Fraudsters will take advantage of any opportunity to scam unsuspecting individuals and businesses out of their money, and the COVID-19 crisis is no exception. The level of disruption caused by the pandemic itself, as well as the response to the pandemic, is unprecedented. With social distancing and stay at home orders in effect across the country, businesses have temporarily closed their offices and everyone who can is working from home.
These new working conditions were thrust upon companies and their employees with little warning. Without enough time to make the necessary accommodations, internal controls and security were compromised, providing fertile grounds for criminals to prey upon companies with a myriad of scams, including business email compromised attacks.
To discuss business email compromised (BEC) attacks and how businesses can better protect themselves amidst the COVID-19 pandemic, PaymentsJournal sat down with David Barnhardt, Chief Experience Officer at GIACT and Tim Sloane, VP Payments Innovationat Mercator Advisory Group.
What are BEC Attacks?
BEC, or business email compromised attacks, are sophisticated schemes that infiltrate businesses via email with a request targeting individuals with access and authority over company funds. Scammers may ask a controller, or someone in accounts payable, to change the name, account number, address, or other payment instructions of a supplier or someone else that the company owes, allowing the criminals to intercept the funds.
These communications are very deceptively designed. Emails typically come from an address that looks very similar to an address of someone that is known to the recipient, perhaps changing only one letter or character. For an employee who doesn’t notice the altered email address, the payment change request can appear to be legitimate.
BEC attacks are not petty theft. According to the latest statistics from the FBI, 80% of surveyed businesses reported being targeted by a BEC scam, 54% of businesses admitted to being financially impacted by BEC, and roughly $2 billion is lost every year.
A well-publicized example of BEC fraud was the Ubiquity theft that amounted to a loss of $46 million. Con artists sent an email to the new CFO that appeared to have been sent from the CEO. The email stated that the CFO should expect a call from the company’s lawyers regarding an acquisition. When the fraud operators called, pretending to be the lawyers, they were able to con the CFO into making several wire transfers.
BEC fraudsters use a range of tactics, from simple phishing schemes to more complex targeted attacks. Once they get into the system, they research your email history, who you email, and who the accounts receivable and accounts payable contacts are. They can mimic an email’s format, tone, and content, including signatures and company logos. Then they can use this information to lure their targets into opening emails, clicking on links, and ultimately redirecting funds. Some of the most sophisticated schemes involve using AI technology to mimic someone’s voice, perhaps the department head or company CEO, to create a convincing voicemail message or engage in a persuasive phone conversation.
3 Step Approach to Scam Prevention
“It all starts with the right tools and detecting critical pieces of information,” says Barnhardt.
There are a lot of valid requests for changes in payment, which makes it easy for scammers to sneak their requests in without raising any red flags. Given the degree of sophistication used, it can be very difficult for employees to recognize the scams. Companies risk falling victim to scammers if they don’t take the time to evaluate all requests thoroughly by verifying three critical pieces of information:
- Verify the incoming address or phone numbers, depending on the method of contact.
Verifying the source of the email or phoned in request can be as easy as picking up the phone and calling a verified phone number that you can look up in real time.
- Verify payment account information on every single payment.
“Robust account validation goes beyond simply confirming if an account is open and valid,” explained Barnhardt, “businesses need to be able to run all their payments against a stricter validation process, which includes the status of the account, the account ownership, is this account in your customer’s account, or are those signers authorized to transact on that account.”
- Verify the identity of the person and company that is requesting the change.
This includes checking identity records on the business including name, address, phone number, email address domain and then verifying that the specific email address is a valid corporate address.
Having the right tools in place to verify information is a critical component of fraud prevention. GIACT provides the proper tools for verification along with their expertise in fraud prevention to help assess and improve security within a company. Beyond training employees to be on the lookout for suspicious activity, Barnhardt suggested “white hat testing” wherein an ethical hacker is hired by the company to try find weaknesses and improve security to protect the company.
GIACT’s account verification process is fast and efficient. Users send a routing transit account number, name, and address for the account. GIACT reaches out to the financial institution in real time to validate that the account is in fact open and that it does indeed belong to the person or company with whom the user intends to conduct business.
The financial institution checks to see if the information provided matches their records and returns a simple yes or no response. In the event that the information given is not a match, they will not give any indication of the correct information so as to eliminate the possibility of enabling fraud.
Accounting departments use this tool for both accounts receivable and accounts payable. Accounts receivable verifies payment accounts when setting them up or when debiting the account for goods sold. When debiting consumer accounts, businesses want to make sure that the account is open, valid, and that their customer is an authorized user on the account to prevent unauthorized returns. On the payables side, accounts are verified before payments are sent.
It would be difficult, but not impossible, for fraudsters to get past the account verification process. They would need to open their own account in the name of the company they were using to divert funds. Barnhardt recommends “using the other tools and services like email validation identity, which encompasses phone numbers, to be able to round out the picture, but,” he adds “account validation certainly goes a very long way. It is probably the number one product that is used by the businesses that have controllers that are continuously setting up new payments or changing payments.”
Remote working conditions have left many vulnerable to fraud. The lack of security, internal controls, and oversight has resulted in a rise in business email compromise attacks. With an increase in remote workers, companies need to be even more rigorous in verifying transactions. Adding account verification processes will help prevent losses and protect customers.