Business Email Compromise: Why Enterprises Are Ditching Their Inbox

What is the most costly form of cybercrime? You might think it’s ransomware or data theft, but it’s actually a new variation on the age-old Nigerian Prince scam called Business Email Compromise. According to the FBI’s Internet Crime Complaint Center, Business Email Compromise costs businesses more in lost funds than all other types of cybercrime – combined.

What is Business Email Compromise?

Business Email Compromise (BEC) is a type of exploit where the scammer, impersonating a high-level executive, tries to trick an employee or customer into transferring money into a bogus account. It uses spear-phishing and other social engineering techniques to convince the victim that the request is coming from a legitimate higher-up in the company. Companies that send international wire transfers are particularly vulnerable, as most of the requested payments are done via wire transfer.

BEC fraud is most often carried out by international organized crime groups. These organizations typically employ a team of hackers, social engineers, and other topic experts to ensure that the fake emails look and sound as legitimate as possible. Some BEC scammers even employ malware to gain access to a company’s network and obtain email exchanges that can help them better target specific victims.

How Does a Typical BEC Exploit Work?

There are several variations of the BEC scam. The most common ones are CEO fraud, direct deposit scams, and tax form scams.

CEO Fraud

The most common form of BEC scam is called CEO fraud. In this variation, the scammer targets someone within a company who has access to the company’s finances and bank accounts. The scammer sends the target an email that purports to be from a company executive. The email spoofs the executive’s email address and includes enough details about the company and the individuals involved to seem legitimate.

The message instructs the employee to send a wire transfer, typically to a known vendor. The message typically includes details about the transaction, mentioning what sounds like a valid purpose, such as paying a vendor or making a deposit on a large real estate or capital purchase. Included in the body of the message is the routing number for the “vendor’s” account. This routing number does not lead to the real vendor’s account, of course; instead, it’s the routing number for an account owned by the scammer, often hosted at a foreign bank. When the wire transfer is made, the funds are deposited into the scammer’s account.

Direct Deposit Scams

While not yet as common as CEO fraud, the direct deposit scam is the fastest growing form of BEC. This type of scam — also called a payroll diversion scam — involves the scammer requesting that a specific employee’s paychecks be diverted into a bogus account. This variation has the advantage of using a company’s human resource department rather than the presumably more savvy finance department. Typically, paychecks of higher-ranking – and higher-paid – employees are targeted.

Tax Form Scams

Some BEC scams involve data instead of money. In this variation, the scammer poses as an employee and requests copies of that employee’s W-2 forms. This information can then be used for identity theft – or to file a fraudulent tax return and have the refund sent to the scammer’s account.

How Big a Problem is BEC?

The FBI’s Internet Crime Complaint Center (IC3) reports that BEC scams resulted in losses of more than $12 billion between 2013 and 2018 – and $1.78 billion in losses in 2019 alone. That’s more than half of all cybercrime-related losses reported that year, and an increase of 37% over the previous year.

BEC fraud affects businesses of all types and sizes. Symantec reports that more than 30,700 businesses and other organizations were targeted in just the first quarter of 2020. The average BEC scam costs a company $75,000 – much more than the $4,400 lost in the average ransomware attack.

How Can You Protect Against BEC Exploits?

If your company is the victim of a BEC scam, you may be able to minimize your losses. The minute you suspect that there has been a fraudulent transfer of funds, contact your financial institution and request that they recall those funds. Many banks will be able to do this within a limited period of time. You should also contact the FBI and report the fraudulent transfer, as well as file a complaint with the Internet Crime Complaint Center.

Even better, you can take steps to prevent BEC exploits before they happen. Here are some of the more effective ways to guard against BEC scams:

Employ Email Rules

Have your IT staff create email rules that flag messages where the “Reply” address is different from the “From” address. Also, add rules that flag messages from addresses whose domains are similar but not identical to your company’s legitimate email domain.

Color Code Your Emails

Another approach is to color-code all incoming emails. If messages from internal accounts are one color and those from external accounts are another, it’s easy to identify bogus requests coming from outside the company.
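The email rules and the internal/external marking described above can be expressed as a small header check. The following is an added example, not code from the original article or from any mail product; the domain abc-company.example, the rule names, and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc-company.example"  # assumption: the organisation's real mail domain

def address_of(header_value):
    """Return the lower-cased address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_message(raw, company_domain=COMPANY_DOMAIN, max_distance=2):
    """Return the names of the rules that a raw RFC 5322 message trips."""
    msg = message_from_string(raw)
    from_addr = address_of(msg.get("From"))
    reply_addr = address_of(msg.get("Reply-To"))
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2]
    flags = []
    # Rule 1: replies would go somewhere other than the apparent sender.
    if reply_addr and reply_addr != from_addr:
        flags.append("reply-to-mismatch")
    # Rule 2: a domain that is close to, but not exactly, the company domain.
    for dom in {from_dom, reply_dom} - {"", company_domain}:
        if edit_distance(dom, company_domain) <= max_distance:
            flags.append("lookalike-domain")
            break
    # Marking used for colour-coding: the sender is outside the company.
    if from_dom != company_domain:
        flags.append("external-sender")
    return flags

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Pat Lee <pat@abc-company.example>\n"
           "Reply-To: pat@abc-cornpany.example\n"
           "Subject: Urgent wire transfer\n\nPlease send today.\n")
VENDOR = "From: billing@vendor.example\nSubject: Invoice\n\nAttached.\n"
INTERNAL = "From: hr@abc-company.example\nSubject: Benefits\n\nReminder.\n"
```

The “From” header alone proves nothing about the sender, which is why the constructed spoofed message is caught by its Reply-To address rather than by the external-sender marking.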

Verify Transfer Requests

Protect your financial assets by enacting two-factor authentication for all fund transfers. Instruct employees to always use routing numbers on record for vendors instead of those listed in email messages.

Should You Ditch the Email Inbox?

Many companies are eliminating the BEC problem completely by not processing any funds requests sent via email. Instead, they’re using secure communications platforms for all sensitive information or fund requests.

These communications platforms, such as AWS Wickr, use end-to-end encryption to ensure that all communications come from authorized sources. These platforms can’t be hacked or spoofed by malicious actors, which ensures that all fund requests are legitimate.
