Thieves no longer enter businesses through an unlocked door; now, they just go straight to your inbox. According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes because employees are so reliant on email in our daily lives.
Here's how quickly it can happen: A business receives an email that appears to be from a supplier they've worked with for years. The email goes to employees with transactional authority—accounts payable, check signers, authorized individuals—asking that funds be wired to settle an outstanding invoice. The email even includes a link to what looks like a very real invoice. When an employee clicks on the link to view the invoice, sensitive information is transmitted to the attackers or malware is downloaded onto the company's computer. A single click could lead to a significant loss for the company.
BEC is a sophisticated scam targeting companies that regularly perform wire transfer or ACH payments and/or work with foreign suppliers. The scam compromises legitimate business email accounts to conduct unauthorized transfers of funds. Scammers can pose as:
- Your vendor, sending an invoice with updated bank account information for ACH payments.
- An established supplier, asking to be contacted at a different email address from all previous official correspondence.
- Your CEO or CFO, giving instructions to send a wire transfer.
"These scam techniques are not new, but they're getting more and more sophisticated," said Scott Edwards, director of fraud risk management at BOK Financial®. "We urge you to remain vigilant and remind your employees to pay attention to email details to help your company avoid fraud."
How to protect your company
Your business should have a variety of manual and system controls in place to thwart BEC attempts that make it into employee inboxes.
- Establish out-of-band communication. Use an alternate form of communication other than email, such as a telephone call, to verify transactions over a pre-set dollar amount. Set up this verification process early in the business relationship using a method other than email.
- Standardize validation for payments and account changes. Establish with your customers and business partners how changes in account information will be communicated and validated. Also, confirm how you expect them to validate changes to your banking information.
- Confirm significant or out-of-pattern changes. Beware of sudden changes in business practices. Be especially wary if the requestor is pressing you to act quickly.
- Verify payment and purchase requests using a second method. Verify payment and purchase requests from within your company or from a vendor in person if possible or by calling the requestor to confirm legitimacy. You should also verify any change in an account number or payment procedures with the person making the request. Follow controls for the validation of new or revised payment information.
- Watch for contact information changes. If a vendor's payment location changes, that's a red flag. Be very suspicious if a vendor offers vague reasons for changes to a new account, such as tax audits or current events, e.g., "Due to COVID-19, we need to update our payment information…"
"You can never be too cautious with business email compromise," said Abdullah Aliya, fraud manager in the Financial Crimes Department at BOK Financial. "If something seems off, assume the worst. Do not click on anything unfamiliar or follow any new instructions without escalating your concern. Slowing down and investigating could save your company a lot of frustration down the road."
What to watch out for
- Emailed transaction instructions directing payment to a known beneficiary whose account information differs from what was previously used.
- Transaction instructions via email with directions to wire funds to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
- Instructions to direct payment to an account without an established business relationship.
- A payment request for an amount that is inconsistent with typical payment patterns for that vendor.
- Emailed transaction instructions with markings, assertions or language designating the transaction request as "urgent," "secret," or "confidential."
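The red flags above can be checked mechanically before a payment is released. The following added example (not BOK Financial's or the FBI's code) screens an emailed payment instruction against a hypothetical vendor-master record; the vendor data, email addresses, account numbers and the 2x amount ratio are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Wording the article lists as a marker of a suspect request.
URGENCY_TERMS = re.compile(r"\b(urgent|secret|confidential)\b", re.IGNORECASE)

@dataclass(frozen=True)
class VendorRecord:
    # Hypothetical vendor-master entry: what past, validated payments looked like.
    known_accounts: frozenset
    known_emails: frozenset
    typical_amount: float  # e.g. median of validated historic payments

@dataclass(frozen=True)
class PaymentRequest:
    # Fields a payables clerk would transcribe from the emailed instruction.
    vendor: str
    sender_email: str
    beneficiary_account: str
    beneficiary_country: str
    amount: float
    body: str

def screen_request(req, vendors, home_country="US", max_ratio=2.0):
    """Return the red flags that should force out-of-band verification before paying."""
    flags = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        flags.append("no established relationship with beneficiary")
    else:
        if req.beneficiary_account not in vendor.known_accounts:
            flags.append("beneficiary account differs from prior payments")
        if req.sender_email.lower() not in vendor.known_emails:
            flags.append("sender address differs from prior correspondence")
        if req.amount > max_ratio * vendor.typical_amount:
            flags.append("amount inconsistent with payment pattern")
    if req.beneficiary_country != home_country:
        flags.append("foreign beneficiary bank")
    if URGENCY_TERMS.search(req.body):
        flags.append("urgent/secret/confidential wording")
    return flags

# Constructed sample data: not real vendors, addresses or accounts.
VENDORS = {
    "Acme Supply": VendorRecord(frozenset({"ACCT-1001"}), frozenset({"ap@acme-supply.example"}), 12_000.0),
}
ROUTINE = PaymentRequest("Acme Supply", "ap@acme-supply.example", "ACCT-1001", "US", 11_500.0,
                         "Invoice 4471 attached, net 30 as usual.")
SUSPECT = PaymentRequest("Acme Supply", "ap@acme-supp1y.example", "ACCT-9090", "HK", 48_000.0,
                         "URGENT: due to an audit, please wire to our new account today. Keep confidential.")
```

A request that returns an empty list still follows the normal approval path; any flag at all routes the request to a telephone call on the number already on file, never a number supplied in the email.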
Protecting your business
"Every business should have a BEC response plan in place," said Edwards. "Established controls and employee training and quick reporting could increase the likelihood of stopping potential fraudsters or recovering losses."
If you suspect fraud, quickly engage your IT and information security teams to determine if there has been a network or email compromise. Then, notify your financial institution immediately.
For international wire transfers over $50,000, call your regional FBI office and local police within 72 hours. The FBI offers a Financial Fraud Kill Chain (FFKC) process to help recover large international wire transfers stolen from the United States.
Wire transfers outside of these thresholds should still be reported to law enforcement through the FBI's Internet Crime Complaint Center (IC3), but the FFKC cannot be utilized to return the fraudulent funds.
Learn more about BOK Financial's online security or call 844-517-3308 to report suspicious activity on accounts at BOK Financial. The Cybersecurity and Infrastructure Security Agency also keeps an up-to-date list of current threats.