Understanding BEC and how to help protect against it

Among the most common types of B2B payment and business fraud is Business Email Compromise (BEC), also referred to as Email Account Compromise (EAC). In a BEC scam, criminals use email messages that appear to come from a known source in order to redirect payments. These scams cost companies billions of dollars annually but can be prevented with proper procedures and training.

BEC is a fast-growing cybercrime technique that’s garnered a lot of attention in recent years due to the number of reported instances as well as the magnitude of losses associated with it, impacting small businesses and large corporations alike.

Understanding what BEC is, how to spot it and how to report it is crucial in helping maintain the safety of your company and its assets. Here’s more information on this cybercrime.

BEC is a sophisticated scam in which fraudsters disguise themselves as a trusted entity and trick either an individual or a business into performing a transfer of funds through wire transfer, ACH or checks. The victim believes they’re conducting a legitimate transaction, only to find out later it was fraudulent, potentially resulting in significant losses.

When BEC scams first surfaced, fraudsters typically spoofed email addresses of C-level executives to request wire payments be sent to accounts owned by the fraudster. A spoofed email is when someone manipulates an email address to resemble a trusted one:

Valid email address:       janedoe@capitalone.com
Spoofed email address: janedoe@capitalon3.com

These instances still happen frequently and can be identified by taking a closer look at the email address information.

Fraudsters have evolved their schemes dramatically over the years and will sometimes compromise an email address or an entire email chain. This can be done by getting a victim to click on a phishing email or download a malicious attachment, which allows the fraudsters to compromise the targeted email address. They can then send and receive emails from what others may believe is a trusted source. In other instances, an entire email chain may be intercepted and manipulated by a fraudster or a team of fraudsters. In this example, fraudsters will insert themselves—using spoofed email addresses—into an existing email chain and begin to control the conversation. Being cognizant of this possibility can help mitigate the risk of falling victim to a request in an intercepted email chain.

You should also be mindful of other BEC schemes like spoofed emails from legal entities, requests for W-2 information or requests for gift card codes instead of cash.

As BEC has become an increasingly popular cybercrime, the number of reports and associated losses have also increased. The Internet Crime Complaint Center (IC3), part of the Federal Bureau of Investigation (FBI), releases its annual Internet Crime Report to cover statistics and topics from the past year.

In its 2020 annual report, IC3 noted the following statistics and findings about BEC:

• 19,360 BEC complaints were received in 2020 
• 63,517 BEC complaints were received between 2018 and 2020
• $1.8 billion was lost as a result of BEC in 2020, up from $263 million in 2015, which is an increase of 584% over that period
• $4.9 billion+ was lost as a result of BEC between 2018 and 2020, with increases year over year

Although schemes can vary based on the fraudster, the target and other factors impacting the situation, BEC scams often involve four steps:

• Identifying the target: The fraudster determines which company they will attempt to scam. Once a company has been identified, the fraudster will determine the employee(s) they will need to spoof or the email accounts to compromise, as well as who they will target to issue a wire transfer.
• “Grooming”: The fraudster attempts to become known and trusted by the prospective victim, setting up the scam. These acts include spear phishing, where the fraudster targets specific individuals with the authority to process payments. Sometimes fraudsters compromise a trusted vendor's email account in order to latch on to an already trusted source. Grooming can span several weeks in some scenarios.
• Exchanging of information/instructions: After the fraudster has taken control of a compromised account or effectively duped the victim into believing the fraudster is a trusted source, the victim will typically receive payment instructions that include information for a bank account owned by the fraudster.
• Initiating payment: Not realizing this is a fraudulent request, the victim will initiate the payment to the bank account owned by the fraudster. Oftentimes, the fraudster is able to quickly transfer the newly deposited funds to other accounts, including non-U.S. accounts from which the funds are difficult to recover, before the fraud can be detected and the malicious activity can be effectively thwarted.

Cybercriminals pursuing BEC leverage a wide range of tactics as they seek to identify new opportunities to achieve their illicit objectives. The FBI notes five major types of which businesses should be particularly mindful:

• CEO impersonation: A fraudster positions himself or herself as the CEO, CFO or another executive of a company by compromising or spoofing an email address, and directs an employee to transfer corporate funds to a bank account controlled by the fraudster.
• Account compromise: An employee of a company has their email address compromised and unknowingly used to request, initiate and/or authorize the transfer of funds to a bank account controlled by the fraudster.
• False invoice scheme: A fraudster purports to be a current supplier by compromising the supplier’s mail system or sending a spoofed email on behalf of a supplier that the company uses, and requests payment be made to a fraudulent account. 
• Attorney impersonation: A fraudster claims to be an attorney and issues a fraudulent request warning of the consequences of noncompliance, including the prospect of litigation. Employees at lower levels are commonly targeted with this scheme.
• W-2 form and other data theft: A fraudster targets a company’s HR department to obtain an employee’s W-2 tax form or other personally identifiable information, which can then be leveraged in a future attack. Executives are frequently targeted in this type of scheme.

Although these are commonly used schemes, fraudsters capitalize on all kinds of opportunities, and this is not an exhaustive list of all BEC scams one might see.

Spotting BEC scams before losses are incurred can be as simple as knowing what to look for. It is important to remain vigilant when these fraudulent requests are received. Malicious emails may often contain strange phrases, syntax, fonts or date formats. The FBI outlines a few indicators that should draw suspicion:

• Unexplained urgency
• Last-minute changes in payment instructions or recipient account information
• Last-minute changes in established communication platforms or email account addresses
• Communications only in email and refusal to communicate via telephone or online voice or video platforms
• Requests for advance payment of services when not previously required
• Requests from employees to change direct deposit information

If you become aware of a BEC scam, successful or not, an important next step is to file a complaint to the IC3 as soon as possible. In the event you or your company falls victim to a BEC scam, time is one of the most important factors for loss prevention and, if necessary, recovery of funds. Acting immediately may help reduce your losses. For Capital One business customers, contacting your relationship manager and reporting the incident to abuse@capitalone.com for further investigation are critical steps to help reduce your chance of losses.

Nothing can guarantee that you or your company won’t be targeted by a BEC scam. However, by becoming familiar with the various BEC tactics and taking the appropriate precautions before and after you receive payment requests, you can position yourself to combat this cybercrime. See below for additional suggestions on how to help protect your company against these scams.

BEFORE you receive payment requests

• Implement a dual approval requirement and limit the number of people who have authority to send money
• Establish intrusion detection rules that flag emails from addresses with domain names similar to the company’s domain name and where the reply address is different from the email address shown
• Utilize callback thresholds for monetary transactions
• Avoid sharing confidential information before confirming you’re communicating with a trusted source
• Work with vendors on a secure process to receive and verify payment instructions

AFTER you receive payment requests

• Perform a callback to a known client number (not the number in the request)
• Carefully review all email requests, especially if they provide new payment instructions 
• Avoid replying to suspicious emails
• Avoid clicking on links or opening attachments if you don’t recognize the sender
• Exercise additional scrutiny and verify changes with a secondary sign-off if changes are made to a payment request

As time goes on, fraudsters take new and sometimes complex approaches to attack individuals and companies. By becoming familiar with BEC, you’ll be more equipped to identify and report a scam before it impacts you. While cases reported and losses continue to rise, increased awareness and education are critical to help stop losses of sensitive information and funds.

For more information on Business Email Compromise, you can visit the FBI’s webpage on common scams and crimes.