Companies should take notice of a new fraud scheme that has been making the rounds, targeting businesses that regularly make wire transfers. Known as the “Business E-mail Compromise,” or BEC, this scam targets employees responsible for wiring money, instructing them under false pretenses to wire large sums to fraudulent accounts. The Federal Bureau of Investigation estimates that the scam has claimed over 2,000 victims and resulted in losses totaling nearly $215 million since October 2013.
In one version of the BEC fraud, the e-mail accounts of high-level business executives (CEO, CFO, CTO, etc.) are compromised by the creation of spoof e-mail addresses. The imposters then use the compromised executive’s e-mail account to send a request for a wire transfer to a second employee within the company who is responsible for processing such requests. This version of the scheme has been referred to as “CEO Fraud” or the “Business Executive Scam.”
In another variation of the scam, businesses which have a long-standing relationship with a particular supplier or vendor (i.e. a landlord) receive a spoofed e-mail purportedly from that vendor directing the business to wire funds for invoice payment to an alternate, fraudulent account. This version of the scheme has been referred to as “The Bogus Invoice Scheme” or “The Supplier Swindle.”
Are you prepared to detect and prevent a BEC fraud? Asking yourself and your teams the following questions may help:
- Have you educated your employees about these scams and encouraged them to be suspicious of unusual, urgent, and secret wire instructions? You should!
- Do you have a policy in place that requires employees with wire approval authority to escalate all requests to change a wire recipient’s account information? You should!
- Do you have a policy in place that requires those same employees to escalate all requests to add a new wire recipient? You should!
- Do those policies apply to both external and internal requests? They should!
- Have you configured your company’s e-mail servers to filter out or flag self-domain spoofing? You should! Check out Microsoft’s “Best Practices Guide for Configuring EOP.”
If you answered “no” to any of these questions or would like additional information, please contact Randy Luskey and Walt Brown.
More information about the fraud is available from the Internet Crime Complaint Center (IC3), a partnership of the FBI and the National White Collar Crime Center.