Businesses have lost billions of dollars to a growing fraud known as the business email compromise (BEC) scam. Fraudsters impersonate company executives in emails that order staff to transfer large sums to accounts controlled by criminals, according to the Federal Bureau of Investigation.
According to the Internet Crime Complaint Center, losses incurred by U.S. businesses between October 2013 and August 2015 reached over $747 million, while those of non-U.S. businesses reached over $51 million in the same period.
When these totals are combined with those reported by international law enforcement agencies for the same period, the total exposed loss from BEC exceeds $1.2 billion.
According to an FBI Public Service Announcement, there has been a 270% increase in identified victims and exposed loss since January 2015. The scam has been reported in all 50 states and in 79 countries; however, the bulk of the fraudulent transfers are going to Asian banks located within China and Hong Kong.
The FBI’s alert said that fraudsters go to great lengths to spoof company email accounts and use other methods to trick employees into believing that they are receiving money-transfer requests from CEOs, corporate attorneys or trusted vendors.
“They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy,” the alert said.
The size of these losses varies widely from case to case.
Some tips to avoid becoming a victim of BEC scams:
- Verify any changes in a vendor’s payment location and their request for funds.
- Use a secure business e-mail service, rather than a free, web-based service because they are easily hacked.
- Be careful when posting financial and personnel information to social media and company websites.
- Be suspicious of requests for secrecy or pressure to take action quickly, especially when there’s a wire transfer involved.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- Create intrusion detection system rules that flag e-mails from domains that are similar to the company e-mail domain but not exactly the same, for example .co instead of .com.
- If possible, register Internet domains that are slightly different from your actual company domain, and add such look-alike domains to your spam detection system; for example, if abc-company.com is your domain, abc-company.co is not.
- Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
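As an added example (not from the article or the FBI alert), the following Python rule implements the look-alike domain check described in the two tips on flagging and registering near-miss domains; the company domain, the sample From: headers and the edit-distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed example: the company's real domain, as in the article's tip.
COMPANY_DOMAIN = "abc-company.com"
# Constructed sample From: headers to run the rule over.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@abc-company.com>",           # genuine
    "ceo@mail.abc-company.com",            # genuine subdomain
    "CEO <ceo@abc-company.co>",            # .co instead of .com
    "ceo@abc-cornpany.com",                # 'rn' imitating 'm'
    "ceo@abc-company.com.evil.net",        # our name as a subdomain of another domain
    "vendor@example.org",                  # unrelated external sender
]

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (simple DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Lower-case domain part of a From: header value, or '' if there is none."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def lookalike_verdict(from_header: str, company_domain: str = COMPANY_DOMAIN,
                      max_distance: int = 2) -> str:
    """Classify a sender as 'internal', 'lookalike' or 'external'."""
    dom = sender_domain(from_header)
    if not dom:
        return "external"
    if dom == company_domain or dom.endswith("." + company_domain):
        return "internal"
    # Same registrable name under another suffix (abc-company.co, abc-company.com.evil.net).
    if dom.split(".")[0] == company_domain.split(".")[0]:
        return "lookalike"
    # Small edits to the whole domain (abc-cornpany.com) are the other common pattern.
    if _edit_distance(dom, company_domain) <= max_distance:
        return "lookalike"
    return "external"

def flag_messages(headers: list[str]) -> list[str]:
    """Return the From: headers the rule would flag for review."""
    return [h for h in headers if lookalike_verdict(h) == "lookalike"]
```

The same verdict can drive a mail-gateway rule that quarantines or banners flagged messages rather than delivering them silently.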