Protecting my business against wire transfer fraud
Every year businesses in the U.S. lose millions of dollars to fraudsters who use a specific wire transfer scam called Business Email Compromise (BEC). Also known as “Man-in-the-Email,” BEC is an incredibly calculated and thoroughly researched threat. Fraudsters target businesses that either frequently perform wire transfers or work with foreign suppliers. If your company could be at risk, we’re here to help you defend your business against wire transfer fraud.
Who are the victims of wire fraud?
Victims of wire fraud can be businesses of all sizes. With nearly 6,000 (and counting) Business Email Compromise victims recognized around the world by the FBI, BEC also affects customers, employees, suppliers and many financial institutions.
There are a few ways BEC can happen. A fraudster can:
- Contact a business by phone, fax, or email to change the payment location on an invoice
- Hack a business executive’s email account and then use that email to contact employees and request wire transfers
- Hack an employee’s email account and contact list, and then use that email to request invoice payments from multiple vendors
In all three of these situations, the fraudster pockets the money.
Is it easy to identify BEC?
Business Email Compromise can be cleverly masked if individuals aren’t careful with information. Here are some common characteristics of BEC emails:
- Phrases such as “code to admin expenses” or “urgent wire transfer” are commonly seen
- IP addresses usually trace back to domains that have been registered for free
- Fraudsters often use company logos, letterheads, invoice formats and signatures of employees to increase believability
- Fraudulent emails received could directly align with business executives’ travel dates
- Spoofed or hacked emails closely resemble legitimate emails
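Several of the signs above can be checked automatically before a payment request reaches the person who approves it. The following Python sketch is an added example, not part of the original article; the domain example-corp.com, the webmail list, the 0.85 similarity threshold and the function names are assumptions chosen for illustration.

```python
import difflib
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions for this sketch: replace the trusted domain and the webmail
# list with your own organisation's values.
TRUSTED_DOMAINS = {"example-corp.com"}
FREE_WEBMAIL = {"gmail.com", "yahoo.com"}
# Phrases quoted in the article as common in BEC requests.
PRESSURE_PHRASES = ("code to admin expenses", "urgent wire transfer")

def sender_domain(msg):
    """Return the lower-cased domain of the From: address ('' if missing)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain, threshold=0.85):
    """True when the domain is not trusted but closely resembles one that is."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(difflib.SequenceMatcher(None, domain, good).ratio() >= threshold
               for good in TRUSTED_DOMAINS)

def bec_indicators(raw_email):
    """Return the indicators found; any hit means hold for extra verification."""
    msg = message_from_string(raw_email, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n"
            + (body.get_content() if body else "")).lower()
    domain = sender_domain(msg)
    hits = [f"phrase:{p}" for p in PRESSURE_PHRASES if p in text]
    if is_lookalike(domain):
        hits.append(f"lookalike-domain:{domain}")
    if domain in FREE_WEBMAIL:
        hits.append(f"free-webmail:{domain}")
    return hits

# Constructed sample message (not real traffic); note the "1" in the domain.
SAMPLE = """\
From: "Pat Lee, CFO" <pat.lee@examp1e-corp.com>
To: accounts.payable@example-corp.com
Subject: Urgent wire transfer

Please send the payment today and code to admin expenses.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

A message sent from a genuinely hacked account passes the domain checks, so a clean result here does not replace the verification steps described in the next section.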
How can you protect your company?
Although Business Email Compromise continues to be a major issue, especially in the United States, there are ways businesses can work to help protect funds and information, such as:
- Avoiding free, web-based email accounts for your business (such as Gmail, Yahoo, etc.)
- Being suspicious of requests for secrecy or pressured activity
- Considering a more complex verification process for sensitive IT or financial procedures
- Identifying a more complex authentication process for official company email accounts
- Deleting spam
- Not opening attachments if you're unfamiliar with the sender (a commonly used phishing attempt, which often results in a hacked email account)