BEC: Recognize a scam

August 28, 2023

What is Business Email Compromise (BEC)?

Business email compromise (BEC) is defined as a sophisticated scam targeting businesses that regularly make payments. To help you recognize the characteristics of these threats, we explain two common variants — the CEO impersonation and the payment instruction switch.

Business email compromise (BEC) is an increasing menace to small, medium and large organizations across the globe. The two situations outlined below are fictional, but based on real-world events. 

 

Scenario one: The CEO impersonation

The most common variant of the BEC scam is the CEO impersonation.

The pre-event set-up

In preparation to target fictitious company, “Computercorp” for their next scheme, fraudsters:

  • Perform an investigation to identify the management structure as well as key individuals within the company who are the most likely to process financial transactions.
  • Use searches like Google and LinkedIn to identify key individuals such as the CEO (Judy Exec) and the Controller (Henry Ledger).
  • Identify the email-naming format for the company through additional searches, and discover Judy Exec is on vacation through her social media account.
  • Create a lookalike domain (cmputercorp.com) through an online marketing company that offers free trial domain registration and hosting. They then set up a lookalike email address for Judy Exec to use during the impersonation.
  • Generate a PDF with payment instructions to an account they own.
     

The scam

The fraudsters initiate an email to the Computercorp controller, Henry Ledger, to begin the fraud scheme. They were able to procure a similar domain name to the one Computercorp uses. Notice below how the email is originated from fraudulent cmputercorp.com to a real employee at computercorp.com.

Initial email from the fraudsters:

From: Judy Exec <judy.exec@cmputercorp.com>

To: Henry Ledger <henry.ledger@computercorp.com>

Subject: Urgent payment

Henry,

What is the cutoff time for wires? I need to have this payment sent ASAP.

<Attached: PaymentInstruction.pdf>

-Judy

Sent from My iPhone
 

Response from the controller:

From: Henry Ledger <henry.ledger@computercorp.com>

To: Judy Exec <judy.exec@cmputercorp.com>

Subject: Re: Urgent Payment

Hi Judy,

Wires must be processed prior to 2:00 PM PT. How should I code the transfer?

-Henry

Final response from fraudsters:

From: Judy Exec <judy.exec@cmputercorp.com>

To: Henry Ledger <henry.ledger@computercorp.com>

Subject: Re: Urgent payment

Please code to my admin for now. Thanks.

-Judy

Sent from My IPhone


With this information in place, Henry hurries to initiate the wire transfer to the account in the payment instructions. Dual authorization is required. When the secondary approver calls Henry, he confirms that the request came directly from the CEO and is urgent. The secondary approver also approves the wire.

The money is sent to the fraudulent account.


The aftermath

Computercorp CEO Judy Exec returns from vacation. Henry sends her a note to confirm the allocation of the funds from the wire. Judy calls Henry immediately, claiming that she didn’t send instructions for a wire.

Henry contacts their bank to request a funds recall. The bank initiates the recall, but the funds moved from the fraudulent account and are no longer available. Next, Computercorp contacts their local FBI field office and reports the fraudulent event to the Internet Crime Complaint Center (IC3).

Because of this event, Computercorp strengthens their wire authorization controls by implementing callback procedures for all requested wire transactions.

 

Scenario two: The payment instruction switch

Another scenario involves fraudulently changing a known supplier’s payment instructions to divert funds to an account owned by criminals or their accomplices.

The pre-event set-up

An organized crime group targets fictitious company, “ABC Corp,” a U.S.-based global manufacturing company that makes frequent payments to foreign suppliers for goods and services. The crime group:

  • Identifies an ABC Corp overseas supplier by the name of “XYZ Supply.”
  • Compromises the email accounts of several XYZ Supply account reps who are using weak passwords on a web-based email system that has no secondary authentication.
  • Searches through emails for payment requests to customers of XYZ Supply. Notices an invoice to ABC Corp for goods, with an additional request for goods to be invoiced in the near future.
     

The scam

The criminals email the supplier manager at ABC Corp using the most recent XYZ Supply email chain and request a change in payment instruction.

The email doesn’t raise an alert with the supplier manager, because it’s legitimately from the XYZ Supply email account.

The supplier manager updates the payment system with the new account information assuming the email request is legitimately from XYZ’s account representative.

ABC Corp receives the goods and makes a wire payment to the fraudulent account provided by the criminals.
 

The aftermath

The day after payment, the supplier manager at ABC Corp emails the account representative at XYZ Supply to notify them of the payment. The account representative responds that the wire wasn’t received.

The controller checks the outgoing wires report to confirm the wire. That’s when ABC Corp discovers the wire was sent to a fraudulent account. The controller at ABC Corp calls their bank to request a funds recall, but it’s too late. The funds are no longer available in the receiving account and can’t be recalled.

ABC Corp and XYZ Supply split the cost of the loss, and later implement additional controls around payment instruction changes including callback confirmation procedures. XYZ Supply also commits to implementing stronger security controls on their web-based email system, including multi-factor authentication.

 

Prevent these fictional BEC scenarios from becoming your reality

These scenarios depict situations that your organization can avoid by using stronger internal controls. In both of these BEC frauds, a phone call directly to the requestor using a verified number could have avoided the situation

Stronger controls around email must also be part of any security strategy. Keep in mind that traditional email isn’t a trusted communication mechanism when dealing with critical activities such as money movement.

While no single control or set of controls will prevent your organization from being a target, we suggest these five tips to prevent your organization from falling victim to BEC:

  1. Confirm and verify email requests for fund transfers 
    Contact the requestor by phone using an independently obtained phone number or one that you already have on file. Pay special attention to transfers requested to new or recently updated accounts. Nearly all BEC scams can be stopped in their tracks if organizations adopt this basic control.

  2. Use dual control for money movement activities
    Dual control allows for two levels of scrutiny and authorization to help stem the risk of illegitimate funds transfers.

  3. Use multi-factor authentication for web-based email accounts
    Fraudsters may leverage actual accounts of executives with email credentials pilfered from spear phishing campaigns. Multi-factor authentication adds another layer of control to deter cyber crooks from accessing employee accounts. 

  4. Communicate quickly when fraud or security events occur
    Notify your key banking partners and information security staff immediately if you suspect BEC. If appropriate, contact law enforcement and file a complaint with the FBI Internet Crime Complaint Center.

  5. Create awareness within your organization
    Evaluate staff compliance with internal controls by using real-world security awareness testing. Finally, review your current payment controls to keep your organization safe from BEC.
     

For more on how to protect your organization from BEC, check out our fraud prevention checklist.

 

Business email scams are on the rise as more employees are working from home. Contact U.S. Bank for help with your fraud prevention plan.

Related content

What is CSDR, and how will you be affected?

Evaluating interest rate risk creating risk management strategy

Risk management strategies for foreign exchange hedging

Webinar: CRE technology trends

Avoiding the pitfalls of warehouse lending

The latest on cybersecurity: Mobile fraud and privacy concerns

Liquidity management: A renewed focus for European funds

5 questions you should ask your custodian about outsourcing

10 ways a global custodian can support your growth

The benefits of a full-service warehouse custodian

Best practices on securing cardholder data

Turn risk into opportunity with supply chain finance

Hospitals face cybersecurity risks in surprising new ways

Authenticating cardholder data reduce e-commerce fraud

Post-pandemic fraud prevention lessons for local governments

Webinar: Robotic process automation

Proactive ways to fight vendor fraud

5 Ways to protect your government agency from payment fraud

Fight the battle against payments fraud

Fraud prevention checklist

Complying with changes in fund regulations

Why Know Your Customer (KYC) — for organizations

The password: Enhancing security and usability

How to improve your business network security

Government agency credit card programs and PCI compliance

Cybersecurity – Protecting client data through industry best practices

Business risk management for owners of small companies

BEC: Recognize a scam

Evaluating interest rate risk creating risk management strategy

Increase working capital with Commercial Card Optimization

Protecting cash balances with sweep vehicles

Alternative investments: How to track returns and meet your goals

Manufacturing: 6 supply chain optimization strategies

Webinar: CRE Digital Transformation – Balancing Digitization with cybersecurity risk

Small business growth: 6 strategies for scaling your business

Disclosures

Start of disclosure content

Loan approval is subject to credit approval and program guidelines. Not all loan programs are available in all states for all loan amounts. Interest rate and program terms are subject to change without notice. Mortgage, Home Equity and Credit products are offered through U.S. Bank National Association. Deposit products are offered through U.S. Bank National Association. Member FDIC.