The Business E-mail Compromise scam has been around for a few years, but as a new analysis from the FBI’s Internet Crime Complaint Center shows, it is a scam that has grown so large that it costs American companies hundreds of millions of dollars a year. Worldwide, this scam racked up more than $5 billion in losses or attempted losses between October 2013 and December 2016.
There are a number of variations on how this scam works, but here are the basics:
The fraudster either spoofs an e-mail account or is able to hack an account at a victim company. The fraudster then sends an invoice to a second company demanding payment. Both companies typically have a long-standing relationship, and that invoice doesn’t look out-of-the ordinary. The fraudster arranges for the funds to be wired to an account he controls.
In a variation of this scam, the fraudster gets control of an e-mail account belonging to an executive at the victim company—a CEO, CFO, or the like. Using that executive’s persona, he sends a request to the finance department asking for a payment to be wired to another vendor immediately. The unsuspecting employee makes the transaction happen quickly to keep the boss happy. Regardless of how the scam plays out, the victim company suffers the loss.
Of particular concern in Oregon are the small and medium-sized businesses that are getting hit by this scam. Due to their size, they are often less likely to prepare for or recover from such a scam.
So what can businesses do? Here are a few options:
- Require digitally-encrypted signatures by businesses on both ends of a transaction.
- Require two-factor verification for money transfers, particularly big ones. For example, you could require a telephone call to confirm significant wire transfers either within your company or between your company and a vendor. Be sure to set up this protocol early in the business relationship and outside the e-mail environment. When the fraudster hacks your e-mail account, you don’t want him to be able to see how to evade your security protocols.
- When confirming requests, don’t rely on phone numbers or e-mail addresses embedded in the request. Look up the number from an external source when calling.
- For e-mails, make sure you “forward” your response as opposed to hitting “reply”. That way, you are using a real—not spoofed—e-mail address by manually typing it in or accessing it from your existing contact list.
- Train your employees to watch for suspicious requests such as change in a vendor’s payment location.
If you suspect that a fraudster has victimized your company, it is important to act quickly. Contact your bank right away, and call your closest FBI office. Also, make sure you report the incident to the Internet Crime Complaint Center at www.ic3.gov.