losses from these scams. To answer it, it is important to first understand how the criminals work. These sophisticated types of fraud take a lot more work and effort than altering a stolen check or creating fake credit cards with magnetic stripes from stolen card data. This type of fraud demands that criminals know their targets in detail in order to create plausible emails. To do this, they need to gather information on their targets and build profiles. The idea is that, “if I know everything about you, I can ‘be’ you, and conduct business as ‘you’”.
What kind of information are we talking about? Any information can be used as a piece of the puzzle to build a more or less complete profile. Think about those emails that you printed out, or receipts from your work lunch, or anything else that exposes information on you or your company. Think about what is available on the company website. If you add all this information together, you will know how the target writes emails, what style he/she uses, when and where they go to lunch, the last four digits of their credit card, etc. Company websites and social media also often reveal job titles and the areas the target works in. These are just some examples of exposed information. Add to that the possibility of the company being hit with malware or phishing that captures keystrokes, passwords, etc. It’s pretty scary!
In order to protect your organization from BEC scams, one of the better solutions is to set up very clear internal procedures for generating, authorizing and releasing payments. For starters, email should never be used to initiate any kind of funds transfer. The internal policies must also be well known to the whole organization, or at least to the departments involved with funds transfers. Every employee, including the CEO and CFO, must know these procedures and also be certain that everybody else knows them too. If there is a case where an emergency payment must be made, there should be a clear protocol for that as well, so that urgency cannot be used to bypass the normal controls. If everybody knows that no payments will be initiated through an email, it is easy to detect, dismiss and report fraudulent requests.
Awareness of BEC fraud is spreading; more and more companies are becoming familiar with the telltale signs of this particular scam. Nevertheless, organizations are still being fooled constantly. So while BEC fraud likely won’t last forever—criminals are always ready to move on to new methods once the old ones stop working—treasury needs to make sure its procedures are in place now to prevent any funds from walking out the door.
Magnus Carlsson is manager of treasury and payments for AFP.
For more tips on how to thwart BEC scams before they start, download AFP's latest Payments Guide. Trust, But Verify: How to Stop Business Email Compromise Attacks, Underwritten by MUFG Union Bank, is available here.
Copyright © 2017 Association for Financial Professionals, Inc.
All rights reserved.