Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
January 22, 2018
Business Email Compromise Is a Growing Threat
In April 2016, I wrote about the work of the FBI’s Internet Crime Center (IC3) and the rise of reported cases of business email compromise (BEC) attempts. BEC involves what looks like a legitimate email from another employee or customer requesting a transfer of funds. Since I wrote that post, BEC attempts—both successful and prevented—have continued to increase dramatically. The latest figures from the IC3 website show that from January 2016 through June 2017, BEC attempts totaled $223 million, with losses at $148 million. BEC scams are also attracting a wider variety of criminals, including individuals, small gangs, and professional groups.
At first, the fraudsters primarily targeted financial institutions and businesses dealing in frequent and large-value transfers, such as law firms handling real estate or trust account transactions. But as fraudsters have proliferated, they've begun targeting companies of all sizes. Last May, the FBI issued another BEC alert, which includes useful descriptions of BEC scenarios based on actual cases.
The BEC attempt is usually not the start of the criminal activity but rather the culmination of an extended effort that began with the criminal hacking a business's financial records. The hack may have occurred when an employee opened an email with a bogus attachment or link that loaded malware on the computer, or when the criminal purchased a user's credentials off the dark web. Once the fraudster has accomplished the intrusion, a period of information gathering begins. The fraudster obtains current accounts payable records, wire transfer transactions, and transfer procedures, and may also comb social media for information that could be useful. Perhaps a targeted company official will be out of town attending a conference, or on vacation and difficult to contact.
BEC attempts generally have the following common elements:
- It is a funds transfer request.
- The request is based on a routine event or legitimate transaction.
- The bank account where the transfer is to be sent is new or has been modified in some way from previous transactions, or the requested method of payment is different.
- The request often carries a sense of urgency—late fees or breach of a contract are threatened—to encourage bypassing of controls.
To avoid falling into this trap, it is imperative that businesses have strong funds transfer controls that are monitored to ensure compliance. Also, businesses should have a continuing program of internal education (and perhaps testing) for all employees involved in funds transfer requests. The FBI suggests that the best control is to verify transactions through a second, independent means, similar to two-factor authentication.
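The indicators above (a transfer request tied to a routine event, a beneficiary account or payment method that differs from what is on file, urgency language) and the FBI's "second, independent means" advice translate directly into a pre-release screen for outbound transfers. The following is an added example written for this post, not code from the Atlanta Fed or the FBI; the vendor master, the field names, the urgency phrases and the sample request are all constructed. The point it makes is that any flagged transfer may only be released after verification over a channel other than the requesting email, using contact details taken from the vendor record rather than from the request itself.

```python
"""Pre-release screening for outbound funds transfers (constructed example).

Flags the BEC indicators described in the post and enforces out-of-band
verification before a flagged transfer is released. All names, records and
phrases below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Urgency phrases of the kind the post mentions; a real deployment would tune these.
URGENCY_TERMS = ("immediately", "urgent", "late fee", "breach of contract")


@dataclass(frozen=True)
class VendorRecord:
    name: str
    account: str          # beneficiary account on file in the vendor master
    method: str           # "ach" or "wire"
    callback_phone: str   # number on file; never taken from an incoming request


@dataclass(frozen=True)
class TransferRequest:
    vendor: str
    account: str
    method: str
    amount: float
    message: str          # body of the email that requested the transfer


@dataclass(frozen=True)
class Verification:
    channel: str          # "phone", "in_person", "email", ...
    contact_used: str     # the number or address the verifier actually called


# Constructed vendor master; in practice this comes from the AP system.
VENDOR_MASTER = {
    "Acme Supply": VendorRecord("Acme Supply", "111222333", "ach", "+1-555-0100"),
}


def screen_request(req: TransferRequest) -> list[str]:
    """Return the BEC indicators present in a transfer request, in a fixed order."""
    flags: list[str] = []
    vendor = VENDOR_MASTER.get(req.vendor)
    if vendor is None:
        flags.append("unknown_vendor")
    else:
        if req.account != vendor.account:
            flags.append("beneficiary_account_changed")
        if req.method != vendor.method:
            flags.append("payment_method_changed")
    text = req.message.lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency_language")
    return flags


def release_allowed(req: TransferRequest, verification: Optional[Verification]) -> bool:
    """Allow release only if the request is clean, or if it was verified through a
    channel independent of email using the contact details on file."""
    if not screen_request(req):
        return True
    if verification is None or verification.channel == "email":
        return False          # replying to the requesting email proves nothing
    vendor = VENDOR_MASTER.get(req.vendor)
    if vendor is None:
        return False          # no trusted contact on file; needs onboarding first
    return verification.contact_used == vendor.callback_phone


if __name__ == "__main__":
    sample = TransferRequest(
        "Acme Supply", "999888777", "wire", 48000.0,
        "Please wire immediately to our new account or a late fee applies.",
    )
    print("flags:", screen_request(sample))
    print("release without verification:", release_allowed(sample, None))
    print("release after callback to number on file:",
          release_allowed(sample, Verification("phone", "+1-555-0100")))
```

The comparison against the vendor master is what catches the "new or modified" account and the changed payment method; the urgency check is deliberately a weak signal and only adds a flag. The release rule is the control that matters: a callback to a number supplied in the suspicious email, or an email reply, does not count as verification.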
There are several actions a business can take if it becomes a victim of BEC:
- Immediately contact the receiving financial institution to see if the funds can be frozen.
- Notify all relevant employees of the attack—multiple employees are often targeted.
- Contact the FBI or the Secret Service.
- Conduct an internal investigation to determine the point of compromise, and then take the necessary corrective action.
Finally, financial institutions with customer education programs should consider providing business customers with materials regarding this threat.
We are interested in hearing from you about your experiences with BEC and preventive practices. Criminals are constantly changing their attack methods and sharing information is a valuable way to help develop best practices.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed