Know the signs of business email compromise, or risk losing money that can never be recovered

Business email compromise (BEC) fraud has been increasingly successful, so it has become more pervasive. The FBI recently reported a 270 percent increase in identified victims and exposed loss from BEC events between Jan. 2015 and April 2016.

“They’ve invested more time and better tools to ramp up the level of sophistication to improve their success rate,” says Jim Altman, middle market Pennsylvania Regional Executive, Huntington Bank. “It’s an easy way to get money and it will continue until it’s not.”

Smart Business spoke with Altman about BEC, how to identify it and what CEOs can do to stop it from happening in their companies.

What are the characteristics of BEC fraud and what forms might it take?

BEC happens when a fraudster masquerades as a company executive and uses what appears to be the executive’s company email address in order to instruct employees to move money to an account the fraudster can access.

These messages typically have a sense of urgency, saying something such as, ‘I’m traveling so I won’t be able to respond to email quickly, but I need you to make this transaction for me.’ They typically ask employees to send money to someone they’ve never sent money to before using a wire transfer — and the money can’t be recovered once it has been moved.

Years ago, these emails were often poorly written. But the sophistication has ramped up, making it far more difficult to identify fraudulent emails by that characteristic. They’re also including personal information about the executive obtained through social media, such as, ‘I’m on a campus visit with my daughter and need money sent to this account.’

There’s also a variation of this email involving vendors. In this case, a fraudster compromises a vendor’s email and tells an employee of a client company that the vendor company has switched banks or accounts and payments should be transferred there. That account, of course, doesn’t belong to the vendor.

What could be the consequences of falling victim to BEC fraud?

From a bank’s perspective, these appear to be valid transactions, so it’s not likely to trigger an inquiry by the bank. Companies that can recognize that they’ve been victimized quickly enough can work with their bank to get a hold placed on the funds being transferred, but that’s extremely time sensitive. Usually the money is moved as soon as it hits the fraudster’s account. If that’s happened, there’s little chance of recovering those funds.

Still, the bank’s investigation unit will engage law enforcement to find the fraudster. That, however, doesn’t help get the money lost back into the company’s accounts. Law enforcement is looking for patterns over time to identify and catch fraudsters, but that doesn’t solve the immediate problem of recovering the money that was lost.

How can companies avoid becoming a victim of BEC fraud?

This type of fraud is occurring with greater frequency and companies are taking losses. Preventing it starts at the top. CEOs should send the message down through the organization that it’s not only appropriate but imperative to question an uncommon request and to do so by phone, not in an email response to the person making the request. Instruct employees to knock on executives’ office doors or call, and be comfortable doing so. That’s the toughest part. The cultural norm is that CEOs give instructions and employees follow through with them. Adding this caveat requires a direct approach.

If the fraud is masked as a vendor, there should be a standard procedure employees use to verify the request. Again, don’t rely on email alone. Validate and verify this type of request through another channel to the vendor contact on record.

Communication within an organization is critical to preventing fraud. Anyone who can approve financial transfers within the company must be trained how to spot BEC fraud. Procedures should be in place that instruct these employees how to determine whether a request is or is not valid. In this case, a little prevention goes a long way toward combatting this increasingly common and sophisticated threat.

Insights Banking & Finance is brought to you by Huntington Bank