Business Email Compromise (BEC) Attacks: The Top Cause of Payment Fraud

More organizations suffered payment fraud attempts from business email compromise (BEC) attacks than any other method in 2019, according to a recent report from the Association for Financial Professionals. In BEC attacks, fraudsters attempt to deceive employees into making payments by sending phishing emails that impersonate company executives, vendors or other trusted sources. The AFP, which represents professionals working in treasury and other financial roles, found that BEC attacks became more prevalent last year than any other payment fraud tactic, including forged checks and stolen credit cards; three quarters of surveyed organizations experienced BEC attempts.[1]

It’s not all bad news, though: Even though the number of organizations experiencing BEC attacks in 2019 was extremely high, it was actually slightly lower than the preceding year, marking a turnaround after four straight years of growth. And fewer organizations lost money: 38% reported losses due to business email compromise attacks, compared with 54% the previous year.

The reduced losses are partly because organizations have implemented security awareness training and controls that enabled them to recognize and prevent more attacks. Unfortunately, the improvements were by no means evenly distributed: among big organizations with revenues over $1 billion, fewer were able to avoid becoming victims than in previous years. While most organizations encountered relatively few BEC attempts, 10% to 20% of respondents faced as many as 100 last year, and a handful experienced an even greater number of attacks.

According to Tom Hunt, AFP’s Director, Treasury Services, “payment professionals are smarter now, so they’re more apt to identify BEC attempts” targeting corporate treasury organizations. “But it’s concerning that the attacks are shifting more into the rest of the organization, and especially into accounts payable. Especially with large companies characterized by greater segregation of duties, lax controls can cause problems, especially if internal audit isn’t measuring how payment policies are being followed outside the treasury.” The AFP report says BEC attacks also occurred against human resources, operations, sales and marketing, executive management, and other areas of the business.

Vendor Impersonation is Rising

Traditionally, fraudsters have often impersonated senior executives or payroll processors, according to the AFP. Those attacks continue, but there’s increasing impersonation of vendor business partners. “More vendors are getting their systems hacked, so hackers can easily provide fictitious information in the name of legitimate trading partners,” says Hunt. “If an A/P clerk isn’t following protocols by calling the phone numbers on file for a trading partner, or even faxing, they’re much more vulnerable.”

Many business email compromise attacks attempt to extract payment via wire transfers, in which money is transferred immediately and often is not recoverable. But as more organizations have recognized the fraud risk associated with one-off wire transfers and taken steps to prevent it, some criminals are exploiting slower ACH electronic payments instead. While there’s typically more time to reverse fraudulent ACH payments if they’re discovered, Hunt points out that these payments may fly beneath the radar at many organizations, because the individual payments are routinely processed as part of large batches. As a result, ACH fraud may not be discovered in time unless a vendor happens to call to ask about the status of a payment that hasn’t been received, and the company realizes it went to the wrong account. “Whatever processes and policies you have for wires should be replicated across other payment types,” Hunt says. “Trust but verify. Carefully validate requests to change banking information. Build processes around known callback contacts, and keep that information up-to-date.”

End-user Awareness Training is Critical

End-user security awareness training is critical to preventing successful business email compromise attacks, Hunt stresses. “That’s a constant and ongoing challenge, as the threats evolve and fraudulent messages look increasingly authentic.” When it comes to education, cybersecurity and finance professionals can collaborate and support each other. “Be vigilant in keeping your training up-to-date. And create an environment where it’s OK to question, especially about payments: to validate, revalidate, confirm changes, and ask for follow-up, even if that sometimes delays the process.”

As part of their cybersecurity education, employees should be reminded that BEC attempts don’t always directly involve payments. Criminals may also ask for personally identifiable information (PII) or employee W-2 forms, which they can then use to steal tax refunds or break into individuals’ personal financial accounts. This can cause reputational damage to the organization, as well as financial damage for the unfortunate individual.   

Since AFP conducted its research, the coronavirus pandemic has caused enormous disruption for organizations and triggered an increase in malicious cyber activity. “With people working at home, we’re hearing about more fraud attempts exploiting the vulnerability of communications, and people not following internal procedures they would routinely follow in the office,” says Hunt. Collaboration between treasury and IT security around risk management is more important than ever. Hunt suggests that treasury and cyber security professionals can work together more closely to identify fraudulent emails and block corresponding IP addresses before recipients can be tempted into costly mistakes.

The Bottom Line

Business email compromise remains a threat to all organizations. BEC attacks increasingly target employees in multiple departments across the organization, leverage hacks against supply chain partners, and pursue lower-profile ACH payments instead of wire transfers. To beat them back, financial and cybersecurity professionals need to work together—focusing on security awareness training as well as secure email technology, strengthening payment processes, and building a culture where employees are encouraged to raise questions and double-check doubtful requests.

[1] 2020 AFP® Payments Fraud and Control Survey Report, Association for Financial Professionals