BEC Targets CEOs
With global losses climbing to more than $5 billion, business email compromise (BEC), also known as “CEO fraud” is a sophisticated scam plaguing businesses large and small. A criminal gains access to a corporate email account and spoofs the owner’s identity to defraud the company. Targets often include companies that frequently transfer money electronically via wire transfer or conduct business regularly overseas with suppliers, but they aren’t the only victims.
Complicating matters is that legitimate wire transfer requests are often urgent, says Treasury Management Officer Alicia Anderson. “Usually a wire is immediate,” she says. “It needs to be processed quickly and clients don’t always see the value of signing forms or waiting for call backs, but it’s in their best interest to do so.”
Although now all banks are required to adopt and follow security measures to verify wire transfers, First Business Bank embraced best practices before it was required. “When I came to First Business Bank, I was really happy to see that we were already doing this,” Anderson says. “From our CEO Corey Chambas on down, we always emphasize we have clients’ best interests in mind.”
Before you write off this crime as one that happens to other businesses, not your team, check out these alarming statistics:
- Losses attributed to BEC skyrocketed more than 2,000% since 2015
- More than 400 companies are targeted daily
- 38% of victimized companies are small or medium-sized businesses in all industries
- More than 200 employers fell victim to rapidly increasing W-2 BEC scams in 2017, compromising employees personal information
If you’re still not convinced, here are real BEC fraud attempts:
On January 24, 2018, First Business Bank received a $15,850.00 wire transfer request via email from a business client CEO. The email came from the CEO’s business email address, and the business’s bookkeeper was copied on the email. Our bank employee emailed back a blank wire request form and blank wire agreement to complete the transaction. Soon, a return email came from the CEO’s email that included the completed wire request form and wire agreement, both of which also had the CEO’s authentic signature. Our wire desk took the documents and began to process the wire transfer, conducting the out-of-band authentication — a phone call back to the client’s phone number on our bank records. Based on that call from our wire desk, we determined this request was fraudulent and stopped the wire transaction. The bank followed its procedures, encouraging the client to file an incident report with the Internet Crime Complaint Center (IC3), document the transaction, work with law enforcement, and contact the beneficiary bank, among other actions.
The business client’s IT department determined that both the CEO and bookkeeper’s corporate email accounts were compromised in November 2017. Between then and the fraud attempt, the criminal monitored the email accounts and obtained the business’ account number information as well as a sample of the CEO’s signature. All the fraudulent emails between the criminal and the bank regarding the wire transfer request were directed immediately to the Deleted folder of each of the email accounts so neither the CEO nor the bookkeeper were aware of the fraud in progress. The originator of the wire transfer request emails was traced to an IP address in South Africa.
On January 16, 2018, an authorized wire transfer originator for a nonprofit business client initiated a $28,826.00 wire transfer request from First Business Bank to a person at Wells Fargo. We received and verified all appropriate documentation, and conducted out-of-band authentication per bank policy to an authorized person other than the wire transfer originator to verify the legitimacy of the request. Later in the afternoon of 01/16/18, the Executive Director of the nonprofit contacted us to report that the wire transfer request was fraudulent, and that he shouldn’t have approved it. Earlier, the Executive Director approved the wire request based on an email he believed was from his colleague, who also was an authorized account signer; however, they discovered an imposter had sent the email requesting the wire transfer. While reviewing the emails after the incident, the client noticed several grammatical errors that could have been a warning sign. The bank followed its procedures, encouraging the client to file an incident report with the Internet Crime Complaint Center (IC3), document the transaction, work with law enforcement, and contact the beneficiary bank, among other actions.
On December 12, 2017, the President of a business client received a phishing email from a criminal that harvested his credentials. The criminal then sent an email to the contacts in the President’s address book, including an email to First Business Bank for a wire transfer request for $148,500.00 to a receiver with which the business had no prior payment history or documented business relationship. A bank representative replied to the email that we needed a completed wire transfer request form and sent a blank form via secure email. The criminal was unable to open the secure email and asked the bank representative to fax wire instructions. The criminal then instructed the bank to send the $148,500.00 to an account at another bank. When the bank performed the out-of-band authentication — a phone call back to the client’s phone number on our bank records, the fraud attempt was uncovered and stopped — no funds were lost thanks to internal bank controls. The bank followed its procedures, encouraging the client to file an incident report with the Internet Crime Complaint Center (IC3), document the transaction, work with law enforcement, and contact the beneficiary bank, among other actions.
Upon reviewing the situation, the client’s IT department discovered that the domain name of the fraudulent email used was misspelled by only 1 character, closely simulating the client’s authentic domain name. If you have email, you’re vulnerable to business email compromise.