Fraudsters use business email compromise (BEC) to ‘trick’ employees into electronically transferring funds to dummy accounts held by those same fraudsters. The tactic is also used to gain access to your banking customers’ personally identifiable information (PII) or other data that can be exploited for monetary gain. These types of attacks are relatively simple to deploy on a wide scale, making them extremely profitable for criminals with little effort on their part.
BEC has been steadily on the rise since the FBI started tracking it in 2013, but attacks increased exponentially when many organizations moved to remote working models in early 2020. In fact, between just April and May of last year, BEC attacks increased by 200% according to a Security Boulevard report.
But what exactly is BEC?
The FBI identifies the 5 most common forms of business email compromise as:
- Payment change requests – which involve generating a bogus invoice for payment or imitating a supplier requesting payment
- Executive wire transfers – where a fraudster masquerading as a CEO or other high-level executive directs a movement of funds
- Contact compromise – spoofing a legitimate communication from an existing supplier or partner
- Executive or attorney impersonation – creating a false sense of urgency to transfer funds
- Data theft – requesting PII or W-2 forms through compromised email communication
Traditionally, financial institutions (FIs) have focused on preventing BEC fraud on the consumer front, rather than the commercial front – primarily because consumer regulations require banks to reimburse consumer-reported losses. BEC fraud, by contrast, is generally considered “authorized”, since funds are moved after employee authorization, even though that authorization is obtained under false pretenses.
At first glance, focusing on preventing fraud where they are liable may seem a logical choice. What FIs may fail to consider are the more subtle ways a missed opportunity to protect commercial customers can affect a bank's standing.
A bank that doesn’t protect both retail and commercial customers may be subject to hidden consequences beyond financial loss. For instance, customers who are victims of fraud can lose confidence in their bank’s ability to secure their transactions and account information, which can lead to damaged reputation and market standing – both of which can foster a much deeper and longer-lasting financial impact.
Key areas of focus
But there are steps banks can take to safeguard their customers against the threat of BEC. The 3 key areas of focus in any good BEC defense are RECOGNIZE, REVEAL and REPEL.
- Recognize – being able to identify transaction risk factors and gaps in protection is the first step in developing an effective fraud prevention strategy. With business email compromise, where financial criminals essentially manipulate ‘trusted’ communications to misdirect funds, the human factor is the weakest link. Regular training and education can begin to close the gap – but a strong payment protection platform is essential to a well-rounded protection plan.
- Reveal – a payment protection platform that includes artificial intelligence and machine learning can identify suspicious user behavior and transaction requests before funds are diverted into a criminal’s account.
- Repel – by the time a bank gets a fraudulent transaction request, it’s assumed that an employee of a corporate customer was successfully scammed, making the bank the last line of defense. Making sure your fraud detection platform ‘watches’ a payment from start to finish, which includes analyzing destination data, is critical to fully protecting customers.
For a deeper dive into BEC and the threat it poses to you and your banking customers, download the full whitepaper, “Uncovering 3 Hidden Liabilities of Business Email Compromise in Banking”, which includes the four challenges banks face in an era of rapidly evolving payment technologies.