What is business email compromise (BEC) fraud?

Business email compromise (BEC) scams are one of the top four major cybercrime threats to US networks, targeting a range of entities from small local businesses to large corporations, and personal transactions. Security vendor Abnormal Security’s H1 2023 threat analysis showed that attacks increased by over 81 percent in 2022.

With the increasing threat of BEC fraud, more firms are looking to take additional steps to safeguard themselves and their customers. This article explores the nuances of BEC fraud, offering compliance professionals guidance and practical tips to help them mitigate this risk and improve their firm’s fraud risk management protocols.

What is business email compromise fraud?

Business email compromise (BEC) fraud is a type of cybercrime where attackers manipulate or compromise email accounts with an organization to defraud the company or its employees. These scams often involve convincing employees to transfer money to fraudulent accounts or disclosing confidential data, resulting in significant financial losses for the targeted organization. 

BEC fraud examples

BEC fraud can take various forms, including:

• Invoice fraud: Scammers send fake invoices or payment requests to a business’ finance department, posing as legitimate suppliers or vendors. The goal is to trick the company into making payments to the fraudster’s account instead of the vendor’s. 
• CEO fraud: The attacker impersonates a high-ranking executive, often the CEO or CFO, and sends emails to lower-level employees or finance departments, instructing them to make urgent wire transfers or payments to a fraudulent account. These emails appear convincing and often exploit a sense of urgency.
• Attorney impersonation: Fraudsters may impersonate lawyers or legal representatives and send emails to businesses, claiming that a sensitive legal matter requires immediate action. They might request wire transfers to settle made-up legal disputes or legal fees.
• Gift card scams: Cybercriminals may impersonate company executives and request that employees purchase gift cards and share the card codes via email. The fraudsters then use these gift cards for personal gain. 
• Vendor email compromise: Hackers access a vendor’s email account and use it to send payment change requests or fake invoices to the vendor’s customers. Unsuspecting businesses end up making payments to fraudulent accounts, thinking they are dealing with their legitimate vendor.
• Data theft: Instead of financial gain, some BEC attacks focus on stealing sensitive company data. Attackers may impersonate employees or management to request sensitive information such as customer data, intellectual property, or financial records. 

BEC fraud and real estate

According to the FBI’s 2022 Internet Crime Report, the real estate industry has become the most targeted sector for BEC scams for two consecutive years, with losses amounting to $2.7 billion. 

In March 2023, the Financial Crimes Enforcement Network (FinCEN) published a report that analyzed financial trends relating to BEC scams in the real estate sector. The report used Bank Secrecy Act (BSA) data from January 2020 to December 2021 to provide money laundering typologies that were used by BEC attackers, such as:

• The use of money mules to hide the movement of funds following a BEC attack. 
• The recruitment of unwitting money mules through social media sites and dating apps using romance scams and elder abuse.
• The convergence of multiple fraud types with BEC scams, such as identity theft, economic injury disaster loans fraud, and stimulus payment fraud
• The use of alternative payment methods that were used to convert illicit proceeds, including online payment platforms and convertible virtual currency (CVC).

According to FinCEN, title and closing entities are the most commonly impersonated BEC incidents, representing almost 40 percent of recorded attacks. Other impersonated parties included realtors (23 percent) and investors (16 percent).

A Guide to AML/CFT Reforms in the US Real Estate Sector

Learn how real estate businesses can respond to US authorities' new measures for improved corporate transparency and financial crime risk management.

Download Your Copy

How do BEC scams work?

While the strategies fraudsters use inevitably vary depending on the type of scam being attempted, there are four steps typically involved in BEC fraud:

1. Fraudsters research the business they plan to attack.
2. Phishing, credential theft, or malware infections enable fraudsters to compromise an email account.
3. Once inside the account, fraudsters can send emails that appear to come from a trusted source within the organization.
4. Attackers use psychological manipulation to make wire transfer requests seem legitimate and time-sensitive.

However, as compliance staff well know, fraudsters are constantly changing their tactics to avoid detection. To keep up with new scams and emerging typologies, many companies are now prioritizing powerful fraud detection solutions that can identify patterns in fraudulent behavior and quickly adapt to new threats.

BEC fraud red flags

As with most cyber-enabled financial scams, BEC fraud can be difficult to spot. However, being aware of the following red flag indicators can help firms stay protected:

• Last-minute changes in wire instructions or recipient account information.
• Unexplained urgency. 
• Request for complete confidentiality.
• Communications conducted solely through email and refusal to communicate via telephone or online voice and video platforms.
• Requests for advance payment of services when not previously required.
• Requests from employees to alter direct deposit information.
• Threats or unusual flattery/promises of reward.

To report BEC scams, US firms must contact the FBI’s IC3 or the nearest United States Secret Service (USSS) field office. FinCEN also reminds firms to contact the Office of Foreign Assets Control (OFAC) if there is any reason to suspect a cyber actor may be sanctioned or have a sanctions nexus. 

BEC fraud risks

BEC fraud can pose several significant risks to organizations, including:

• Financial losses.
• Reputational damage.
• Legal and regulatory consequences.
• Operational disruptions.
• Data breaches.
• Supply chain risks.
• Reduced employee morale.
• Remediation costs.
• Business continuity.

In light of these risks, the Biden administration’s Interim National Security Strategic Guidance identified the need to strengthen cybersecurity defenses against the increasing prevalence of malicious cyber activity. As part of this effort, the government has funded the “Shield’s Up” initiative, led by the Cyber Infrastructure Security Agency (CISA). The initiative focuses on three key recommendations to enhance cybersecurity preparedness:

1. Rapid detection of potential intrusions.
2. Adequate preparation to respond to any intrusion.
3. Maximum resilience to withstand a damaging cyber incident.

How to detect and prevent BEC fraud

To effectively mitigate the risk of BEC attacks, FinCEN has compiled the following guidelines for compliance staff:

• Report BEC scams and fraudulently induced wire transfers to law enforcement within 72 hours of the transaction.
• When filing a suspicious activity report (SAR) related to BEC, provide transactional and cyber-related information about the incident.
• Communicate and share information with other financial institutions (FIs).
• Assess the vulnerability of business processes and systems and consider taking action to increase resiliency.
• Adopt a multi-faceted transaction monitoring system.
• Provide training and awareness building to identify and evade spear phishing attempts.

These guidelines are designed to help compliance staff take the necessary steps to prevent, detect, and report any BEC scams or fraudulently induced wire transfers. By following these guidelines, FIs can better protect themselves and their customers from the risks associated with BEC attacks.

Mitigate BEC fraud risks with automated solutions

To address the growing threat of BEC fraud, it is crucial for firms to ensure their fraud detection solutions are capable of identifying common scenarios and predicting future risks. This can be achieved in a cost-effective and efficient manner by implementing an AI overlay to existing tools. AI overlays not only eliminate the need for a complete system overhaul but also enable organizations to customize their rule sets and prioritize the most high-risk alerts, making it easier for analysts to quickly identify and investigate actual incidents.

A risk-based approach built around customer profiles, security, and payment flows is also key to a robust fraud risk-mitigation program – alongside employee and customer awareness of red flags.