Protect Your Business
By: Scott Willman, Compliance, BSA, Fraud Intervention
The second edition of our Fraud Blog focuses on the most financially damaging method of online fraud: Business Email Compromise (BEC). Most importantly, this edition provides tips on how you can insulate your business from fraud losses. It’s not meant to downplay the severity of recent ransomware attacks that are deserving of the headlines they’ve garnered far and wide. BEC, on the other hand, is more common and causes more financial damage in totality.
According to the FBI Crime Report for 2020, more than 19,000 businesses suffered losses totaling over $1.8B through BEC scams. BEC losses are triple those of the next leading cybercrime. The surge in online business communications nowadays has increased the pool of potential targets for fraudsters. The Federal Trade Commission began sending alerts in March of 2020, in the early stages of the COVID-19 pandemic. One important finding was that small and mid-sized businesses are much more vulnerable given their inability to fund effective cybersecurity programs. If your business uses email for payment communications, you must run a tight ship.
So how does BEC work?
Fraudsters target businesses that routinely send wire transfers and communicate with vendors via email. They typically target a “key employee,” such as a bookkeeper, by sending them a malicious email (e.g., a phishing or spoofed email) to trick the key employee into thinking they are communicating with a trusted person.
Here’s an example: A criminal gathers information about your company from your website and various other channels. Next, they disguise themselves as one of your regular providers, sending your bookkeeper an email that looks similar to the emails your regular provider sends. It often comes with an invoice carrying a different mailing address or different banking information than what your regular provider uses. Your bookkeeper believes they have valid information and sends payment. The money, of course, is sent to the fraudster's account and is whisked away quickly. On average, this very scam costs businesses over $100,000 per transfer.
How can you protect your business?
As more business is done through digital technology, the importance of having solid IT knowledge at your disposal can’t be overstated. Use IT security professionals as a resource to help train your employees and to help customize any digital payment procedures. Making confirmation calls to verify your payment instructions may seem bothersome, but it’s for the good of all parties involved. In closing, we encourage you to be proactive and implement safeguards before fraud strikes your business. Below are five helpful tips we hope you will consider implementing in your business’ operations:
- Don’t pinch pennies on cybersecurity. Have capable IT resources to call upon if you don’t staff them.
- Verify payment and purchase requests by calling your designated point of contact to make sure they are legitimate. If your contact informs you of a change in account number or payment procedures, always verify it by speaking directly with your trusted point(s) of contact.
- Constantly coach and remind your staff about email security. Employees who process payments must be attentive to detail. Everyone should know not to click on anything in an unsolicited email or text message asking to update or verify account information. Look up vendors' publicly listed phone numbers on your own (don’t use the one a potential fraudster is providing), and call the company to ask if the information is correct.
- Get in the habit of carefully examining email addresses, URLs, and spelling used in any correspondence. Fraudsters use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment (e.g., an invoice) from someone you don't know. Email attachments are a common way of installing malicious software on your company's computers. Be especially wary if the requestor is pressing you to act quickly.
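As an added illustration of the second and fourth tips above (this is example code written for this page, not part of the original post), the small Python routine below flags an incoming invoice email for call-back verification when the sender's domain only resembles a trusted vendor's domain, or when the bank details on the invoice differ from the vendor record. The vendor master file, the look-alike character table and the message values are all constructed for the example.

```python
# Added example: triage an incoming vendor payment e-mail for call-back verification.
# The vendor master file and all message values below are constructed for illustration.
import unicodedata

# Constructed vendor master file: trusted e-mail domain and bank details on record.
VENDORS = {
    "acme-supply.com": {"account": "111222333", "routing": "021000021"},
}

# Digits commonly substituted for letters in look-alike domains (illustrative subset).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'acme-supp1y.c0m' compares equal to 'acme-supply.com'."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    return folded.translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(sender_domain: str):
    """Return the trusted vendor domain this sender imitates, or None if exact or unrelated."""
    if sender_domain in VENDORS:
        return None
    norm = normalize(sender_domain)
    for trusted in VENDORS:
        if norm == normalize(trusted) or edit_distance(norm, normalize(trusted)) <= 2:
            return trusted
    return None


def triage_invoice(sender: str, account: str, routing: str) -> list:
    """List the reasons this request must be verified by phone before any payment is released."""
    domain = sender.rsplit("@", 1)[-1].lower()
    reasons = []
    imitated = lookalike_vendor(domain)
    if imitated:
        reasons.append(f"sender domain {domain} looks like trusted vendor {imitated}")
    on_file = VENDORS.get(imitated or domain)
    if on_file is None:
        reasons.append("sender not in vendor master file; verify before paying")
    elif (account, routing) != (on_file["account"], on_file["routing"]):
        reasons.append("bank details differ from vendor record; confirm by call-back")
    return reasons
```

An empty list means the sender domain matched exactly and the bank details matched the record; anything else is a reason to pick up the phone and call the number on file, not the one in the email.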