GIACT, the leader in helping companies positively identify and authenticate customers, announced a new report, Business Email Compromise: A Global Threat, detailing how well-organized cybercrime operations are evolving business email compromise (BEC) schemes. The report also details the diverse ways in which BEC is being committed as well as how businesses can proactively validate account information using real-time, diverse data sets, before a potentially fraudulent payment is disbursed.
BEC, defined as a fraud tactic using email to socially engineer an employee to install malware or unwittingly transfer/redirect funds into a fraud operator’s account, is an increasingly sophisticated and elusive fraud tactic. Today, targets of BEC go beyond inattentive employees not paying attention; fraud operators are using malware and other tactics to hack into email servers to enhance their traps and their ability to social engineer and target their victims.
“Business email compromise is a nearly $2 billion a year business, according to the FBI,” said Shirley Inscoe, Senior Analyst at Aite Group. “Fraud groups are becoming more organized and are deploying more sophisticated tactics. Malware, email account takeover, spear phishing and other advanced social engineering tactics have come into play, resulting in high-ticket losses. Businesses need to find ways to spot spoofed emails and requests as they come in as well as, importantly, to validate the receiver’s account information before payments are disbursed.”
BEC has increasingly become a major fraud issue in the US According to the FBI, there has been a 46% year-over-year uptick in reported cases. The Association for Financial Processionals (AFP), meanwhile, reported that in 2018, 80% of surveyed businesses reported being targeted by a BEC scam — up from 77% the year prior. And, for the first time, the AFP found that a majority of businesses surveyed (54%) admitted to being financially impacted by BEC.
“Given the advances in business email compromise tactics, the bottom line is this: anyone can be impersonated,” said David Barnhardt, Chief Experience Officer at GIACT. “To stop losses, businesses need to validate account information in real-time, before funds are ever sent. The only true way to do that is through robust account validation measures that go beyond simply confirming if an account is active. Businesses need to be actively validating and revalidating account status, payment history, triangulating ownerships and the consistency of personally identifiable information, among other things.”
