According to new research from TrendMicro, CFOs are targeted for business email compromise (BEC) more than any other finance professional, with nearly 19 percent of BEC scams aimed at them. Finance directors came in second at more than 7 percent, followed by finance managers (6 percent), finance controllers (6 percent) and accountants (4 percent).
U.S. corporates should particularly be on alert. Thirty-one percent of BEC scams so far in 2017 have been against companies in the United States, followed by Australia (27 percent), the UK (22 percent), Norway (5 percent) and Canada (3 percent).
What to watch for
The report also pinpointed which executives BEC scammers are impersonating or “spoofing” the most. Unsurprisingly, CEOs topped the list at 42 percent, followed by managing directors/directors (28 percent), presidents (7 percent), general managers/managers (6 percent) and chairmen (4 percent).
Based on random sampling of attacks, TrendMicro identified some words and phrases commonly used in these scams, such as “acquisition,” “Contract,” “Instructions,” “Invoice,” “Request,” and “Swift response needed.”
This aligns with one of the most important takeaways in AFP’s Treasury in Practice Guide on BEC scams: watch for urgent or secret requests, especially when they come from an executive who is absent. Fraudsters typically request a transfer for an acquisition, and stress that the payment needs to be made immediately. The request typically comes on a Thursday or Friday, or right before a holiday weekend when the company is short-staffed.
However, TrendMicro also observed a resurgence of the other method of BEC scam, in which the perpetrator impersonates a routine supplier rather than an employee. In these types of scams, they send an email with a fake invoice and instructions on where to send the payment (hint: it’s not the actual supplier’s account).
Preventing the threat
According to the FBI, global losses attributed to BEC scams since 2013 totaled $5.3 billion by May 2017. Fortunately, 70 percent of organizations have implemented controls to prevent these scams, the 2017 AFP Payments Fraud and Control Survey noted.
There are a number of ways to make sure that a questionable email request is valid, but the most obvious is to simply call the individual making the request and verify its authenticity. Do this every time a supplier sends you an email request with new payment instructions. And don’t call a number provided to you in the email; use the number you have on file.
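As an added illustration of the warning signs listed above and of the call-back rule, here is a small triage script that is not part of the Trend Micro report or AFP’s guidance: it scores a message on the keywords and spoofed executive titles the report lists and flags any changed payment instructions for a phone call to the number already on file. The payment-change phrases, the executive directory and the sample messages are assumptions constructed for this example.

```python
import re
from collections import namedtuple

# Indicator words from the Trend Micro sampling cited in the article.
BEC_KEYWORDS = ("acquisition", "contract", "instructions", "invoice", "request", "swift response needed")
# Executive titles the report says are spoofed most often.
SPOOFED_TITLES = ("ceo", "managing director", "director", "president", "general manager", "chairman")
# Phrases signalling changed payment instructions (assumed list, not from the report).
PAYMENT_CHANGE = ("new bank account", "new payment instructions", "send payment to", "updated banking details")
Email = namedtuple("Email", "display_name from_addr subject body")

def _phrases_in(text, phrases):
    # Whole-word matches, so 'president' does not fire inside 'presidential'.
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]

def classify(mail, internal_domain, exec_directory):
    """Return (score, verify_by_phone, reasons) for one message.
    exec_directory maps lowercase executive display names to their real addresses
    (assumed lookup). The score is a triage aid, not a verdict."""
    score, reasons = 0, []
    text = f"{mail.subject} {mail.body}".lower()
    sender_domain = mail.from_addr.rsplit("@", 1)[-1].lower()
    # Executive impersonation: a known name, but not the executive's real address.
    real = exec_directory.get(mail.display_name.lower())
    if real and mail.from_addr.lower() != real.lower():
        score += 3
        reasons.append(f"'{mail.display_name}' sent from {mail.from_addr}")
    # An executive title claimed from outside the company's own domain.
    if sender_domain != internal_domain and _phrases_in(text, SPOOFED_TITLES):
        score += 1
        reasons.append("executive title used from an external domain")
    # Urgency and payment vocabulary seen in the sampled scam emails.
    hits = _phrases_in(text, BEC_KEYWORDS)
    score += len(hits)
    reasons += [f"scam keyword: {h}" for h in hits]
    # Supplier-style BEC: changed payment details always get a call-back on the number on file.
    changed = bool(_phrases_in(text, PAYMENT_CHANGE))
    if changed:
        score += 3
        reasons.append("payment instructions changed")
    return score, changed or score >= 4, reasons

# Constructed sample messages (not from the article).
EXECS = {"jane doe": "jane.doe@example.com"}
SAMPLES = [
    Email("Jane Doe", "jane.doe@example-mail.net", "Swift response needed",
          "Need a wire for an acquisition today, keep it confidential. Instructions attached."),
    Email("Acme Supplies AP", "billing@acme-supplies.example", "Invoice 4471",
          "Please note our new bank account for this invoice; send payment to the details below."),
    Email("Jane Doe", "jane.doe@example.com", "Lunch", "Team lunch on Friday?"),
]
```

The first two samples come back flagged for a call-back (the impersonated executive at 6 points, the supplier with changed bank details at 4), while the genuine internal message scores 0.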
“When your vendors email you and say, ‘I have a new bank account, send it here instead of there,’ tell your AP to call them back,” said one treasurer. “Verify it. That’s something people aren’t doing.”
Another way to stop BEC scams, explained Greg Litster, president of SAFEChecks and AFP 2017 speaker, is requiring two different computers and passwords to send money, with one of them being a computer that connects to the bank and nothing else. Only that dedicated bank computer can be used to release transfers. “For the release, you don’t want to use a computer you use for email, because you don’t know if your computer’s been hacked and the keystrokes are being monitored,” he said.
But while adding a computer that is only used for the bank connection sounds like a good idea, Magnus Carlsson, AFP’s manager of treasury and payments, noted that it’s not a practice that is typically used in treasury departments. “In my own experience, the AP personnel used their workstations to initiate payments, but they also had security devices such as login boxes they had to use to connect to the banks,” he said. “But the security set-up is of course different depending on what systems and banks you are using.”
Tom Hunt, director of treasury services for AFP, agreed. “I think this is the ideal situation, but in practice it rarely occurs,” he said.
Don’t miss Greg Litster’s session at AFP 2017, BEC Scams and Mobile Banking Fraud: The Wild, Wild West of Financial Fraud.