Considerations for Prevention and Recovery
The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) reported on July 16, 2019, that Business Email Compromise (BEC) fraud has increased dramatically over the past couple of years.
What is BEC fraud?
BEC is a scheme in which cyber-criminals exploit vulnerabilities in a company’s email system to gain unlawful access to information about the company’s financial accounts, employees, vendors, and business practices. The criminals then either use the company’s actual email account (which they now control) or create a new email account resembling the company’s, and send a fake email that tricks a company employee into authorizing a payment that appears legitimate but actually transfers money to the criminals’ account.
What does BEC fraud look like?
A criminal might generate a fake email to a company employee responsible for making company payments. This email looks like it’s from a company senior executive instructing the employee to make a payment to the account of a vendor or supplier. The account is actually the criminal’s account. This is a particularly effective type of BEC fraud since the employee receiving the fraudulent payment instruction is less likely to challenge or confirm the instruction from a senior executive. A criminal might also create a fake email impersonating a company supplier and requesting payment of an invoice to an account that is controlled by the criminal.
How common is BEC fraud?
Instances of BEC fraud reported by financial institutions to FinCEN through Suspicious Activity Reports (SARs) have climbed from a monthly average of 500 reports in 2016 (averaging $110 million monthly in total attempted thefts) to a monthly average of 1,100 reports in 2018 (averaging over $300 million monthly in total attempted thefts). FinCEN’s report notes that the top three business sectors targeted in BEC schemes are: (1) manufacturing and construction; (2) commercial services; and (3) real estate.
How can a financial institution and its customers protect themselves from BEC fraud?
Financial institutions and their customers should pursue targeted strategies to reduce BEC fraud risks and maximize the chances of recovery when such fraud does occur:
- Train and educate employees of the risks of BEC schemes so they are more likely to identify and prevent such schemes from succeeding.
- Assess business processes to identify vulnerabilities and increase resiliency against BEC fraud, including the adoption of email communication authentication measures.
- Adopt a multi-factor verification process for suspicious payment instructions (e.g., verifying the authenticity of such instructions by using multiple means of communication or by contacting others authorized to conduct the transactions).
- Consider the level of information that is made available publicly about a company’s key financial counterparties and processes. Cyber-criminals can exploit this public information easily, so take steps to reduce risks in light of this fact.
- When BEC fraud does occur, pursue recovery efforts by reporting the fraud to FinCEN through its Rapid Response Program within 24 hours. This reporting is in addition to the financial institution’s filing of a Suspicious Activity Report, which can be done later.
- Request immediate assistance to recover BEC-stolen funds by contacting the FBI.
In light of the increasing prevalence of BEC fraud and the significant amount of money that is stolen in connection with such fraud, financial institutions and their customers would be well-served to take steps to anticipate and prevent such fraud. “An ounce of prevention is worth a pound of cure.”
The Financial Services team at Woods Rogers can help you with process evaluations, regulatory compliance, situation response, and other ways to protect your financial institution. Please contact us if you have any questions.