Business Email Compromise Fraud
Business Email Compromise (BEC) attacks are on the rise. BEC is a form of cybercrime using email fraud to attack businesses. Across industries, companies have seen a significant increase in BEC attacks, which include emails from spoofed or hacked email accounts requesting that account information be updated by the recipient (for both vendor payments as well as payroll). Many times, these emails impersonate a company executive, trade partner, or other known contacts. Typically, the fraudsters monitor email accounts for several months before the actual fraudulent request is presented. They monitor patterns, specific contacts, terminology, and other information.
When a request is received to update payment instructions, it is very important that the person being asked to make the change carefully reviews the request for legitimacy. It is challenging and often impossible to recover funds that are sent to a fraudulent account, so businesses should have appropriate training, policies, and procedures in place. However, by taking a few steps, you can mitigate this risk.
- Watch for incorrect email addresses, incorrect domains, grammatical errors, and messages that have a sense of urgency.
- We recommend that before making any account changes, you always verify the request by calling a valid phone number on record (one from your own source information, not one provided by a hacker in the email) and getting verbal confirmation that it is a valid request.
Check and ACH Fraud
In addition to BEC attempts, businesses should also be on guard against Check and ACH fraud. Checks continue to be the primary payment method most often targeted by fraudsters. Utilizing Payee Positive Pay fraud protection mitigates the risk of altered or counterfeit checks, as it validates the information presented on the check with what was issued. ACH fraud often starts with a check that is intercepted; the routing and account numbers are taken from the check and the fraudster originates an electronic debit to the compromised account. ACH Positive Pay will protect that account from any debits that are not authorized. To further reduce the risk of fraud, we encourage companies to develop a strategy to transition payments from paper checks to electronic payments.
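The matching described above can be pictured with a short sketch. This is an added illustration, not code from Johnson Financial Group or any bank's Positive Pay product; the record layout, function names, originator IDs and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: str
    amount: Decimal
    payee: str

def norm(payee):
    # Compare payee names without regard to case or extra spacing
    return " ".join(payee.upper().split())

def review_checks(issued, presented):
    """Payee Positive Pay idea: hold any presented check that differs from the issue file."""
    register = {c.number: c for c in issued}
    seen, exceptions = set(), []
    for p in presented:
        rec = register.get(p.number)
        if rec is None:
            exceptions.append((p.number, "not issued"))        # counterfeit check
        elif p.number in seen:
            exceptions.append((p.number, "duplicate presentment"))
        elif p.amount != rec.amount:
            exceptions.append((p.number, "amount mismatch"))   # altered amount
        elif norm(p.payee) != norm(rec.payee):
            exceptions.append((p.number, "payee mismatch"))    # altered payee
        seen.add(p.number)
    return exceptions

def review_ach_debits(authorized, debits):
    """ACH Positive Pay idea: authorized maps originator ID -> maximum debit amount."""
    held = []
    for originator, amount in debits:
        limit = authorized.get(originator)
        if limit is None or amount > limit:
            held.append((originator, amount))                  # not authorized: hold
    return held

# Constructed sample data (not real accounts, payees or originators)
ISSUED = [Check("1001", Decimal("2500.00"), "Acme Supply LLC"),
          Check("1002", Decimal("480.15"), "Northside Freight")]
PRESENTED = [Check("1001", Decimal("2500.00"), "ACME SUPPLY LLC"),
             Check("1002", Decimal("4480.15"), "Northside Freight"),
             Check("1001", Decimal("2500.00"), "Acme Supply LLC"),
             Check("1003", Decimal("900.00"), "J. Doe")]
AUTHORIZED = {"UTILITYCO01": Decimal("1500.00")}
DEBITS = [("UTILITYCO01", Decimal("312.40")), ("UNKNOWN999", Decimal("9800.00"))]

if __name__ == "__main__":
    print(review_checks(ISSUED, PRESENTED))
    print(review_ach_debits(AUTHORIZED, DEBITS))
```

Every held item is an exception for a person to approve or return, which is why keeping the issue file and the authorized-originator list current matters as much as the matching itself.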
The most recent AFP (Association for Financial Professionals) survey shared some key findings related to fraud trends that many businesses are seeing.
- In 2021, checks and ACH debits were the payment methods most impacted by fraud activity (66% and 37%, respectively).
- The fact that check fraud remains the most prevalent form of payments fraud is not surprising. Checks continue to be the payment method most often used by organizations.
- 68% of organizations were targeted by Business Email Compromise (BEC) in 2021.
- Accounts Payable (AP) departments are most susceptible to BEC fraud; 58% of respondents report their AP department was targeted by email scams.
Steps to prevent fraud
There are steps your company can take to prevent BEC and other forms of fraud.
- Take advantage of fraud protection solutions like Positive Pay to help protect your accounts from financial losses.
- Implement internal and external procedures for payment instructions – for sending and receipt. Also, implement dual controls and approvals for additional authorization. Here are some suggested procedures:
- Define procedures for updating information with your vendors.
- Use verification procedures to confirm customer information is legitimate, like secondary channels or two-factor authentication (especially when they are adding new accounts).
- Refrain from supplying login credentials or personally identifiable information of any sort via email.
- Ensure any URLs in emails are associated with the business/individual they claim to be.
- Perform an annual audit and review of all your customer lists and their information.
- Talk with your IT partner to ensure your security software is up to date.
- Regularly reconcile your accounts.
  - Fraud likelihood increases when businesses don’t take the time to reconcile their accounts daily. Businesses should focus on daily, or at minimum, weekly account reconciling.
- Conduct a Cyber Risk Assessment – Work with your risk management team to uncover potential risks and threats to your business.
- Purchase Crime and Cyber Insurance – Talk with your JFG Insurance advisor about the specific coverages to have in place should a breach occur.
Proactively protect your business
While BEC and forms of ACH and check fraud continue to rise, there are ways to be proactive and protect your business from financial losses. Raising awareness, taking action with your teams, vendors and clients, and putting solutions in place will save you a lot of time and money in the long run.
If you discover you are the victim of a fraud incident, immediately contact your financial advisor or treasury management consultant. Regardless of the amount lost, file a complaint with the FBI’s Internet Crime Complaint Center or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible. Our team is here to help your business with fraud protection. Contact a Johnson Financial Group Advisor to discuss your options to help keep your business and finances safe.