Is Business Email Compromise the King of Scams?

Globally, there’s been a great deal of media attention on payment scams affecting consumers, and rightly so.

In late September of last year, the U.K. Financial Ombudsman Service received more than 5,000 complaints and requests for help with fraud and scams from U.K. consumers, an increase of 66% year-over-year. That same month, UK Finance reported that criminals stole more than £750 million in the first half of 2021, a 30% increase from the same last year.  

Make no mistake, consumer scams are undoubtedly a major threat, however the heavy focus on them overshadows stories about how Business Email Compromise (BEC) scams are causing a great deal of damage to businesses. In the US the FBI reported that scams cost organizations more than $1.7 billion in 2019, which was higher than any type of consumers scam that year. In 2020, the Association for Financial Professionals reported that “74% of organizations were targets of payment scams”, with BEC as the primary driver. 

What is BEC Fraud? 

In BEC attacks, scammers use emails to dupe employees into transferring funds to illegitimate accounts, the main target being accounts payable departments. The tactics most commonly involve the hacking, spoofing or impersonating of a business email address, with the victim of a BEC attack receiving an email that appears to come from: 

• an existing supplier requesting payment for services genuinely provided (but to a different recipient account); or 
• a senior executive within the organisation requesting transfer of funds (for a new and highly confidential project or ‘deal’)  

The victim, believing the request to be legitimate, makes a payment or transfer to the scammers account.  

Why do criminals find this attractive?  

When successful, BEC attacks deliver a higher yield; an average of $93,000 per case according to the FBI. When compared to the average consumer card fraud case of $300, it becomes clear as to why criminals go after businesses. In addition to this: 

• Businesses don’t typically want to be seen as a victim as this may appear to be a management failing. So one of the biggest drivers of fraud loss tends to get swept under the rug for fear of reputational damage or management being viewed as incompetent. Further, businesses can often be insured in these cases, so it isn’t as widely reported or addressed. 

• As more people are working from home, with additional remote system access and reduced oversight, organisational vulnerability has increased. Coupled with lockdown anxiety, employees are more susceptible to social engineering. 

• Banks don’t invest as much in fraud systems and defences against BEC, as the liability for the loss most often sits with the business. The pressure comes from consumer groups and regulators to refund consumers, but less attention is given to businesses. 

• Corporate and business fraud is also a lower priority for law enforcement. It’s hard to catch the criminals, and lower on media and policy agenda priority lists. This means crime gangs can operate largely with impunity, offering a better risk/reward ratio. Also, a high proportion of the fraud comes from cross-border attacks, making investigations and reprisal even harder.  

• The extended cycle of business invoicing and payment means it can take longer for fraud to be discovered and by the time it has been, the fraudsters have already dispersed the funds through money-mule accounts and crypto-wallets making investigative follow up even harder. 

How can BEC be stopped? 

It’s possible for businesses and their respective banking and payment service providers (PSP) to work together and combat BEC fraud. Having two bites of the cherry should improve the chances of success if both parties have appropriate controls in place. However, it can lead to blame and finger pointing when one or both parties miss opportunities to prevent. 

Banks and PSPs can help prevent BEC attacks at the point of receipt and processing of the payment instruction from the organisation. Banks are at the forefront of protecting clients from fraud and should be actively using transaction monitoring systems to spot suspicious payment activity. 

Recent market trends have exacerbated this challenge with: 

• The growing migration away from batch payments to real-time payments (more attractive to fraudsters). 

• Increased prevalence of fintechs providing intermediary and overlay services that reduce a bank’s visibility of user activity (e.g. the bank will have less data about ‘normal’ user activity if obscured through an intermediary processing platform). 

• Greater regulatory focus (e.g. PSD2 in Europe) on Secure Customer Authentication, which doesn’t really help with BEC attacks, where payment is initiated by a duped, yet authorised user. 

For organisations that are targeted by BEC scammers, following cybersecurity best practices and having the right systems and controls in place is critical. Employees are the ‘weakest link in the chain’ and failure to follow policies (e.g. clicking a link in a phishing email and entering system passwords) is a key driver of BEC fraud. Effective cyber controls include enabling multi-factor authentication for users accessing work network and phishing email prevention and monitoring systems.    

Secondly, there must be effective employee policies and processes, as well as education and awareness to make system users aware of the risks and explain why they need to follow the rules.   

These should include dual-control (e.g. a ‘user’ and an ‘approver’) and executing call-backs (e.g. where a supplier wants to change their account information) on high risk activities like making payments.  

The AFP reports that around 70% of organisations have some or all of these types of controls in place. That leaves a lot of organisations that don’t and are therefore more susceptible to BEC attacks. The AFP also reports that 12% of organisations reported more than 25 BEC attempts in 12 months, revealing the scale of the issue and capability of the scammers. 

In recent times Covid-19 has changed the way people work and the control environment, potentially opening gaps that the scammers can exploit. Where controls may previously have relied on face-to-face interaction between an employee and manager, this may now be remote, where anomalies are less likely to be identified or addressed. 

Beating the scammers 

Adopting a multilayer strategy where both the victim organization and the banking partner deploy monitoring and detection technology maximizes the ability to manage fraud risk and reduce friction on genuine payments. Much of the responsibility sits with the organisation to have the right controls and culture in place, but banks can better support client organisations by working in partnership to offer a differentiated service by using the latest transaction monitoring technology (which leverages machine learning and artificial intelligence for real-time decisions and responses). 

This is where adaptive machine learning technology can help, using models that profile genuine behavior and are able to identify suspicious anomalies (making it difficult for scammers to mimic a genuine payment).  

Finally, working in partnership with clients’ security teams to raise and proactively respond to alerts and anomalies creates a unified front in the fight against BEC attacks and the criminals that perpetuate them.