In September 2019 alone, Japanese media company, Nikkei, voluntarily gave nearly US$30 million to criminals, while Toyota sent nearly US$40 million in the same direction. Why? Because a fraudster got into their business email and just asked for the money. Welcome to the costly world of “Business Email Compromise’’.
The four faces of BEC
Business Email Compromise (BEC), Email Account Compromise (EAC) or Authorised Push Payment (APP) scams are the scourge of boardrooms around the world. Sometimes known as “CEO Fraud”, these hard-to-spot crimes are on the rise, costing businesses and individuals more and more each year.
In the UK alone the value of APP frauds has risen from £354 million in 2018 (over 84,000 cases) to £413 million (over 108,000 cases) for the rolling year ending June 2019*. The FBI reports incidents closer to US$26 billion from 2016-19. Recently, the US Treasury Department’s Financial Crimes Enforcement Network estimated that BEC losses crossed US$300 million per month. That’s over 1,100 incidents per month in 2018, and that’s just the reported crimes.
How does it work?
To kick off a BEC fraud, the scammer needs to get into your systems and processes. This can be directly, through brute-force password attacks – often helped by previous breaches – or clever phishing attacks that entice the user to disclose their username and password. It can also be indirectly, targeting ‘weaker links’ in the business chain, such as gaining access to a supplier’s invoicing templates and schedules.
Once inside, the criminal will look for information to create a convincing scam – likely to be a spoofed email asking you, or someone who controls purse strings such as a CFO, to urgently pay money into a new bank account. The text is carefully personalised and deceptively professional; there are no ‘Nigerian Prince scam’ typos, here. Expecting an invoice for some building work or a holiday?
Clever attackers will clock this in your inbox and send a convincing link for you to pay this into their account. This looks and reads just like an internal email from a senior colleague or a trusted third party.
Even if you’re not in the process of buying something, you’re not immune to attack. If you’ve ever checked out your ex’s new partner on Facebook, you’ll know how easy it is to trawl for personal details and build up a profile for a BEC fraud. To avoid any threats to the scam, criminals even hack corporate schedules, so the person the fake email is allegedly from is unable to respond to direct queries, such as when they’re in-flight.
Once the money is transferred, because the payment was done in good faith and to an apparently legitimate recipient, it is often months before the fraud is discovered. By that time of course, the criminal is long gone and the money trail is cold.
So if it’s hard to recognise a BEC scam, and difficult to catch the perpetrators, how can we fight back?
Prevention is better than cure
Based on our experience in this area, here are a few suggestions for strengthening your defences against the BEC/EAC/APP scammers.
Firstly, use two-factor or multi-level authentication for your personal email account and critical business accounts. Putting this in place across your business should ensure the criminals don’t get in in the first place. Build up a healthy suspicion of any emails requesting fast actions, especially if they don’t follow your usual procedures.
This is one that you’re probably already doing, but we recommend doing more of, and that is to regularly and closely monitor bank accounts for irregularities, such as missing deposits. And if there’s a change of bank account requested, pick up the phone and check with the relevant people. It can’t hurt and could save you a lot of money.
Pay attention to the sender’s email address in any ‘money-requesting’ emails you receive. Check it matches with what you’d expect for that person. This is particularly important when viewing on mobile devices, as the email address info is rarely displayed automatically.
And lastly, if the scammers get through and you are affected, Schillings is here to help. We can help retrieve the funds, reinforce your protection, and have our experts advise you on the best techniques to avoid future BEC threats in your organisation.
Strike BEC
The best advice we can give on this subject though, is to reinvigorate your attitude to email security. Awareness training programmes for example, are a simple and effective method of introducing processes and procedures. It’s a chore, and many companies are still approaching the issue like they did at the turn of the millennium (‘won’t the anti-virus software catch it?’).
But, in this new era of deep fakery and intelligent attacks, sitting up and paying attention is the ultimate defence.
* figures from UK Finance