According to the 2019 Association for Financial Professionals Payments Fraud and Control Survey, 82% of organizations were victims of attempted or actual fraud in 2018. In addition, 80% of companies have been subject to attempted or actual business email compromise (BEC) fraud in 2018.
Harvesting targets
Fraudsters scour open internet sources and the dark web to identify potential targets. They seek information like email addresses and job titles for people who can direct others to initiate payments, like those in senior leadership positions, and people with the ability to initiate payments, like accounts-payable employees.
During this stage, fraudsters will also attempt to introduce malware into an organization by sending emails that contain malicious links. Once a link is clicked, the malware allows the fraudster to live within the organization's technology platform. From there, they can monitor keystrokes and emails, including those exchanged with vendors and suppliers.
Engaging targets
Fraudsters will impersonate company personnel or vendors when sending payment-request emails. These emails can seem authentic, as the fraudsters have been monitoring email traffic to gain insight into email signatures, addresses and format, along with prior vendor payment requests. Fraudsters have been known to send these emails when they know management will be away from the office, so the email recipient will have difficulty validating a payment request.
Common email characteristics
- Payment bank information differs from prior payment requests; examples include name, routing number, or account number
- Marked as rush, urgent, or sensitive
- Small differences between the email address of the legitimate sender and the fraudster’s email address; for instance, a lower-case L might be replaced with the number 1
- Email narrative contains instructions to call a telephone number that differs from telephone numbers associated with the impersonated company or individual
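The look-alike address characteristic above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it compares a sender address against a list of known contacts and flags near matches such as a lower-case L replaced with the number 1. The trusted addresses, the sample senders and the small confusable-character map are all constructed assumptions.

```python
# Added example: flag sender addresses that imitate a known contact.
# TRUSTED and the sample senders below are constructed for illustration.

# Assumption: a deliberately small confusable map; a production check would
# use a fuller table (for example the Unicode confusables data).
CONFUSABLE = {"1": "l", "0": "o"}
TRUSTED = ["billing@paloma-supply.example", "ap@northwind-parts.example"]


def skeleton(address):
    """Collapse look-alike characters so 'bi11ing' and 'billing' compare equal."""
    s = address.strip().lower().replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLE.get(ch, ch) for ch in s)


def edit_distance(a, b):
    """Levenshtein distance: catches one added, dropped or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender, trusted=TRUSTED):
    """Return (verdict, matched_address): trusted, lookalike, or unknown."""
    addr = sender.strip().lower()
    known = sorted({t.strip().lower() for t in trusted})
    if addr in known:
        return ("trusted", addr)
    for t in known:
        # Not an exact match, but visually or typographically close to one.
        if skeleton(addr) == skeleton(t) or edit_distance(addr, t) <= 1:
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    for s in ["billing@paloma-supply.example", "bi11ing@paloma-supply.example",
              "billing@pa1oma-supply.example", "billing@paloma-suply.example",
              "sales@unrelated.example"]:
        print(s, "->", classify_sender(s))
```

A "trusted" verdict only means the address string matches a known contact; it does not show that the message is genuine, so changed payment details still call for verification by telephone using a trusted number.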
What should you do if your organization suspects or confirms BEC fraud?
- Time is of the essence when attempting to recover funds. Immediately contact your financial institution and consider filing a complaint with the Internet Crime Complaint Center (IC3). Depending on the circumstances, the Federal Bureau of Investigation can attempt to recover funds after a complaint is filed with IC3.
- Escalate the issue within your organization and contact the party that was impersonated, whether it was a vendor, colleague or someone else.
What are some leading practices to limit BEC fraud exposure?
- Consider how information posted on open internet sources, like vendor or supplier relationships, could be leveraged to commit fraud.
- Conduct annual fraud and information security awareness training.
- Ensure IT protections, including anti-malware and antivirus programs, are current.
- Call trusted telephone numbers to verify payment requests.
- Immediately report suspected or confirmed fraud.
For more information on how to prevent business email compromise and other types of payment fraud, reach out to your relationship manager at any time.