If you’re a company controller, treasurer, or accountant, you will want to be alert to a scam that’s been making the rounds with increasing frequency. Known as the “Business Email Compromise,” or BEC, this scam targets those responsible for handling the money within a company or organization, instructing them to wire a large sum to a specific account. The email containing this request appears to come from an executive within the organization, lending validity to the scam. Attached to the email are instructions for completing the wire transfer.
In June 2014, the FBI Denver Division noted an increase in complaints filed regarding this particular email scam, indicating a rise in this type of fraud. Globally, the combined dollar loss is more than $200 million, with that amount projected to keep growing. Companies in the U.S. account for more than $170 million of those losses.
Spotting a Business Email Compromise Scam
The majority of the companies targeted in this scam use an open-source email system. Individuals with ability to perform wire transfers on the company’s behalf are targeted, and dollar amounts are very specific in order not to arouse suspicion. The scammers perpetrating this fraud use an email address that appears to be from an executive within the company; closer examination of the email address will reveal a difference in one character from the actual address, such as “ABCccompany” rather than “ABCcompany” or another misspelling difficult to recognize at first glance.
BEC Scam Variations
There are three specific variations of this scam circulating:
- A request from a long-standing supplier to wire funds to a specific account, particularly if this is not the usual method of payment. Closer examination of the request will reveal a spoofed address and/or account information.
- A request from a high-level executive (CEO, CFO, etc.) within a company, seeking a wire transfer of a large sum to a specific account, often with instructions on how to code the transfer internally for accounting purposes. In some instances the request is made directly to the company’s financial institution. In this case the executive’s email address may either be spoofed or hacked.
- A request for an invoice payment generated from an employee’s personal email account, particularly if correspondence from this employee is normally channeled through their business email account. In this case the employee’s personal email account has been hacked and the fraud is not discovered until the supplier follows up with the company regarding payments made.
Protecting Yourself from a BEC Scam
You may think that because your company hasn’t received an email of this type that you will not be targeted. The criminals perpetrating this scam don’t discriminate, and your company may be targeted in the future. By putting a few protocols in place ahead of time, you may be able to stop this scheme in its tracks. Suggestions from the Federal Trade Commission include:
- Requiring chain-of-command approvals for dollar amounts over a certain level
- Requiring a purchase order to accompany all expenditures, along with chain-of-command approval
- Confirming any request for a wire transfer with the person making the request (ideally via phone or in person)
- Double-checking the email address accompanying such a request
- Resisting a call to quick action and instead seeking verification of a request
Reporting a BEC Scam
Companies that are victims or intended victims of this fraud, regardless of dollar amount, are encouraged to report the incident to the Internet Crime Complaint Center (IC3). Include as much information as possible, including:
- Email message headers
- Identifiers such as name, website, bank account, email addresses
- Information regarding the date of the fraud, including how it was accomplished and why
- Loss amount, both actual and attempted
- Any other relevant information
Identify your complaint as “Business Email Compromise” or “BEC” so that it gets routed correctly. Also, maintain all original correspondence, faxes, emails, telecommunications logs, and any other communications related to your complaint. You will need this information should law enforcement contact you in a criminal investigation.