Imagine you are a member of a finance team. You receive an email from one of your suppliers containing an invoice for goods recently received. It requests that payment be made to a new bank account not previously used for such transfers. What would you do?
The Business Email Compromise ('BEC') scam compromises the email accounts of business executives or employees in order to induce fraudulent transfers of money. Legitimate-looking emails requesting a transfer are sent either from an actual (compromised) company email account or from an external email account so similar to an existing supplier's address that the difference goes unnoticed. Once a fraudulently induced transfer has been made, the money is generally very difficult to recover.
Companies around the world are being targeted. The FBI says that between October 2013 and August 2015, some 7,066 US victims and 1,113 non-US victims lost a total of $799 million. The BEC scam has been reported in 79 countries and all 50 US states, and exposed losses attributed to BEC total more than $1.2 billion globally, with the numbers likely to increase. Asian banks in China (Wenzhou) and Hong Kong are the most commonly reported final destinations for these fraudulent transfers.
How The Scam Works
How To Act Once Money Has Been Transferred
The key to recovering scammed money is to catch the funds before they have been transferred on. Act quickly by:
immediately notifying the remitting and receiving banks and putting them on notice that they are dealing with the proceeds of crime;
reporting the fraud to local law enforcement agencies in the receiving jurisdiction;
making any necessary notifications, including public disclosure if the company is listed and notice to the insurer; and
bringing legal counsel into the picture as soon as possible to maximize the chance of freezing the money.
Tips & Takeaways
Raise awareness by training staff to recognize the hallmarks of the BEC scam, e.g., transfers to known vendors but with new beneficiary account details, international transfers (especially to APAC countries) and changes in payment cadence.
Implement intrusion detection system rules that flag emails sent from domains that closely resemble legitimate company or supplier email domains.
Train staff responsible for outbound payments to strictly adhere to payment procedures.
Ensure that senior management complies with payment protocols, so that employees are less likely to fall for fraudsters impersonating senior executives.
Scrutinize the sender email address on any payment request.
Upon receiving any request to pay money into a new bank account, always confirm the instructions by telephone or in person.
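The detection rule suggested above (flagging senders whose domain imitates a trusted one) can be prototyped as follows. This is an added example, not code from the original article; the trusted domains, substitution list, sample headers and similarity threshold are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample allow-list: the company's own domain plus approved supplier domains.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
# Character swaps commonly used to make one domain look like another.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]

def normalize(domain):
    """Lower-case, undo common look-alike substitutions and drop separators."""
    s = domain.lower()
    for fake, real in SUBSTITUTIONS:
        s = s.replace(fake, real)
    return re.sub(r"[^a-z0-9]", "", s)

def sender_domain(from_header):
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""

def imitated_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this sender imitates, or None if trusted or unrelated."""
    for t in trusted:
        if domain == t or domain.endswith("." + t):  # exact match or genuine subdomain
            return None
    nd, best, best_score = normalize(domain), None, 0.0
    for t in trusted:
        nt = normalize(t)
        # A trusted name embedded in a longer domain (trusted.com.attacker.test) counts as a hit.
        score = 1.0 if nt in nd else SequenceMatcher(None, nd, nt).ratio()
        if score > best_score:
            best, best_score = t, score
    return best if best_score >= threshold else None

def flag_senders(from_headers):
    """Return [(header, imitated domain)] for each header whose sender is a look-alike."""
    hits = []
    for h in from_headers:
        target = imitated_domain(sender_domain(h))
        if target:
            hits.append((h, target))
    return hits

if __name__ == "__main__":
    # Constructed sample headers; none of these addresses are real.
    sample = ["Accounts <accounts@example.com>", "Billing <billing@mail.acme-supplies.com>",
              "Accounts <accounts@examp1e.com>", "AP <ap@acme-suppIies.com>",
              "AP <ap@acme-supplies.com.evil.test>", "News <news@totally-unrelated.test>"]
    for header, target in flag_senders(sample):
        print(f"FLAG: {header} imitates {target}")
```

A flag from this rule is a prompt for the out-of-band verification the last tip describes, not a verdict on its own; tune the threshold against your own mail volume to keep false positives manageable.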