Opening an email shouldn’t seem as risky as walking down a dark alley, but sometimes today you get that feeling. One wrong click and the consequences can be dire.
Business Email Compromise, or BEC, is a fact of life for companies large and small, as fraudsters work harder than ever finding new ways of making a dishonest buck. In 2014, the FBI’s Internet Crime Complaint Center (IC3) received 2,400 complaints about BEC, reporting losses of $226 million. By 2020, BEC complaints increased to more than 19,000 with a loss tally of $1.8 billion.
And in its “2021 AFP Payments Fraud and Control Survey Report,” the Association for Financial Professionals found that more than three-quarters of organizations were targeted by BEC attacks. AFP also noted a simple truth: “[Fraudsters’] success in deceiving organizations encourages them to continue to use BEC.”
BEC can rear its ugly head in several forms (scammers are nothing if not creative). But a typical incident begins with someone in an organization receiving an email that in many ways looks legitimate. The “from” line will often have the name of the CEO or another company official. Inside is a request to change payment information, often for a vendor and always complete with new account and routing numbers. The employee receiving the email believes it’s on the level, complies with the instructions, and everything seems fine—until the real vendor calls asking where their payment is. Odds are that money is gone forever; only the angst lingers.
There are numerous other ways for BEC scams to be perpetrated, including calls, faxes, even a letter in the mail. But in most instances, another old school method can stop BEC cold: a telephone call. During Nacha’s Smarter Faster Payments Remote Connect in August, FBI Special Agent Brian Walsh said, “Human contact, verbally confirming this information can defeat many of these frauds.”
Encourage your employees to call whoever supposedly sent the email—even if it’s the CEO—and verify its authenticity. They should also hover over the sender’s name to see the email address—is it really from who it claims, or from some other domain? Either way, instead of hitting “reply,” forward it to what you know is the correct email and ask if this is for real.
“Measure twice, cut once,” as any good carpenter will tell you. Taking a couple of minutes to double-check can save a world of trouble. A Nacha colleague recently shared how her sister’s company had a client insisting he was owed payment on a $30,000 invoice, even though her company had made an ACH payment to his business account. Our colleague asked her sister if she had spoken to the client or just exchanged emails (the latter) and did those emails have spelling and grammar errors. A closer look showed the domain name was off by one character, and then a phone call to the client revealed he never sent those emails and had, in fact, received payment. In this instance, a BEC loss was avoided by a phone call.
Financial institutions can be a primary source of education and assistance for their account holders in identifying and preventing BEC-type scams—and in recovering when a customer is victimized. ODFIs can assist businesses and other organizations with controls and anomaly detection; RDFIs can assist businesses and consumers in identifying and detecting schemes in which their accounts are used as money mules that enable the flow of funds.
When it comes to BEC and other scams, there are other things all of us need to be aware of, and actions to take to avoid becoming victims. Nacha recently updated our “Protecting Against Cyber Fraud” booklet, which is free to download. Nacha’s Current Fraud Threats page also has the latest on not only BEC, but ransomware, account takeover, and, yes, coronavirus scams.
Nacha’s ACH Contact Registry can also help. For example, an RDFI with one or more unexpected large credits to a new account could contact the ODFI for additional information; or the ODFI of such a credit could contact the RDFI with assistance in recovering the funds. An easy way to find the right ACH contact is through the ACH Contact Registry.
Finally, if your organization falls victim to BEC, let the FBI know through its IC3 website.
You’ve heard that a chain is only as strong as its weakest link. Strengthen the links in your organization and fight back against BEC.
The ACH Contact Registry is housed on Nacha’s Risk Management Portal.
Read more about what the AFP Survey found about BEC in our blog.
FBI Agent Walsh and others had more to say about scams during a Payments Remote Connect session. Our blog has details.