What is Business Email Compromise (BEC)?
Remember those 1990s horror movies, where the frightening call was coming … from inside the house?
Business Email Compromise, also known as BEC, is not so different. It’s when a fraudster compromises a legitimate business email account. Once the fraudster has access to a company email account, they use the seeming legitimacy of the email they’ve compromised to deceive someone within your organization. The fraudster’s ultimate goal is to get funds transferred to themselves – or to gain access to further sensitive data.
This sophisticated scam targets businesses of all types and sizes. It can be done through social engineering or computer hacking. And it’s depressingly common. Business Email Compromise attacks cost organizations an estimated $2.4 billion in losses in 2021, reports the FBI, which received a total of 19,954 complaints related to this threat.
What are the types of Business Email Compromise?
Broadly speaking, there are four categories of BEC.
- Simple Spoofs: This where the criminal adjusts an email address slightly (think changing .com to .net at the end, using 0 instead of O, or adding a 1 to the end of a name) and pretends to be a colleague. The criminal will often request an invoice be paid immediately, or need a password entered on their behalf because they’re stuck in meetings all day, or otherwise unable to access their computer.
- Account Takeover: This is when a criminal, through whatever means, has gained access to a colleague’s email account. The criminal will request a payment be sent, or forward an invoice that they want paid. An unsuspecting employee may simply follow instructions, especially if the compromised email address is from their superior.
- Supply Chain Spoof: Companies regularly pay suppliers. And it’s not that unusual for a supplier to follow up on an invoice, notice a contact of a new payment acceptance method, or something similar. Fraudsters take advantage: they pretend to be a supplier and route routine payments to their own bank account by instructing the recipient on a change to their billing process.
- Supply Long Con: Fraudsters sometimes compromise an account to watch invoices come and go for weeks or months, to get a sense of normal communications. Then they’ll insert themselves into the process and mention that a month in the future, their payment acceptance process will change. They’ll send a couple friendly follow-up reminders. The victim may appreciate the advance notice and think nothing of it … until they realize they’ve started sending money to a criminal.
What BEC red flags should you watch out for?
It’s all about social engineering – making you feel like you must deal with the email immediately or you’ll have issues. Fraudsters want to get you to act before you really think.
Unnecessary Urgency: Look out for any urgent or last-minute requests. Does something really need to be done today, or within the next few hours? Why is a normal process suddenly upended? This should be an immediate red flag.
Strange Phone Numbers: Some requests may try to have you contact a different phone number than the one you already know. That’s always a bad sign. Double check by calling the phone number you already know.
Lack of Availability: Would a colleague suddenly be unavailable and just ask you to take care of this “really important” issue for them? They may also say they are unavailable by phone. When does this ever happen? If someone is saying they’re unreachable, it probably means a fraudster doesn’t want you to double-check.
Secret and Confidential Requests: An uncharacteristic request for secrecy or confidentiality is a warning sign. The fraudster doesn't want the target to share the request because they might be warned of a scam. If something needs to be kept a secret, especially when it relates to money, you probably shouldn’t be doing it.
Using Formal Names: If your colleague typically uses Bob, Chris or Jim, why do they suddenly sign their email Robert, Christina or James? Immediate red flag.
Double-Check the Email Address: If anything seems *slightly* suspicious, double check the email address. Look for signs of a letter being used for a number or vice-versa, such as an "L" being substituted for a "1" or a zero for the letter O. Look for extra or missing letters within the email address. If you spot any of these, contact your IT department immediately. Do not respond!
Time of Day: Was the email sent during odd hours? If the email time and date stamp is in the middle of the night, that should give you pause. Similarly, if you receive a work email at 3am from a colleague you know works in your time zone, something is probably off.
Poor Grammar, Especially ‘Kindly’: Fraudsters often aren’t native English speakers. Pay attention to odd wording, such as the use of “kindly” in place of “please,” or an improper use of prepositions.
The Logic Test: Imagine an email from a long-time Hong Kong-based vendor requesting their payment be directed, not to their normal Hong Kong bank, but instead to a bank located in the UK. Why would a Hong Kong company use a bank in the UK? If something seems fishy, use known channels to confirm the request.
How can you protect yourself and your company from BEC?
BEC is ever evolving, so ensure employees are aware of BEC scams BEFORE they receive a questionable email. Have ongoing training in place and regularly review processes.
For example, implement and review policies to require verification of email requests for fund transfers. Use an alternate form of communication, such as phone or text, to contact the requester. And make sure that you’re using a known number – and NOT a number provided in the email.
Following best security practices can make a huge difference. If you don’t know where to begin, Old National has a Fraud Prevention Checklist to help you get started.
This will go a long way to protect your organization from loss associated with Business Email Compromise.
What if you think you’re a victim of fraud?
If you suspect your business email has been compromised:
- Immediately notify your other online banking users and urge them to not transmit any payments that were authorized by an email instruction.
- Implement dual approvals for ACH and wire transfers in your online banking platform, where available.
- Contact the financial institution(s) you use to send electronic payments to notify them of the compromise and to review recent payments for legitimacy.
If you find funds have been transferred to a fraudulent account, it is essential to act quickly.
- Immediately report the fraud to the financial institution(s) from which funds were fraudulently transferred.
- Request that your financial institution(s) contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
- File a complaint, regardless of dollar loss, with www.ic3.gov or, for BEC victims, bec.ic3.gov.
- It also pays to have a plan in place BEFORE a compromise. It’s called an incident response plan, and it can help you act quickly if you need – which can save you a lot of money.
Old National has an Incident Response Plan template to get you started.
What are some other recent fraud techniques?
One recent scam is called Multifactor Authentication Fatigue, or MFA Fatigue. According to Chris Perreira, Information Security Operations Manager at Old National, this is something that most major companies are keeping an eye on.
It works like this: a fraudster learns the username and password of an employee at a company. The fraudster then continually logs in, only to be blocked because they need to verify their identity via a confirmation on the user’s phone.
Seems like it should be safe, right? Not if the user gets 15 notices in 3 minutes, gets so frustrated that they just click “Yes” when they’re asked to verify their identity for the 15th time. Seems unlikely? Hackers got into Uber, Microsoft and Cisco this way!
Sometimes the fraudsters up their game, and pair the spamming of an employee with a fake email from that company’s fraud department, telling the employee it’s a known issue – and that they should just hit yes. If the employee follows the fake instructions, the fraudster is in!
Companies are taking steps to combat this: educating their employees, making the second step of the MFA more rigorous, and beefing up company passwords. (If passwords at the outset are more difficult to crack, there’s less chance a hacker would discover it and be able to begin spamming the victim.)
If you’re concerned about scams like these, it pays to work with your IT, banking and payment teams to develop comprehensive fraud reduction protocols. The connectedness of the business world makes commerce run smoothly – but it also means businesses need to stay vigilant.
Tim is Product Innovation Director, VP, for Old National Treasury Management. He has a background in sales, product and project management - specializing in treasury management solutions, merchant card processing, corporate cash and retail banking.