Say “No” to Business Email Compromise
Business email compromise (BEC) initiates a fraudulent financial transaction via electronic messages that appear to originate from a trusted company or individual. Threat actors urge recipients to complete a financial transaction, such as wiring funds. This crime is rising: the financial sector reported a 137% spike in 2023.[1] Financial firms are not the only targets; companies of all types and sizes are vulnerable to BEC attacks.
Typically, scammers obtain access to the email accounts of an organization’s CEO, CFO or finance staff through phishing or malware, then send fraudulent payment requests from those accounts to their targets. This variant is also called “email account compromise.”
Understanding common BEC scams and steps to prevent them can help protect your organization from the potential damage these attacks can cause.
What are common BEC techniques?
BEC is a social engineering scheme that typically starts with spoofing or phishing.
In spoofing, a scammer forges the message header so the email appears to come from somewhere other than its true origin. For example, fraudsters may send from “jack.smith@companyXYZ.com” in place of an employee's real address, “jack.smyth@companyXYZ.com.” In phishing, a fraudster uses valid-looking emails to trick a company employee into disclosing sensitive or confidential business information. Fraudsters may also introduce malware (malicious software) into a corporation's network to capture data such as login credentials.
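As an added illustration that is not part of the original article, the following Python script shows one defensive check a mail gateway or security team could run for the lookalike addresses just described: it compares each inbound sender against an employee directory and company domain list and flags near misses by edit distance. The directory, the domain, the edit threshold and the sample senders are all constructed for the example.

```python
# Added example, not from the original article: flag inbound sender addresses that
# closely resemble a known employee address or company domain, the kind of
# "jack.smith" vs "jack.smyth" substitution described above. The directory and the
# sample senders are constructed for illustration.

KNOWN_DOMAINS = {"companyxyz.com"}            # constructed: the organisation's own domain(s)
KNOWN_ADDRESSES = {                            # constructed: a small employee directory
    "jack.smyth@companyxyz.com",
    "maria.lopez@companyxyz.com",
}
MAX_EDITS = 2  # character edits that still count as a near miss; tune to directory size


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'known', 'lookalike-local', 'lookalike-domain' or 'unknown' for one sender."""
    addr = address.strip().lower()
    if addr in KNOWN_ADDRESSES:
        return "known"
    local, _, domain = addr.rpartition("@")
    if domain in KNOWN_DOMAINS:
        # Genuine company domain but an unlisted mailbox: is it a near miss on a real name?
        for known in KNOWN_ADDRESSES:
            if edit_distance(local, known.split("@")[0]) <= MAX_EDITS:
                return "lookalike-local"
        return "unknown"
    # Foreign domain: compare its first label with each company domain's first label.
    # Catches character swaps (c0mpanyxyz), TLD swaps (companyxyz.co) and additions
    # (companyxyz-payments.com). Simplified: ignores subdomains and public-suffix rules.
    dname = domain.split(".")[0]
    for kd in KNOWN_DOMAINS:
        kname = kd.split(".")[0]
        if edit_distance(dname, kname) <= MAX_EDITS or kname in dname:
            return "lookalike-domain"
    return "unknown"


def triage(addresses):
    """Return only the senders that deserve a closer look, with their verdicts."""
    verdicts = [(a, classify_sender(a)) for a in addresses]
    return [(a, v) for a, v in verdicts if v.startswith("lookalike")]


# Constructed sample of inbound senders
SAMPLE_SENDERS = [
    "jack.smyth@companyxyz.com",          # the real employee
    "jack.smith@companyxyz.com",          # one-letter change in the mailbox
    "ceo@c0mpanyxyz.com",                 # digit zero for letter o in the domain
    "billing@companyxyz-payments.com",    # company name embedded in a new domain
    "jack.smyth@companyxyz.co",           # top-level domain swap
    "sales@vendor.example",               # unrelated external sender
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS):
        print(f"{verdict:17} {sender}")
```

A flagged verdict is a reason to hold the message for review or to add a visible warning banner, not proof of fraud; legitimate new suppliers will sometimes trip the domain check, so the threshold should be tuned against real traffic.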
Any of these tactics can give the threat actor the information they need to carry out business email compromise scams, which may include:
- CEO fraud. This fraud happens when someone hacks into a company executive's real email account or spoofs it. The fraudster then targets an employee and sends a message, seemingly from the executive, instructing them to send funds or make a purchase.
- Attorney impersonation. A fraudster emails a request for company information or money while pretending to be a trusted legal representative or attorney.
- Wire fraud scams. Threat actors pose as C-suite employees handling urgent financial business for the company. They then request immediate wire transfers to fraudulent accounts they control.
- Bogus invoice. In this scheme, fraudsters target a known supplier’s email. They create and send fake invoices for payment or initiate changes in payment details to reroute legitimate payments to themselves.
- Gift card scams. Bad actors impersonate an employee within the company, instructing staff to purchase gift cards for valid-sounding purposes like employee incentives. The emails usually also ask the staff member to send the gift card numbers and PINs after the purchase.
Business email compromise presents serious risks to businesses.
“Though they may seem simple to execute, BEC scams are targeted and well-planned. Fraudsters study organizations, then use publicly available information to launch full-scale attacks that can be extremely damaging,” says Enrique Fernandez, director of Financial Intelligence, Synovus Financial Crimes Unit.
BEC is a sophisticated and costly crime with severe repercussions.
- Financial losses are often significant. BEC’s most obvious negative impact is financial loss, which can be significant. Per-company losses can range from thousands to hundreds of thousands of dollars. In 2023, American businesses reported 21,489 BEC attacks with combined losses totaling $2.94 billion.[2][3] According to the FBI's Internet Crime Complaint Center (IC3), BEC losses have risen almost 58% since 2020.[4]
- Operational and reputational harm can occur. Incident response to BEC attacks can disrupt normal operations. For example, companies may need to freeze legitimate accounts and divert staffing, as well as delay order or payment processing pending investigation and resolution. Scammers could also steal and sell intellectual property. Any of these outcomes pose reputational risks and loss of competitive advantage among suppliers and customers.
- Data breaches and identity theft are common. During BEC attacks, scammers often access proprietary employee, executive and account information, resulting in additional financial losses. The average cost of a data breach in 2023 was $4.5 million, an increase of 15% over the past three years.[5] In addition, fraudsters are likely to use stolen data to open credit card accounts, or even commit future crimes using the victims’ identities.
Corporations must take definitive action to mitigate BEC fraud.
What can companies do to minimize risk of a BEC attack?
BEC is increasing, but several proactive measures can minimize a corporation’s risk of attack.
Use multiple security layers.
“The goal of fraud prevention should be to protect your entire network and systems. This requires a holistic approach,” says Fernandez. Start with a strong security posture, including encryption, tokenization and multifactor authentication.
Email security services should be integrated into your mail platform. For example, some solutions identify, quarantine and escalate emails they classify as spoofed or as carrying malware for further investigation.
Email encryption software secures digital communications against unauthorized access or alteration, reducing the risk of information compromise. A decryption key is required to read the email. So, if a scammer intercepts the email, the information is useless unless they have the right key.
Email authentication protocols can also be included. Sender Policy Framework (SPF) lets a domain publish which mail servers may send on its behalf, DomainKeys Identified Mail (DKIM) adds a cryptographic signature that the receiving server can verify, and Domain-based Message Authentication, Reporting and Conformance (DMARC) tells receivers how to treat messages that fail those checks and where to report them. Together they authenticate a sender's address so the recipient can have more confidence in its legitimacy.
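To make the three protocols concrete, here is an added example in Python that is not from the article or from Synovus. It models how a receiving server combines them: an SPF lookup of the envelope sender's domain against the connecting IP address, a DKIM verification result taken as given, and a DMARC alignment check against the visible From: domain. The DNS records, IP addresses, domain names and messages are constructed, and the SPF evaluator handles only ip4 and all mechanisms. It goes slightly beyond the text by showing a spoofed message that passes SPF for the sender's own domain yet still fails DMARC, which is why alignment matters.

```python
# Added example, not from the original article: a simplified model of how SPF, DKIM
# and DMARC combine. The zone records, sample messages and DKIM results are
# constructed; a real receiving server performs the DNS lookups and the DKIM
# signature verification itself, which this code takes as given.
import ipaddress

DNS_TXT = {  # constructed DNS TXT records
    # SPF: which hosts may send mail whose envelope sender is @companyxyz.com
    "companyxyz.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    # DMARC: what receivers should do when neither SPF nor DKIM aligns with the From: domain
    "_dmarc.companyxyz.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@companyxyz.com",
    # A third party with its own valid SPF record
    "thirdparty.example": "v=spf1 ip4:198.51.100.0/24 -all",
}


def spf_check(mail_from_domain, client_ip):
    """Evaluate ip4 and 'all' mechanisms only (include:/mx/a are skipped in this model)."""
    record = DNS_TXT.get(mail_from_domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech == "-all":
            return "fail"
        if mech == "~all":
            return "softfail"
    return "neutral"


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification: the last two labels stand in for the organisational domain
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_message(msg):
    """Apply the From: domain's DMARC policy to one message; returns the verdict and its inputs."""
    spf = spf_check(msg["mail_from_domain"], msg["client_ip"])
    record = DNS_TXT.get("_dmarc." + msg["from_domain"].lower())
    if record is None:
        return {"spf": spf, "spf_aligned": False, "dkim_aligned": False, "disposition": "none"}
    tags = parse_dmarc(record)
    spf_aligned = spf == "pass" and aligned(msg["mail_from_domain"], msg["from_domain"], tags.get("aspf", "r"))
    dkim_aligned = msg["dkim_result"] == "pass" and aligned(msg["dkim_domain"], msg["from_domain"], tags.get("adkim", "r"))
    disposition = "pass" if (spf_aligned or dkim_aligned) else tags.get("p", "none")
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned, "disposition": disposition}


# Constructed messages. Only the fields the checks need are modelled.
LEGITIMATE = {"from_domain": "companyxyz.com", "mail_from_domain": "companyxyz.com",
              "client_ip": "203.0.113.10", "dkim_result": "pass", "dkim_domain": "companyxyz.com"}
# Header From: forged; the sender's own domain passes SPF, but it does not align with From:
SPOOFED = {"from_domain": "companyxyz.com", "mail_from_domain": "thirdparty.example",
           "client_ip": "198.51.100.7", "dkim_result": "none", "dkim_domain": ""}
# Sent from a host missing from the SPF record, but carrying a valid company DKIM signature
DKIM_ONLY = {"from_domain": "companyxyz.com", "mail_from_domain": "companyxyz.com",
             "client_ip": "192.0.2.5", "dkim_result": "pass", "dkim_domain": "companyxyz.com"}

if __name__ == "__main__":
    for name, msg in [("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("dkim-only", DKIM_ONLY)]:
        print(name, evaluate_message(msg))
```

The spoofed case is the instructive one: SPF alone reports "pass" because the fraudster controls the envelope domain, and only the DMARC alignment step, driven by the p=reject policy the company published, turns that into a rejection. Publishing DMARC with p=none gives you the reports but none of the protection.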
Improve internal accounting controls and procedures.
Analyzing existing workflows will help to uncover weaknesses and eliminate vulnerabilities. Consider these best practices to strengthen protocols:
- Verify disbursements and change requests. Ask employees to personally verify email requests for payment information changes, purchases and wire transfers before acting.
- Require dual authorizations. At least two employees should approve all payments and purchases to reduce fraud potential. Don’t allow the same employee to approve purchases and payments.
- Limit approval amounts and types. Set dollar amounts or transaction types for approvers and require multi-level oversight for large requests and highly sensitive transactions.
- Regularly audit and monitor transactions and controls. This ensures proper implementation and reveals necessary adjustments.
- Review your financial institution’s procedures for reporting BEC compromise.
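An added example, not from the article, showing how the controls above can be enforced in a payment workflow rather than left to memory: a Python release check that requires out-of-band verification of changed payment details, two approvers independent of the requester, segregation between purchase and payment approval, and a senior approver above a dollar threshold. The role names, the threshold and the sample requests are constructed assumptions.

```python
# Added example, not from the original article: a release check that encodes the
# controls above in code a payment workflow could run before funds move. The roles,
# threshold and sample requests are constructed for illustration.
from dataclasses import dataclass, field

SENIOR_LIMIT = 25_000                      # constructed: amounts above this need a senior approver
SENIOR_APPROVERS = {"cfo", "controller"}   # constructed: roles allowed to approve large payments


@dataclass
class PaymentRequest:
    requester: str              # employee who received or submitted the request
    amount: float
    beneficiary_changed: bool   # payee bank details differ from those on file
    verified_out_of_band: bool  # confirmed via a known phone number, not by replying to the email
    purchase_approver: str      # who approved the underlying purchase or invoice
    approvers: list = field(default_factory=list)  # payment approvers


def control_failures(req: PaymentRequest) -> list:
    """Return the list of failed controls; an empty list means the payment may be released."""
    failures = []
    # 1. Changed payment details must be verified through a channel the email cannot control
    if req.beneficiary_changed and not req.verified_out_of_band:
        failures.append("payment-detail change not verified out of band")
    # 2. Dual authorization: two distinct approvers, neither of whom is the requester
    independent = set(req.approvers) - {req.requester}
    if len(independent) < 2:
        failures.append("fewer than two approvers independent of the requester")
    # 3. Segregation of duties: whoever approved the purchase may not approve the payment
    if req.purchase_approver in req.approvers:
        failures.append("purchase approver also approved the payment")
    # 4. Amount limits: large payments need a second-tier (senior) approver
    if req.amount > SENIOR_LIMIT and not (independent & SENIOR_APPROVERS):
        failures.append(f"amount over {SENIOR_LIMIT} without a senior approver")
    return failures


def may_release(req: PaymentRequest) -> bool:
    return not control_failures(req)


# Constructed requests
ROUTINE = PaymentRequest("alice", 9_500, False, False, "dave", ["bob", "carol"])
# Shape of a BEC-style request: urgent, new bank details, pushed through by one person
SUSPECT = PaymentRequest("alice", 48_000, True, False, "bob", ["alice", "bob"])
LARGE_OK = PaymentRequest("alice", 48_000, True, True, "dave", ["bob", "cfo"])

if __name__ == "__main__":
    for name, req in [("routine", ROUTINE), ("suspect", SUSPECT), ("large-ok", LARGE_OK)]:
        print(name, "release" if may_release(req) else control_failures(req))
```

The check returns every failed control rather than stopping at the first, which is what an auditor reviewing a blocked payment wants to see; the same list is also a natural record to log for the periodic control audits the list above calls for.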
Keep email technology current.
If you've invested in on-premises software for BEC prevention, make sure your IT team keeps it current. Software vendors regularly release updates and security patches to address new vulnerabilities and threats; apply them promptly so your system stays current.
Technology is a powerful weapon in fighting BEC. IBM reports that 28% of companies are realizing value from solutions with artificial intelligence.[6] AI-enabled fraud solutions quickly identify, investigate and disable suspicious electronic communications. Integrated automation further boosts efficiency and enables fast responses.
Invest in employee awareness and training.
Fraudsters rely on busy, distracted staff members. Employee awareness and training is a strong defense against fraud and a vital component of BEC prevention. Your company’s program should cover the critical components that help employees identify and mitigate BEC scams, such as:
- Common and complex BEC techniques.
- Potential impacts to the organization.
- How to report and respond to suspicious emails.
Provide semi-annual training to keep staff abreast of evolving BEC scams.
Protect your most important assets from BEC attacks.
Your corporation, employees, partners and customers are too important to expose to BEC fraud. Protect them with a comprehensive solution that keeps fraudsters out of your email.
We can help. Simply complete a short form and a Synovus Treasury & Payment Solutions Consultant will contact you with more details. You can also stop by one of our local branches.
Important disclosure information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
1. Infosecurity Magazine, “Vendor Email Attacks Surged by 137% in Financial Sector in 2023,” January 17, 2024
2. Statista, “Most Commonly Reported Cyber crime Categories in the United States in 2023, By Number of Individuals Affected,” April 12, 2024
3. Statista, “Annual Amount of Monetary Loss of Business E-mail Compromise (BEC) Victims in the United States from 2020 to 2023,” April 3, 2024
4. Federal Bureau of Investigation, “Internet Crime Report 2023,” December 12, 2023
5. IBM, “Cost of a Data Breach Report 2023,” July 2023
6. Ibid.