What is business email compromise (BEC) fraud?
Business Email Compromise (BEC) is a method of defrauding businesses that process wire transfers. BEC affects global companies as well as governments and individuals. In fact, the daily global loss caused by this fraud method is estimated at approximately 8 million dollars.
In this method, fraudsters use malware to infiltrate business email accounts. Once an account is compromised, a fraudulent email is sent from it instructing the recipient to transfer money to an account the fraudsters control.
What are BEC fraud types?
Today, BEC fraud can take many different forms:
Invoice fraud: Fraudsters send fake invoices or payment requests to trick the company’s finance department and redirect payments to their own accounts.
CEO fraud: Attackers often impersonate senior executives to order urgent money transfers or payments.
Impersonating a lawyer: Fraudsters pretend to be lawyers and ask for money to be transferred for legal matters.
Gift card scams: Scammers pretend to be company executives and ask employees to purchase gift cards and share the card codes with them.
Vendor email account hijacking: Attackers take over a supplier's email account and use it to request changes to payment details, such as the bank account to which invoices are paid.
Data theft: In some BEC attacks, attackers impersonate an employee of the company in order to request or steal confidential company data.
What are the four steps in BEC fraud?
Step 1 – Goal Setting
First, fraudsters collect information about the company and its employees from sites such as LinkedIn and Facebook. Then they use malware to monitor the company's systems.
Step 2 – Preparation
Having gathered this information, the fraudsters use phishing to build trust with employees and, by posing as managers, pressure them to act quickly.
Step 3 – Information Exchange
The target is made to believe they are carrying out a legitimate transaction and is given instructions to transfer the money.
Step 4 – Payment
The funds obtained are transferred to another bank account that the fraudsters control.
How is BEC fraud detected?
For early detection and prevention of BEC fraud:
- Report BEC scams and fraudulent money transfers to the police within 72 hours.
- When filing a suspicious activity report (SAR), provide transaction and cyber information about the incident.
- Communicate and share information with other financial institutions.
- Assess vulnerabilities of business processes and systems.
- Adopt a multi-pronged monitoring system.
- Provide training and awareness to detect and avoid phishing attempts.
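The "multi-pronged monitoring" point above, together with the attack types described earlier (CEO fraud, vendor account hijacking, urgent payment requests), is what an inbound-mail triage rule set has to catch. The following is an added example, not code from the original article: it scores a message on several BEC indicators (an executive's display name on an external sender, a lookalike sending domain, a Reply-To that diverts replies elsewhere, and urgent wording combined with a payment or bank-detail request) and routes anything with two or more indicators to out-of-band verification. The company domain, executive list, keyword lists, thresholds and the sample messages are all constructed assumptions for this example.

```python
"""Heuristic BEC triage (added example; not from the article).

Signals checked, each a common BEC indicator:
  * an executive's display name on a message from outside the company,
  * a sending domain within a small edit distance of the company domain,
  * a Reply-To whose domain differs from the From domain,
  * urgent wording combined with a request to pay or change bank details.
COMPANY_DOMAIN, EXECUTIVES, the keyword lists, the thresholds and the
sample messages below are all assumptions constructed for this example.
"""
from dataclasses import dataclass
import re

COMPANY_DOMAIN = "example-corp.com"            # assumed company domain
EXECUTIVES = {"jane doe", "john smith"}        # assumed executive display names
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(
    r"\b(wire|transfer|invoice|bank details|account number|gift card)\b", re.I
)


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str      # empty string when the header is absent
    subject: str
    body: str


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address such as 'a@b.com'."""
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_signals(mail: Email) -> list:
    """Return the list of BEC indicators present in the message."""
    signals = []
    sender_domain = domain_of(mail.from_addr)
    external = sender_domain != COMPANY_DOMAIN
    if external and mail.display_name.strip().lower() in EXECUTIVES:
        signals.append("executive name on external sender")
    if external and 0 < edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        signals.append("lookalike sending domain")
    if mail.reply_to and domain_of(mail.reply_to) != sender_domain:
        signals.append("reply-to domain differs from sender domain")
    text = f"{mail.subject}\n{mail.body}"
    if URGENCY.search(text) and PAYMENT.search(text):
        signals.append("urgent payment or bank-detail request")
    return signals


def triage(mail: Email) -> str:
    """Map the number of indicators to a handling decision."""
    hits = len(bec_signals(mail))
    if hits >= 2:
        return "hold-and-verify"   # confirm with the purported sender out of band
    if hits == 1:
        return "flag"              # deliver, but mark for reviewer attention
    return "deliver"


# Constructed sample messages (not real traffic).
SAMPLE_CEO_FRAUD = Email(
    display_name="Jane Doe",
    from_addr="jane.doe@example-c0rp.com",     # constructed lookalike domain
    reply_to="jane.doe@example-c0rp.com",
    subject="Urgent wire needed today",
    body="Please process this transfer immediately and confirm.",
)
SAMPLE_VENDOR_HIJACK = Email(
    display_name="Acme Billing",
    from_addr="billing@acme-vendor.com",       # constructed supplier domain
    reply_to="billing@acme-vendor-payments.net",
    subject="Updated remittance information",
    body="Please update our bank details for the attached invoice immediately.",
)
SAMPLE_LEGIT = Email(
    display_name="Jane Doe",
    from_addr="jane.doe@example-corp.com",
    reply_to="",
    subject="Board deck",
    body="Attached are the slides for Thursday.",
)

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_VENDOR_HIJACK, SAMPLE_LEGIT):
        print(f"{sample.subject!r}: {triage(sample)} {bec_signals(sample)}")
```

The two fraudulent samples trip different indicators: the CEO-fraud message combines an executive's name, a lookalike domain and an urgent wire request, while the vendor-hijack message comes from the supplier's genuine domain and is caught only by the diverted Reply-To plus the urgent bank-detail change. Scoring several independent signals, rather than relying on any one of them, is what makes the monitoring "multi-pronged"; the verification step itself (calling the supplier or executive on a known number) stays a human control.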
These guidelines help compliance personnel prevent, detect and report BEC scams. By following these steps, financial institutions can better protect themselves and their customers against BEC attacks.