Business email compromise (BEC) remains a source of major consternation for businesses. In 2014, the FBI’s Internet Crime Complaint Center (IC3) fielded 2,400 complaints about BEC, with collectively reported losses totaling $226 million. Compare that to 2020, when BEC complaints received by the center reached 19,000 and losses added up to $1.8 billion, and it’s easy to see that the problem is getting worse and clearly isn’t going away.
Statistics from the Association for Financial Professionals’ 2021 “AFP Payments Fraud and Control Survey Report” also underscore the prevalence of BEC. More than three-quarters of individuals surveyed for the report noted that their organizations had been targeted by BEC attacks.
Given these figures, it’s important to know what to look for when it comes to BEC, and how to fight back against it.
- BEC can manifest in several different forms, as “scammers are nothing if not creative,” according to Nacha. However, a typical incident starts with the receipt of an email that appears to be legitimate in several ways. For instance, the “from” line frequently includes the name of the CEO or another company official. The text features a request to change payment information, often, Nacha indicates, “for a vendor and always complete with a new account and routing number.”
- Believing that the email is truly from the “sender” and is entirely legitimate, the recipient complies with the instructions it provides. Everything seems to be fine—until the real vendor inquires about the status of the payment expected. Most likely, the money is gone forever.
- BEC schemes are also carried out by telephone call or fax, and some fraudsters even send letters by mail.
One Call Does It All
No matter how BEC is perpetrated, a single telephone call can stop it in its tracks. During Nacha’s Smarter Faster Payments Remote Connect event this past August, Brian Walsh, an FBI agent, noted that “human contact, verbally confirming this information, can defeat many of these frauds.”
Nacha recommends that businesses encourage their employees to call “whoever supposedly sent the email, even if it’s the CEO, and verify its authenticity.” Employees should also be instructed to hover over the sender’s display name to reveal the actual email address behind it, and to look carefully at whether that address really belongs to the claimed sender or to some other domain. Either way, employees should refrain from hitting “reply,” which would answer the possibly fraudulent address, and instead forward the message to an address they know to be correct, asking whether the request is genuine.
A recent Nacha blog includes an anecdote that illustrates how teaching employees to double-check the authenticity of emails can “save a world of trouble.” The anecdote also highlights some key indicators that an email is from a scammer rather than a vendor or other legitimate party. A company received an email from a purported “client,” insisting that it was entitled to a payment on a $30,000 invoice. The company had already made an ACH payment to the client’s business account. There had been no telephone communication from the “client”; only email.
A close look at the “client’s” email showed that the domain name was off by one character. The company followed up with a phone call to its real client, who stated that he had never sent any emails about a missing $30,000 payment and had received payment via ACH. In this situation, a phone call headed off BEC at the pass.
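The two checks described above, inspecting the real address behind the display name and spotting a partner domain that is off by one character, can be automated on the mail gateway or in a mailbox rule. The following is an added example written for this page, not code from Nacha or from the FBI; the organisation’s domain, the list of known vendor domains, the executive names and the three sample messages are all constructed assumptions. It flags a sender domain within two edits of a known partner domain, an executive’s display name paired with an outside address, a Reply-To that steers replies elsewhere, and a body that asks for new account or routing details.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data (assumed for this example): its own domain,
# the domains of known vendors/clients, and officials whose names get spoofed.
OWN_DOMAIN = "example-corp.com"
KNOWN_DOMAINS = {"example-corp.com", "acme-supplies.com", "northwind-traders.com"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches domains that are one or two characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable BEC indicators found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Lookalike domain: not a known partner, but within two edits of one.
    if from_domain and from_domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            d = edit_distance(from_domain, known)
            if 0 < d <= 2:
                findings.append(f"lookalike domain: {from_domain} is {d} edit(s) from {known}")

    # 2. An executive's display name on an address outside the company domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != OWN_DOMAIN:
        findings.append(f"executive display name '{from_name}' from external address {from_addr}")

    # 3. Reply-To steering the reply to a different mailbox than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_domain}")

    # 4. Body requests a change of bank details (new account / routing number).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if re.search(r"\b(routing|account)\s+number\b", body, re.I) and \
            re.search(r"\b(new|updated?|change)\b", body, re.I):
        findings.append("body requests a change of payment/bank details")
    return findings


# Constructed sample messages (not real mail): a genuine vendor note, a
# lookalike-domain invoice demand, and a spoofed-executive wire request.
SAMPLE_LEGIT = """From: Accounts <billing@acme-supplies.com>
To: ap@example-corp.com
Subject: Receipt

Thank you for your ACH payment received this week.
"""

SAMPLE_LOOKALIKE = """From: Accounts <billing@acme-supplles.com>
To: ap@example-corp.com
Subject: Outstanding $30,000 invoice

Our bank details have changed. Please use the new account and routing number below.
"""

SAMPLE_CEO = """From: Jane Doe <jane.doe@gmail.com>
Reply-To: Jane Doe <jane.doe@outlook.com>
To: ap@example-corp.com
Subject: Urgent vendor payment

Please wire the vendor payment to the updated account number below today.
"""

if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE), ("ceo", SAMPLE_CEO)):
        print(label, bec_indicators(sample))
```

None of these findings proves fraud on its own; the script is a triage aid that tells the recipient which messages warrant the verification call the article recommends, and the whitelist of partner domains must be maintained as vendors change.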
Help From Financial Institutions and Nacha
According to Nacha, businesses can look to their financial institution as a primary source of education about and assistance with identifying and preventing BEC-type scams. Financial institutions can also help with recovering funds lost to such scams. Originating depository financial institutions (ODFIs) can provide help with controls and with detecting anomalies. Receiving depository financial institutions (RDFIs) can pitch in by helping businesses—and consumers—identify and detect schemes in which their accounts are used as “money mules” to facilitate the fraudulent flow of funds.
For its part, Nacha can assist via its ACH Contact Registry. For instance, an RDFI with one or more unexpected large credits to a new account can obtain additional information from the ODFI, using the ACH Contact Registry to find the right ACH contact there. Similarly, the ODFI of such a credit could harness the registry to locate the name of the RDFI’s ACH contact to get help recovering funds lost because of a BEC scheme.
Pushing back against BEC is a critical strategy for businesses of all types. So, too, is harnessing secure payment options.