Scammers rely on busy workdays and busy bosses when they blast off emails, hoping to bilk businesses and other organizations out of everything from gift cards to cash.
Since 2016, these emails, known as business email compromise, have caused $3 billion in losses, with another $23 billion attempted, and, according to the Federal Bureau of Investigation, more loss than any other type of fraud in the U.S.
BEC is an email phishing scam that typically targets the employees who pay bills in businesses, government and nonprofit organizations. The emails, crafted to look legitimate and to appear to come from a reliable source, direct those employees to send money, supposedly to administrators, partners, customers, employees or home buyers, to bank accounts that are actually controlled by the scammer.
BBB’s investigative study on BEC fraud
The scam has become such a problem that the Better Business Bureau has conducted a special investigative study, “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise (BEC) Scams,” released earlier this month.
The 12-page study defines the components of BEC scams and describes how they work and the primary entities carrying them out. It outlines how businesses and organizations can avoid scams and respond when one occurs. And it includes several pullout boxes with stories from a chief executive officer, Realtor and local business.
As stated in the study, BEC fraud is a serious problem, tripling over the last three years and showing a 50% increase in the first three months of this year compared with the same period in 2017. To put it in perspective, 80% of businesses received at least one of these emails in 2018. The success rate is low – Agari, an email security solutions provider, reports it as once for every 300 attempts – but at that rate the scam is still profitable.
How BEC fraud operates
Emails sent by BEC fraud groups come from a spoofed or hacked account and ask the recipient to wire money, buy gift cards or send personal information. The groups do this by obtaining employees’ names, job functions and email usernames and passwords and impersonating a trusted superior or partner. The emails may include the name of a real person in the “from” line and be sent from another address, use a domain name similar to that of a real company or access the real person’s email account.
What makes the emails successful is social engineering, or deception: they look believable and typically convey a sense of urgency, such as a request, a follow-up or a question like, “Are you at your desk to make a payment?” Employees may be nervous about bothering their boss, the boss may be out of the office, or it may be a busy holiday period with more temporary employees.
The FBI’s Internet Crime Complaint Center identifies six different BEC and email account compromise frauds based on who appears to be the email sender. They include CEOs asking for money to be wired, vendors or suppliers requesting invoice payments, executives requesting copies of employee tax information, and Realtors and title companies redirecting sales proceeds into a new account, as well as requests for direct deposits of paychecks and appeals by employers or others to buy gift cards on their behalf to give to staff or volunteers.
How businesses can avoid BEC fraud
To thwart scammers, businesses need to improve internet security and increase general awareness. They are advised to invest in IT precautions and cybersecurity to prevent phishing emails and train staff on how to recognize and avoid responding to them.
The BBB study provides several recommendations, including:
IT and technical precautions: Require multifactor authentication, such as sending a text message with a log-in code. Change email settings to flag emails with warnings when they come from outside an organization. And limit the number of incorrect logins before an administrator needs to be contacted.
Culture/training: Confirm requests by phone or in person before sending money or completing a transaction; confirming by email or text alone is not enough. Verify changes in customer, employee and vendor information, since fraudsters may have altered it to carry out their scheme.
Insurance/malpractice: Purchase cyberinsurance, though most policies exclude coverage for social engineering losses. Riders that cover social engineering are available at an extra cost.
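The warning signs described above (a real person’s name in the “from” line with an outside address, a domain that looks like the company’s, mail from outside the organization) can be checked mechanically at the mail gateway. The following is an added example, not code from the BBB study; the organization domain, the executive directory and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import difflib

OUR_DOMAIN = "example-corp.com"                       # assumed org domain
EXECUTIVES = {"pat lee": "pat.lee@example-corp.com"}  # assumed directory

def is_lookalike(domain, trusted=OUR_DOMAIN, threshold=0.85):
    """Flag a sender domain that closely resembles ours but is not ours."""
    if not domain or domain == trusted:
        return False
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= threshold

def check_message(raw):
    """Return the BEC warning flags raised by one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    flags = []
    if domain != OUR_DOMAIN:
        flags.append("EXTERNAL_SENDER")        # the warning banner the study recommends
    if is_lookalike(domain):
        flags.append("LOOKALIKE_DOMAIN")       # e.g. a digit swapped for a letter
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        flags.append("DISPLAY_NAME_IMPERSONATION")  # real name, wrong address
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        flags.append("REPLY_TO_MISMATCH")      # replies diverted to another mailbox
    return flags

# Constructed sample messages (not real mail).
SPOOFED_NAME = ("From: Pat Lee <pat.lee@gmail.com>\n"
                "Subject: Are you at your desk to make a payment?\n\n"
                "Need a wire sent today, will explain later.\n")
LOOKALIKE = ("From: Pat Lee <pat.lee@examp1e-corp.com>\n"
             "Reply-To: accounts@examp1e-corp.com\n"
             "Subject: Updated vendor bank details\n\nSee attached.\n")
LEGIT = ("From: Pat Lee <pat.lee@example-corp.com>\n"
         "Subject: Q3 numbers\n\nThanks for the report.\n")

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_NAME), ("lookalike", LOOKALIKE), ("legit", LEGIT)]:
        print(label, check_message(raw))
```

Any flagged message still needs the out-of-band confirmation the study calls for; the checks only decide which mail deserves a warning banner or a hold.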
BBB’s role with BEC fraud
The BBB has taken an active role in helping address BEC fraud, including issuing alerts when scams occur, adding a category for BEC fraud in the BBB Scam Tracker and urging retailers selling gift cards to warn about their fraudulent uses.
If a business or organization falls victim to BEC fraud, it is advised to call the bank to stop the payment and to report the fraud to the FBI – if a report is filed within 48 hours, there is a chance the money can be recovered. It also can file a complaint with the FBI’s Internet Crime Complaint Center, including for any unsuccessful BEC attempts.
The BBB would like to see emails return to their primary function – that of quick, effective communication without interference from criminal sources. Following these steps can help keep fraud out of business email and let businesses focus on what they are good at.
Shelley Polansky is president/CEO of BBB Serving Northern Colorado and Wyoming.