Forged checks or stolen corporate cards are still the most popular means of attack by payment scammers, but another method — email compromise — is rising in popularity.
Email compromise scams are now the tip of the spear driving a rise in payments fraud activity, according to a report released on Tuesday by the Association for Financial Professionals.
In AFP’s survey of 700 treasury and finance professionals, 77% of organizations said they experienced attempted or actual business email compromise (BEC) scams in 2017.
The Federal Bureau of Investigation describes BEC as “a scam carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
More colloquially, BEC typically involves employees receiving what appear to be genuine emails from their senior executives requesting them to wire funds or asking them for personally identifiable information.
The Internet Crime Complaint Center actually identifies five kinds of BEC scams: bogus invoice, CEO fraud, account compromise, attorney impersonation, and data theft.
“Even though organizations are, to a larger extent, implementing measures to counteract BEC scams, fraud is evolving into new areas and levels of sophistication that are difficult to detect,” according to AFP.
About 54% of BEC scams last year targeted wire transfers, said AFP’s survey respondents, followed by checks at 34%. The prevalence of BEC scams has actually driven up the incidence of wire transfer fraud, which more than tripled from 2014 to 2017, according to AFP.
As in AFP’s 2017 survey, more than 70% of finance professionals said that their organizations had implemented controls to protect themselves from being impacted by BEC.
An additional 9% this year indicated that their companies were “actively in the process of determining what measures they need to have in place to prevent BEC.”
For example, companies are setting up education and training programs for their employees to help staff recognize potential email fraud, said AFP.
IT departments, in some cases, are sending out test emails to employees periodically so that they are better able to alert the finance team about possible suspicious emails and messages. In addition, “some companies are taking the extra step of calling requestors of funds using telephone numbers on file to validate requests,” AFP said.
Among the prevention tips AFP gave last year was that “finance team and senior management [should] always encourage staff to check before taking any action regarding a payment, such as implementing dual authentication — that is, transactions should not be authorized without a second signature.”
Companies should also plan for scenarios such as changes in an external supplier’s payment information.
“In many cases a simple call to a trusted phone number on file will ensure that the information is authentic,” according to AFP.
The financial impact of BEC scams is hard to assess. Fewer than half of the organizations responding to the AFP survey suffered a financial loss as a result of BEC.
However, large organizations appear to be particularly at risk.
A greater share of organizations with annual revenue of more than $1 billion and with more than 100 payment accounts were financially impacted by BEC scams: according to AFP, 23% of respondents from this group reported their companies incurred a loss of more than $1 million as a result of a BEC scam in 2017.