One of the fastest-growing methods for perpetrating business payments fraud leverages an old technology—email. But experts suggest newer factors are accelerating the trend, including the spate of data breaches over the last few years and the rise of mobile technology and social media.
Payments fraud from business email compromise, or BEC, occurs when scammers use phishing tricks and email to fool businesses into making fraudulent payments to perceived suppliers. Typically the victim responds to a legitimate-looking spoofed email requesting an urgent wire payment to satisfy an invoice or avoid a late fee.
BEC crimes last year hit a new peak of 15,670 reported incidents totaling $675 million in losses, up 88% from $360 million in 2016, and almost double the number of reported incidents in 2015, according to the latest data from the FBI’s Internet Crime Complaint Center.
BEC is fueled by the trove of details available online about businesses, along with an uptick in cross-border commerce, experts say.
“Phishing is key to BEC and criminals have gotten really good at phishing,” said Al Pascual, a senior vice president of research and head of fraud and security at Javelin Strategy & Research. He noted the abundance of personally identifiable information exposed in data breaches that’s available on the dark web, but also the corporate details available on social media, including corporations’ own public web directories of employees’ email addresses, domain names and other information.
BEC isn’t a new crime—the FBI started tracking it in 2010—but it is finding new targets among small and midsize businesses as global commerce spreads, according to Pascual.
“At this point most large companies have awareness and systems to deter BEC, but the vast majority of smaller and midsize companies lack training and are more likely to get caught in a sophisticated BEC trap,” Pascual said.
Most BEC-related fraud is centered on wire payments, followed by checks. But the rise of faster payments in global markets could add to risks for vulnerable businesses, Pascual said.
“Faster payments is a newer phenomenon, but it adds another level of exposure to companies that fall for BEC scams with yet another way for money to disappear through new fraud channels,” he said.
Statistics showing how many BEC incidents originate on mobile devices are lacking, but the growing use of apps to authorize and manage commercial payments could heighten BEC risks further, some experts say.
“Employees at the targeted company are authorizing the money movement, so from the financial institution’s perspective, they are following legitimate instructions from their client,” said Shirley Inscoe, a senior analyst with Aite Group who focuses on payments security.
Banks are working to identify patterns in fraudulent payments originating from business emails, but it’s difficult because the number of crimes is relatively low, though individual business losses can be high, according to Inscoe.
“BEC crimes will continue to grow because the dollar amount of each loss is typically far larger than the fraud on a consumer account, the odds of the fraudster getting caught are extremely low and even if they catch the fraudster, the odds of getting prosecuted are low because this is typically a white-collar crime,” she said.
Security experts advise businesses to beware of urgent requests for payments, scrutinize the details of payments and use more than one internal factor to determine the authenticity of payments. Law enforcement agencies are also stepping up measures to deter BEC crimes.
The FBI’s Operation Wellspring routinely makes BEC arrests, and the U.S. Department of Justice in collaboration with the FBI this month announced the arrests of 74 individuals allegedly involved in BEC schemes. Over six months, multiple federal, state and local agencies including the U.S. Department of the Treasury rooted out some major BEC schemes targeting businesses and individuals in Operation WireWire.
The operation resulted in the seizure of $2.4 million and disruption of approximately $14 million in fraudulent wire transfers, the DOJ said. The majority of arrests in the operation were in the U.S., with 29 in Nigeria and three in Canada, Mauritius and Poland, according to the DOJ.
The FBI said the first wave of BEC scams began almost a decade ago, targeting U.S. business executives who received spoofed emails requesting payment for invoices from legitimate-seeming long-term suppliers based in Asia. By 2013, BEC scams originated in many regions, using various sophisticated tactics aiming to trick multiple recipients into making payments.
Perpetrators often pose as lawyers or accounts receivable executives, instructing recipients to make time-sensitive payments via wire transfer, but checks are also common, according to federal agencies. Accomplices often include people acting as money mules, who receive fraudulent wire payments, transfer the funds and launder the money through other accounts.
The FBI and the Justice Department have cracked down on BEC this year, and the FBI is working with multiple agencies and district attorneys' offices to stop BEC crimes and arrest money mules involved in the scams.
Businesses are gradually learning about the BEC risks, but it's difficult as the crimes rapidly evolve, Pascual said.