Business Email Compromise: Don’t Become a Victim


Michael W. Kahn



How huge is the problem of Business Email Compromise? Amy K. Morris summed it up in three words. 

“It is everywhere,” said Morris, Nacha Senior Director, ACH Network Rules. And that means financial institutions and businesses—large and small, public and private—need to be proactive to stop the scammers in their tracks. 

As the recent Nacha webinar “Over $26 Billion in BEC Scams: What Can be Done?” made clear, you’ve got to stay on your toes, because there’s always a new twist. 

One that’s increasingly popular involves an email to employees—purportedly from the CEO—instructing them to buy hundreds of dollars in gift cards. Google Play, iTunes, and Amazon cards are most popular. Then they’re told to scratch off the back to reveal the codes, which should be sent to the “CEO” by email. 

“This is gaining momentum because the fraudsters are using this as a cash out mechanism,” said Jeanette A. Fox, Nacha Senior Director, Risk Investigations, ACH Network Risk Management. Through a series of transactions involving cryptocurrencies and electronic wallets, they eventually convert the codes to dollars. 

Another big scam involves sending employees an email supposedly from either payroll or human resources. It directs them to a new site where they should log in with their existing credentials and verify their bank accounts. 

“This achieves a lot for the fraudsters,” said Fox, including the ability to redirect salary payments from bank accounts to prepaid cards, “making it harder to find.”

And while it’s called Business Email Compromise, don’t let that mislead you.

“The payment instructions can come through any channel,” warned Devon Marsh, Wells Fargo Bank’s Senior Vice President, Payment Industry Relations Office. That includes a phone call, text message, U.S. Mail or fax. 

“The good news is that effective controls don’t need to be highly technical, and they don’t need to be expensive,” said Marsh, noting, “a checklist can be extremely useful in a payment initiation scenario.

“It can prompt people to be skeptical. It can be adapted to different work environments and customizable. And it’s used to ensure people don’t tune out and forget a step—especially when that step is part of a key control.”

Ralph Gagliardi, Agent in Charge of the Cybercrime Unit at the Colorado Bureau of Investigation, stressed the need to partner with law enforcement, be it local or state police or the FBI. The time to do that is now—before you need their help.

“Financial institutions: If you are in the right spot to do something, and your hairs are standing up on the back of your neck, whether it’s from a checklist, or you know something’s not right with your customer, have that right partnership already set up with law enforcement,” said Gagliardi, a 30-year law enforcement veteran. 

The complete 90-minute “Over $26 Billion in BEC Scams: What Can be Done?” webinar contains valuable insights on how to avoid becoming a victim of BEC. The webinar recording is available for purchase. The webinar is worth 1.8 continuing education credits for AAPs and APRPs.

Also be sure to visit Nacha’s Current Fraud Threats page for valuable BEC resources including our “Protecting Against Fraud: How to Spot and Prevent Fraud Schemes” booklet.