Between 2016 and 2019, Business Email Compromise (BEC) scams cost American organizations US$3.1 billion in losses and Canadian organizations US$33.6 million. This type of pervasive scam targets large and small businesses alike. In the United States, the frequency of BEC scams has tripled in the last three years with approximately 80 percent of businesses being targeted.
BEC scams can be difficult to identify and even harder to recover from. For this reason, understanding the common types of BEC scams and adopting strategies to protect your business from falling victim is imperative.
Below are some common forms of BEC scams and tips for your organization to protect itself against this fraud. There is no one-size-fits-all solution to resisting BEC scams, as your risk management strategy depends on your specific situation.
Despite extensive coverage of BEC scams, companies continue to be routinely defrauded. Often, companies assume they are safe because they believe they have sufficient policies and safeguards in place, only to find out later that there was a gap in their policy or that relevant employees were insufficiently trained.
BEC scams aim to misdirect payments or the transmittal of other things of value. Traditionally, BEC scams target employees of businesses and organizations who are authorized to wire money, pay accounts, or access otherwise confidential information. Posing as executives, vendors or suppliers, fraudsters typically correspond via email with an employee of the company, attempting to exploit the employee’s capacity to access information or authorize certain transactions.
The most well-known BEC scam starts with an email from a known vendor or employee requesting to change their account payment details.
This scam email may come from the authentic email address associated with the vendor/employee (because the fraudster has infiltrated the vendor's email account), or from an email account that is so similar to the authentic address that it is easy to miss the difference. The fraudster may know all the details of the upcoming vendor payment, or may know the name of the vendor representative and the particulars of the upcoming payment (because the fraudster has compromised the organization’s email accounts and has access to all those details).
The email may contain various hallmarks of authenticity:
Do not rely on any of these factors (alone or in combination) as a means for authenticating the change request.
Another type of BEC fraud involves an email that is purportedly from the CEO or some other senior executive directing the recipient to wire funds out to a third party on an urgent basis. A different version of this scam involves an email from the CEO/senior executive asking the recipient to purchase gift cards and send the gift card numbers by email to the CEO/senior executive, often on the purported basis that they are for a corporate event or an important client.
The same rule applies as set out above: do not rely on the usual hallmarks of authenticity when deciding whether to act on the email request.
Having a written policy in place, and training your employees with respect to the policy, can help protect you against these scams. Steps you may take to verify if the account change request or wire transfer / gift card request is authentic include the following:
Your policies to protect against BEC are only useful if all relevant employees are properly trained on them. Ensure that regular training is implemented and team discussions are held to review the protocol.
Further, your policies need to keep pace with the evolving landscape of threats. As hackers find new ways to trick people, you need to adjust your defence protocol. Review your policies regularly with experts to protect yourself against new scams.
Just as you do not want to have payments made to your vendors fraudulently diverted, you also do not want payments owing to your organization diverted. Advise your customers of the protocol they are to follow in the event they receive a purported request from your organization to change account payment details.
We recommend you seek advice on additional steps that your organization should take. For further information on how to protect against and respond to BEC scams, the Bennett Jones Privacy and Data Protection team is available to assist.