If your business escaped an attempt at business email compromise this year, you’re well within the minority. Over 71% of US businesses are targeted by cyber attackers in this way every year. So, how can organizations recognize the signs? In this piece, you’ll learn about real-life examples of business email compromise, how the companies reacted, and how to prevent this type of fraud.
To block the effects of these attacks, work with Trustpair to continuously control suspicious transactions, and block third-party payments before they’re executed. Contact an expert to learn more!
What is business email compromise and how does it work?
Business email compromise (BEC) is one way that criminals exploit companies, with advanced social engineering techniques. These fraudsters impersonate a known source over the email channel with the intent to gain sensitive information or finances.
The teams behind BEC attempts are highly organized and usually do a lot of research about their targets. This makes the entire scam feel very realistic and genuine to the victim and puts pressure on them to comply with any request.
Here’s how it works:
- The fraudster researches the organization they will impersonate, maybe by hacking into their systems, to learn how they operate and make the scam more realistic.
- They also choose their target by researching team members, laying the groundwork for approaching unsuspecting employees.
- The criminal sends their phishing email (typically spoofing a real email address at a real third party) and uses pressure tactics like time deadlines to encourage the victim to participate.
- The victim complies with the request because it seems real, and hands over access to personal information or finances.
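The spoofed sender, the mismatched reply address and the pressure tactics described above are all things a mail gateway or a SOC triage script can check for. The following is an added example (not Trustpair's code or any product described on this page): a small Python red-flag scorer run over two constructed messages. The trusted domains, the executive name and the two messages are placeholders invented for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Placeholder organisation data: assumptions for this example, not real companies.
TRUSTED_DOMAINS = {"example-corp.com", "known-vendor.com"}
# Display names fraudsters like to impersonate, mapped to the real address.
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example-corp.com"}

# Pressure / urgency vocabulary typical of BEC requests.
PRESSURE = re.compile(
    r"\b(urgent|immediately|asap|today|overdue|wire|before (?:the )?end of (?:the )?day)\b",
    re.IGNORECASE,
)
# Requests to change where money goes.
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed?)\s+(bank|account|wire|payment)\s+(details|information|instructions)\b",
    re.IGNORECASE,
)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def within_one_edit(a: str, b: str) -> bool:
    """True when a differs from b by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one substituted character
    if len(a) > len(b):
        return a[i + 1:] == b[i:]       # one extra character in a
    return a[i:] == b[i + 1:]           # one character missing from a


def is_lookalike(domain: str) -> bool:
    """Untrusted domain one typo away from a trusted one (examp1e-corp.com vs example-corp.com)."""
    return domain not in TRUSTED_DOMAINS and any(within_one_edit(domain, t) for t in TRUSTED_DOMAINS)


def bec_red_flags(raw_message: str) -> list:
    """Return the sorted list of red-flag codes found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body

    flags = []
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply_to_mismatch")        # replies silently go elsewhere
    if name in KNOWN_SENDERS and addr.lower() != KNOWN_SENDERS[name]:
        flags.append("display_name_mismatch")    # known name, unknown address
    if is_lookalike(from_domain):
        flags.append("lookalike_domain")
    if len(PRESSURE.findall(text)) >= 2:
        flags.append("pressure_language")
    if BANK_CHANGE.search(text):
        flags.append("bank_detail_change")
    return sorted(flags)


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@webmail-example.net
To: accounts@example-corp.com
Subject: Urgent wire needed today

Please process this wire immediately, before end of day. New bank details attached.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 budget review

Attached is the budget summary for next week's meeting.
"""

if __name__ == "__main__":
    print("suspicious:", bec_red_flags(SUSPICIOUS))
    print("legit:", bec_red_flags(LEGIT))
```

Each code is a signal, not a verdict: a single flag such as a differing Reply-To is common in legitimate mail, so a gateway would typically route messages with several flags to a review queue rather than block outright.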
4 real-life examples of business email compromise
BEC can cause huge levels of devastation to businesses in the US, with $2.7 billion in losses last year alone. Here are four examples of BEC:
- Vendor fraud
- Third party fraud
- CEO fraud
- Gift card fraud
Vendor fraud
Vendor fraud happens when criminals impersonate a business's supplier. Typically, the supplier's invoice is intercepted and its payment details are changed, for example.
This is often successful thanks to social engineering techniques, like setting a short payment deadline, or stating that the payment is already overdue. It can be further exacerbated if organizations have no fraud detection mechanisms in place – such as an automated verification system for bank details.
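The automated verification of bank details mentioned above can be expressed as a simple payment gate: before a supplier invoice is released, its bank details are compared with the vendor master record and anything that differs is held for out-of-band confirmation. The block below is an added example, not Trustpair's product or the control used by any company named on this page; the vendor record, routing and account numbers, dates and invoices are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BankDetails:
    routing: str   # US ABA routing number, 9 digits
    account: str


@dataclass
class VendorRecord:
    vendor_id: str
    name: str
    bank: BankDetails
    bank_verified_on: date  # last out-of-band confirmation of these details


def aba_checksum_ok(routing: str) -> bool:
    """ABA routing numbers are 9 digits whose weighted sum (weights 3,7,1 repeating) is divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    weights = (3, 7, 1) * 3
    return sum(int(d) * w for d, w in zip(routing, weights)) % 10 == 0


def payment_decision(invoice: dict, master: dict, today: date, max_age_days: int = 365):
    """Return ("release", reason) or ("hold", reason) for the bank details on an invoice."""
    vendor = master.get(invoice["vendor_id"])
    if vendor is None:
        return "hold", "vendor not in master data; onboard and verify before paying"
    requested = BankDetails(invoice["routing"], invoice["account"])
    if not aba_checksum_ok(requested.routing):
        return "hold", "routing number fails ABA checksum"
    if requested != vendor.bank:
        # The classic intercepted-invoice case: same vendor, different destination.
        return "hold", "bank details differ from vendor master; confirm by callback to the number on file"
    if today - vendor.bank_verified_on > timedelta(days=max_age_days):
        return "hold", "bank details not re-verified within the last year"
    return "release", "bank details match verified vendor master record"


# Constructed vendor master record and invoices (placeholder numbers, not real accounts).
VENDOR_MASTER = {
    "V-1001": VendorRecord("V-1001", "Acme Solar Ltd",
                           BankDetails("123456780", "000111222"), date(2024, 3, 1)),
}
TODAY = date(2024, 9, 1)
GENUINE_INVOICE = {"vendor_id": "V-1001", "amount": 12500.00,
                   "routing": "123456780", "account": "000111222"}
TAMPERED_INVOICE = {"vendor_id": "V-1001", "amount": 12500.00,
                    "routing": "123456780", "account": "999888777"}
BAD_ROUTING_INVOICE = {"vendor_id": "V-1001", "amount": 12500.00,
                       "routing": "123456789", "account": "000111222"}

if __name__ == "__main__":
    for label, inv in [("genuine", GENUINE_INVOICE), ("tampered", TAMPERED_INVOICE),
                       ("bad routing", BAD_ROUTING_INVOICE)]:
        print(label, "->", payment_decision(inv, VENDOR_MASTER, TODAY))
```

The hold reasons deliberately point back to a callback on the phone number already on file, never to contact details supplied in the email or on the new invoice, since those are exactly the fields the fraudster controls.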
Example of vendor fraud (BEC): Save the Children
The well-known children’s charity was scammed in 2018 by BEC fraudsters. First, a cyberhacker accessed a genuine employee’s email account, and then sent out fake invoices for fabricated suppliers.
One of these was for non-existent solar panels built in Pakistan, for example. Since the charity had a base in the country and had many legitimate contractors in the area, this made the attempt convincing.
The charity’s accounts team fell for the scam and transferred over $1.1 million to the account, which the criminals withdrew instantly. Luckily, an insurance policy was in place, which meant that Save the Children recovered over $900,000 worth of funds – only losing a small portion in the end.
Third party fraud
Third-party fraud is similar to vendor fraud, but the criminals impersonate a separate organization, such as a software company or a reselling platform.
Here, fraudsters might attack the systems of the third party through BEC, and then contact your business through their legitimate systems. They might ask for a change in bank details for payment, or request a change of log-in info to your systems.
Without the ongoing due diligence checks that would flag suspicious emails like this, most businesses would fall into the trap of handing over personal information to fraudsters.
Example of third-party fraud: New Jersey Company
In 2018, a company in New Jersey was targeted through BEC by someone pretending to be its office landlord. The company was instructed to wire a very specific amount for rent: $51,040.99.
Unfortunately, the company in New Jersey didn’t have any sort of monitoring system for third-party risks. They complied with the request immediately. The impersonator, Anthony Dwayne King, was later convicted and jailed. The paper trail showed that he transferred a portion of these funds into his personal account the next day.
A note from the writer: as I am writing this piece, I have just received a phone call from someone pretending to be my phone provider. Fortunately, I’ve written enough of these pieces to spot the signs of fraudsters and vishing attempts. But it just goes to show that this is a practical issue affecting everybody – so training up your employees to be alert is oh so important!
CEO fraud
When a criminal impersonates a senior executive, it’s known as CEO fraud. Here, the BEC scam uses carefully crafted language so that the impersonator uses the same words and phrases as the CEO, and puts pressure on the victim to act fast.
The “CEO” might request that you send a payment to a new supplier, or set up the login details for a new contractor, for example. Generally though, they ask for an immediate fund transfer.
Example of CEO fraud: Pathe
In 2018, the film company Pathe fell victim to CEO fraud via BEC. The email channel became compromised when the country director of Pathe received an email from a fraudster impersonating the CEO.
The cybercriminal used sensitive inside information to convince the director that Pathe was in the middle of acquiring a company in the Middle East. What is even more surprising is that the director followed internal control policies and consulted several senior colleagues before taking action.
But the scam was so convincing that the director made the confidential payment of over $931,000 and three further payments during the month, which totaled over $21.5 million.
Gift card fraud
Gift card scams are newer than many other forms of business email compromise and reached peak popularity during the pandemic, when fraudsters exploited the move to remote work. Between January and September 2021, over $35 million in losses was reported from gift card scams involving Target gift cards alone.
The gift card scam works when attackers email your employees and ask them to go to a store and purchase gift cards using their company expense account. The scammer then asks for the card identification numbers, with which they can redeem the full balance remotely.
It worked because, during this transition period, there were ineffective control mechanisms around “work-from-home” policies. Employees were left without established rules to follow and had to make decisions independently. This opened the door to fraudsters.
Gift card fraud example: Rabbis targeted
In 2019, Jewish members of several synagogues fell victim to gift card scams, losing at least $2,500. The fraudsters impersonated a religious figure of authority (their rabbi) and knew the full name of these individuals, as well as other details about them.
They spoofed the rabbi’s real email address and used Hebrew phrases like “Shalom Aleichem” (peace be upon you) to make the ruse more convincing. What’s more, several of the rabbis had recently led conversations around fundraising, which made the timing of the attack line up perfectly.
Once the gift cards were purchased, the fraudsters followed up asking for the identification codes of the cards. They then redeemed all the funds themselves. All of this took place without any sort of hack on their web systems, just very clever language and convincing targeting.
How can you protect your business against it?
Protecting your business against BEC isn’t quite as simple as upgrading your firewall or opting for a better email spam filter. These measures might be fairly successful, for a short period of time. Unfortunately, criminals these days have been able to get around these barriers with complex technology and new techniques.
So, it’s important to inform your employees of the scams they might be targeted by, and train them to spot the signs. For example, fraud awareness training most commonly covers the following topics:
- Fraud red flags
- Fraud reporting procedures
- Anti-fraud controls
However, placing all reliance on human factors is unlikely to be 100% effective. Instead, weaving automation into your processes provides a more reliable method for protecting against BEC scams.
For example, Trustpair’s anti-fraud payment platform verifies company information to find red flags. We spot suspicious recipients, automatically block payments and protect your company, even when employees fall victim to BEC fraudsters.
There are many examples of business email compromise. Phishing scams through BEC are common. They can be channeled through malicious vendor impersonation, fraudulent CEO pretenders, third-party phishing emails, and criminals asking your employees to buy gift cards. Fraudsters use social engineering tactics to improve their chances, but your business can rely on Trustpair to protect its payments from BEC scams.