August 31, 2021

One Phone Call Can Stop Your Organization from Being a Business Email Compromise Victim


Michael W. Kahn




It seems like the bad guys work night and day concocting new ways to separate people and businesses from their money. But when it comes to cybercrime, one scam tops the list: Business Email Compromise (BEC).

“That accounts for over $1.8 billion in loss” in 2020, said FBI Special Agent Brian Walsh with the Cyber Squad. That’s more than triple the amount lost to romance scams and confidence frauds, which placed second on the 2020 loss list compiled by the FBI’s Internet Crime Complaint Center (IC3). IC3 received nearly 800,000 complaints last year representing more than $4 billion in losses. 

BEC is a failure of processes and procedures, not the payments systems themselves. BEC can take different forms, but the most prevalent is “spear-phishing,” where an email looks like it comes from a known or trusted sender. 

“What they’re trying to do is get you to click on a link—generally in an email, but could be via text message,” Walsh, a 19-year veteran of the Bureau, told a Smarter Faster Payments Remote Connect session. That link goes to a “phishing kit” website. 

“That website is going to look very much like any email portal that you might use such as Gmail, Yahoo, Hotmail, or Office 365,” said Walsh. Once you enter your username and password “that information gets sent directly to the criminal,” who then quickly logs into the real email portal and sends scam messages that look legitimate.

The FBI has investigated numerous cases where a CEO’s hacked email is used to send urgent messages instructing finance to immediately pay an invoice. “We’ve seen instances where up to the millions of dollars will be sent” using either ACH or wire, said Walsh. 

Among frauds targeting individuals, Jeanette Fox, AAP, Nacha Senior Director, Risk Investigations & ACH Network Risk Management, called mortgage closing scams “one of the most nefarious” given how they often hit people who spent years saving for a home. 

Fraudsters hack into a title company’s email and monitor upcoming settlements. “They’re going to contact one of the homebuyers and say, ‘Your closing amount is this, and it’s due right away, and we can’t take a check so why don’t you just go ahead and send that.’ And of course, the person who doesn’t want to lose hold of that dream house, they’re going to do it. And their money could be gone, especially if it is sent by wire,” said Fox, noting wires are generally final and irreversible. 

Kim A. Bruck, AAP, ACH Program Manager, Payment Program & Initiatives at Desert Financial Credit Union, said credit unions and banks can help defeat mortgage scams.  

“I think it’s really important as a financial institution for your mortgage area to educate the client on how they will communicate to them,” said Bruck. “It’s education right up front, letting them know what we’re going to do,” so that if a scam email is received “hopefully the red flag goes up.”

Walsh said there’s often a very simple way to thwart the scammers.

“What defeats this? A phone call,” said Walsh. “Human contact, verbally confirming this information can defeat many of these frauds.”

Much more was discussed during the Smarter Faster Payments Remote Connect session, “The Deep Fake: The Fight Against Cybercrime.” Registered attendees can access the recording on demand until Nov. 30, 2021.

Visit Nacha’s Current Fraud Threats page for the latest information and resources.

There is also a wealth of information on the FBI’s Internet Crime Complaint Center (IC3) website.