Business email compromise (“BEC”) attempts have skyrocketed in recent weeks.
According to the FBI, fraud operators are using the “uncertainty surrounding the Covid-19 pandemic to further their efforts.”
With many in the U.S. shifting to work-from-home environments without the infrastructure and security in place to defend against newer, more sophisticated types of attacks, fraud operators are taking full advantage.
The threat of BEC is nothing new. In fact, $2 billion is lost every year to BEC attacks. According to the Association for Financial Professionals (AFP), 80% of surveyed businesses reported being targeted by a BEC scam.
Covid-19, however, has created new opportunities for BEC fraudsters.
BEC is usually executed using a spoofed email that appears to originate from within an organization and either requests payment settlement or a change/update to an account to which the accounts payable department disburses payments. A BEC scam may even originate from an executive’s hacked account, instructing that money be wired immediately to an account that the fraudster controls. Employees are then tricked into initiating payments from a request that appears to come from a leader within a trusted organization – a tactic known as phishing.
Today, a high number of these phishing schemes include the use of in-demand products or services (e.g., medical equipment, cleaning products, grocery delivery, etc.) to lure victims.
More targeted tactics have also developed recently, including breaking into and sending from compromised email accounts, a technique known as “spear phishing.” Spear phishing uses a trusted, high-level person’s actual email account in a targeted way to misdirect funds.
BEC tactics have also begun to target payroll funds. In this scheme, fraud operators exploit HR departments with a request seemingly from an employee to update direct deposit information. Worse yet, entire batches of ACH payments can be edited and misdirected into a fraud operator-controlled account.
How can businesses protect themselves from losses?
According to a newly released report from GIACT – the leader in helping companies positively identify and authenticate customers – the best way to prevent losses is to proactively validate account information using real-time, diverse data sets, before a potentially fraudulent payment is disbursed.
The most effective way to prevent losses is through robust account validation that goes beyond simply confirming whether an account is active. Businesses should run all payments against a strict validation process, including confirming the following:
- Account status
- Payment history, particularly NSF (non-sufficient funds) or chargeback history
- Ownership and matching ownership to the payment originator
- Consistency of PII, including name, address, phone number, email and more
These validations should be run prior to creating a payment account, prior to initiating the first payment, and at every subsequent customer touchpoint, whether that is a payment, an update to account information, or another interaction. By doing so, businesses will be able to confirm whether an account is legitimate prior to disbursing a payment.
In addition, businesses should consider adding email validation, verifying not only the name associated with the email address but also triangulating the domain, location of the domain, and age of the domain, among other items.
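As an added illustration of the pre-disbursement checks listed above (account status, NSF/chargeback history, ownership match, PII consistency, and email domain age), here is a hypothetical validation routine for a change-of-bank-details request. It is not GIACT’s code or a description of their service; the vendor master, account records, and domain registration dates are constructed lookup tables standing in for real data sources.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

@dataclass
class BankAccount:
    status: str            # "active", "closed", ...
    owner: str             # name the bank holds for the account
    nsf_events: int        # NSF / chargeback history count

@dataclass
class ChangeRequest:
    vendor: str            # payee name in the accounts-payable master file
    new_account: str       # account the requester wants payments sent to
    requester_email: str   # address the change request came from

# Constructed sample data standing in for a bank/validation data service.
ACCOUNTS: Dict[str, BankAccount] = {
    "111222": BankAccount("active", "Acme Supplies LLC", 0),
    "999888": BankAccount("active", "J. Doe", 3),
}
DOMAIN_REGISTERED: Dict[str, date] = {      # hypothetical WHOIS-style creation dates
    "acme-supplies.com": date(2012, 5, 1),
    "acme-supplles.com": date(2020, 4, 2),  # constructed look-alike domain
}
VENDORS: Dict[str, str] = {"Acme Supplies LLC": "acme-supplies.com"}  # vendor master
MIN_DOMAIN_AGE_DAYS = 90

def validate(req: ChangeRequest, today: date) -> List[str]:
    """Return reasons to hold the change for review; an empty list means all checks passed."""
    findings: List[str] = []
    acct = ACCOUNTS.get(req.new_account)
    if acct is None or acct.status != "active":
        findings.append("account is unknown or not active")
    if acct and acct.nsf_events > 0:
        findings.append(f"account has {acct.nsf_events} NSF/chargeback events")
    # Ownership check: the bank's account holder must match the payee on file.
    if acct and acct.owner.casefold() != req.vendor.casefold():
        findings.append(f"account owner '{acct.owner}' does not match payee '{req.vendor}'")
    # PII consistency: the requester's domain must match the vendor's domain on file.
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if VENDORS.get(req.vendor) != domain:
        findings.append(f"requester domain '{domain}' differs from vendor domain on file")
    # Domain age: recently registered or unknown domains are a classic BEC signal.
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None or (today - registered).days < MIN_DOMAIN_AGE_DAYS:
        findings.append(f"domain '{domain}' is unknown or younger than {MIN_DOMAIN_AGE_DAYS} days")
    return findings
```

Any non-empty result should route the request to a manual callback to the vendor using contact details already on file, not those supplied in the request.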
To read GIACT’s full report on BEC, Business Email Compromise: A Global Threat, click here.