Businesses today would struggle to exist without email, but this communication must-have is also the scammers’ favourite tool.
One of the most widespread types of cyber attack that businesses suffer is the fraudulent email.[1] Most cyber attacks start with phishing emails that exploit human weaknesses through social engineering.
The United States FBI estimates that worldwide losses from email scams amount to USD 26 billion[2] over the past three years and are rising. It isn’t surprising, therefore, that business email compromise (BEC) makes up the largest percentage[3] of cyber crime insurance claims.
Exploiting emails
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.[4] These scams target businesses that work with foreign suppliers and/or regularly make wire transfer payments.[5] Within those businesses, they usually target the individuals with the easiest access to company funds.
Before a BEC attack begins, fraudsters collect corporate data from publicly available sources such as social media, and buy credentials on the dark web, to identify targets. Social engineering techniques such as vishing and phishing are also used as bait to solicit company information.
Around half of BEC scams carry malware capable of damaging computers, servers and networks. Sometimes a phishing email, when opened, installs malware that lets the attackers monitor a company’s transactions between employees and third parties, learn its business lingo and identify the individuals who regularly initiate fund transfers. This information is gathered over a period of time before the scammer moves in for the strike.
There are several variations of BEC scam. Up to 43 per cent of attacks involve the impersonation of a CEO or founder.[6] Sometimes referred to as CEO fraud, this variation works because employees who receive an email ‘from the CEO’ rarely question the request and react immediately. What businesses should realise is that, most of the time, this results in leaks of confidential company information and financial losses.
Another common variation involves impersonating or hacking into vendor accounts to trick the victim. The email to the victim is usually supported with fake invoices or an excuse to change bank transfer details, so that funds are deposited for services and products that are never delivered.
Capitalising on human psychology and instant payments
Most people believe that they are unlikely to be fooled. This psychological trait, known as optimism bias, is one that fraudsters rely on. Combined with the natural instinct to defer to seniority, it is no wonder that employees fall victim to BEC scams so easily.
Andrew Marshall Hardy, Head of Fraud Risk for Corporate, Commercial and Institutional Banking (CCIB), observes that “if you look behind the psychology of social engineering scams, it’s all about the fraudster leveraging habits, and manipulating behaviour to get the victim to give up confidential information or act, like making a payment when it’s not in their best interests to do so.”
In most BEC scams, the funds are consciously authorised by the victim: employees of a business instruct their bankers to pay out funds to scammers, believing these to be legitimate business transactions. What businesses should know is that once scammed, it is difficult to recover the funds or obtain restitution.
Furthermore, with real-time payments, as soon as funds are released they are either withdrawn instantly or routed through a web of other accounts, making them difficult to trace or recover. In 2019, UK Finance, the trade body for banking and financial services companies, reported over 122,000 such incidents with gross losses of GBP 455.8 million.[7]
An upward trend
Fraudsters have been particularly busy during the Covid-19 pandemic, which provided an ideal opportunity to perpetrate fraud by taking advantage of lockdown anxieties and changes in online business practices.
This is an upward trend that Andrew believes is here to stay beyond the Covid-19 crisis. “We believe this trend is likely to continue as social engineering and the use of sophisticated cyber techniques to access company computers are yielding rich pickings for fraudsters.”
And these are rich pickings indeed: according to legal intelligence firm JD Supra, fraudsters earn around USD 75,000 per incident.[8]
“It’s a full-time job for a fraudster to scout for victims and exploit them,” says Andrew. “There are organised crime groups backed with funds, technological resources and employing professionals to carry out calculated attacks.”
Fight the Fraud
In an era of growing fraud, businesses must step up vigilance and investments in awareness training and technology to detect and prevent BEC. There is no room for complacency.
“Everyone in an organisation from the CEO down needs to be involved in preventing BEC,” says Lisa Robins, Global Head of Transaction Banking.
“Businesses need to discuss BEC attacks within senior management meetings and with account staff and understand its risk to the organisation. For example, by conducting risk assessments, areas of vulnerability can be identified and addressed. Staff should be encouraged to speak up if they see potential risks.”
“Together with cyber security, practical steps for preventing BEC scams means training and educating employees particularly those who execute payment transactions, with an emphasis on constant vigilance,” she adds.
Here are a few additional actions businesses can take:
- Never rush into making payments. Always question and validate new payments or changes to existing payment arrangements;
- Practise segregation of duties between the employees authorised to initiate instructions, those who approve payments and those who reconcile account balances;
- Emphasise the importance of good cyber security habits, e.g. avoid clicking on unknown links or downloading attachments from unknown senders, and hover the mouse over an email address or web link to check the domain it actually points to;
- Use strong passwords and implement two-factor authentication for online payment transactions and email accounts to minimise the risk of hacking;
- Provide regular fraud awareness and internal controls training for all staff.
Partnership against fraud
“Although our clients may be doing all they can to keep themselves safe from cyber criminals, fighting fraud is not an easy task that any one organisation can take on alone, and the Bank is a supportive partner”, says Lisa.
At Standard Chartered, we are committed to tackling all the financial crime threats we face by working with partners in the private and public sector. Where we identify red flags and typologies based on accounts used to receive the proceeds of fraud, we share these with regulators and our industry peers.
Together, we can mitigate financial crime and stop those that seek to profit at the expense of us all.
Three steps to fighting fraud:
Spot the warning signs: Check that the email address is correct. Hover your mouse over it to see whether the domain matches the one you expect. Look out for unexpected changes in the email domain, as this can indicate spoofing.
Stop: Never rush into payments. Always verify with the recipient before acting on any change to the recipient’s bank account details.
Report: If you suspect that you are a victim of fraud, report it to the Bank and to your local authorities straight away. The quicker you report it, the higher the chance of recovery.
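As an added example (not code from the article or the Bank), the following Python routine applies the warning-sign checks above to a message's From and Reply-To headers: an executive's display name on an outside address, a lookalike or changed sender domain, and a Reply-To that diverts replies elsewhere. The company domain, executive name and sample headers are constructed for the example.

```python
"""Flag the BEC warning signs listed above in email headers: an executive's
display name on an outside address, a lookalike or changed sender domain,
and a Reply-To that diverts replies elsewhere. Domain and name values are
assumptions for the example, not taken from the article."""
from difflib import SequenceMatcher
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-bank.com"}   # assumed: the company's own domains
EXECUTIVES = {"jane doe"}                 # assumed: names fraudsters impersonate
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Map look-alike characters so 'examp1e-bank.com' reads as the real domain."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def classify_domain(domain: str) -> str:
    """'trusted', 'lookalike' (near miss of a trusted domain) or 'external'."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return "trusted"
    for t in TRUSTED_DOMAINS:
        # Homoglyph match or >= 90% similarity catches one-character changes.
        if normalise(d) == normalise(t) or SequenceMatcher(None, d, t).ratio() >= 0.9:
            return "lookalike"
    return "external"


def check_headers(headers: dict) -> list:
    """Return the warning signs found in one message's From/Reply-To headers."""
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    kind = classify_domain(from_domain)
    warnings = []
    if kind == "lookalike":
        warnings.append(f"sender domain {from_domain!r} resembles a company domain")
    if name.lower() in EXECUTIVES and kind != "trusted":
        warnings.append(f"display name {name!r} used with outside address {addr!r}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from sender domain")
    return warnings


# Constructed samples: a genuine internal message and a CEO-fraud attempt.
GENUINE = {"From": "Jane Doe <jane.doe@example-bank.com>"}
SUSPECT = {"From": "Jane Doe <ceo@examp1e-bank.com>",
           "Reply-To": "jane.doe.private@mail.example.net"}
```

Running `check_headers(SUSPECT)` returns three warnings (lookalike domain, impersonated display name, diverted Reply-To) while the genuine message returns none; a mail gateway or mailbox rule can use the same checks to quarantine or label messages.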
[1] Proofpoint’s State of the Phish Report
[2] Business Email Compromise, The $26 Billion Scam
[3] Top 10 Cybercrime Claims: the AIG List
[4] FBI definition: BEC
[5] FBI definition: BEC
[6] Threat Spotlight: Barracuda Study of 3,000 Attacks
[7] Finextra: APP fraud losses
[8] JDSupra: FBI Warns Companies to Be Vigilant