As Aisha Kitchlew, senior manager of fraud and cybercrime at ATB, confirms, BEC scams have been common for several years already. The fact that many businesses are still so ill-prepared to protect themselves demonstrates the importance of ramping up awareness and education efforts—as well as making the internal policy changes that have proven most effective at stopping BEC scams before they damage an organization.

“Employees of business organizations are using personal devices and home network connections for work purposes, putting these organizations at a higher risk of a cyber attack,” says Kitchlew. “Some organizations may not have enough control over these devices or networks to protect themselves. Because of the human element embedded into a sophisticated scam like BEC, it can be very easy to overlook the red flags.” 

Typically, BEC perpetrators are sophisticated, organized and well-funded. Most victims do not detect the fraud attempt until it’s too late. 

Cyber criminals are zeroing in on BEC as their preferred modus operandi for a good reason: it’s extremely lucrative. Also known as a “man-in-the-middle” scheme, BEC can be perpetrated using a number of methods, which means that bad actors often have multiple avenues of executing a scam available to them.

This type of fraud attack method is made even more attractive by the fact that—ironically for a scheme that exploits technology dependence—it has low technology requirements. Furthermore,  the risk of criminal prosecution for BEC is low while success rates are very high.

While there are numerous methods a cyber criminal can use to execute a BEC scam, the end goal is always the same: to convincingly request fraudulent and unauthorized fund transfers.

Bad actors compromise official business email accounts of the targeted organization and impersonate trusted identities, such as executives or senior leadership, who have the authority to request large fund transfers. The fraudster either creates an email address that mimics the address belonging to the person of authority (a practice known as spoofing), or compromises that person’s real email inbox by gaining access to their login credentials. Fraudulent requests for funds that appear to be sent from legitimate email addresses often include an element of false urgency—for instance, claiming that the targeted executive is off-site or unable to be contacted but has requested that a transfer be executed immediately. It’s not uncommon for the impersonator to make several follow-ups, usually via email,  before any red flags are detected by the employees responsible for responding to the fraudulent request.

According to recent cybercrime statistics, BEC has resulted in losses of more than $26 billion dollars from unsuspecting victims worldwide.

Closer to home, the Canadian Anti-Fraud Centre (CAFC) reports that average losses in a BEC case are typically over $100,000 CAD. Of over forty different types of fraud methods identified by the CAFC, BEC is currently responsible for some of the largest losses being experienced by Canadian businesses.

Criminals look for organizations (of any size) that regularly send wire transfers or other external fund transfers to pay suppliers and vendors for goods and services. In most cases, these businesses have high volumes of outgoing transactions with similar characteristics, allowing fraudulent transfers or requests to seem like normal day-to-day account activity.

High-profile companies are just as susceptible to BEC scams as relatively unknown organizations are. In 2017, Fortune reported that Google and Facebook had lost a total of $100 million USD to a fraud threat group using a BEC phishing scheme. While the threat group was eventually convicted and the majority of the funds recovered and returned to their respective organizations, it’s important to note that few attacks of this scale have such a positive outcome.

While BEC fraud might seem sophisticated, it is usually very simple to execute—and thus, in theory, simple to protect against. There are several practical and cost-effective ways organizations of all sizes can reduce their exposure:

• Create a BEC policy and implement the following controls:
  • Document best practices, procedures and security measures to follow.
  • Verify any requested changes, especially to bank account or payment details. Have sign-off measures in place in the case of requested changes to payment details.
  • When verifying a request, pull contact information from an independent source (for instance, an official webpage or the company switchboard) and use a different method of contact from the request.
  • Require multiple levels of sign-off for any fund movements and ensure that appropriate segregation of duties is implemented.

• Train and educate all employees on your BEC policy and security procedures. It’s important to think of fraud prevention as everyone’s responsibility, and not solely an IT issue. Train and test those with the responsibility to make payments on red flags, so they know what to look for and can identify any scams before it’s too late. (While fraudulent emails can seem extremely convincing, it’s important to remember that no legitimate business, institution or authority will request banking information to be communicated through an email.) Create a culture of awareness so that your team members can report any incidents (real or attempted) immediately. Your financial institution is in a much better position to partner with you when they are notified immediately.

• Conduct an assessment of your IT security. Whether you hire an outside agency or conduct a risk assessment internally, it’s important to identify your technological vulnerabilities, especially of your email system. Small changes such as applying advanced filters and limiting permissions can help secure your network and block access points, reducing the likelihood of a successful BEC attack.

• Keep software and security measures current. Use Fraud Prevention Month (March) and Cybersecurity Awareness Month (October) as regular reminders to evaluate your fraud prevention programs. Visit the Association of Canadian Fraud Examiners, The Canadian Centre for Cyber Security, Chartered Professional Accountants of Canada and ATB for updates on fraud trends, and access free resources and toolkits to improve your online security and fraud prevention measures. Protect yourself from a cyber attack by taking the Association of Certified Fraud Examiners (ACFE) fraud prevention check up.

• Report incidents and keep evolving and strengthening your defenses. Recent advancements in AI-powered defense systems offer new hope in the battle against BEC fraud, and are already helping businesses stand their ground against the epidemic of attacks.

1. Contact your financial institution immediately. The sooner they are aware of the situation, the more efficiently they can support you.
   
   
2. Take action. Consider using a reputable IT firm to assist in scanning your devices to ensure any malware is identified and any infected hardware is promptly quarantined for removal. It is also very important to reset all impacted credentials and passwords, such as those for online banking and email accounts.
   
   
3. Notify. Contact the two main credit reporting agencies, Equifax and TransUnion, and provide details on the incident. Ensure that a fraud alert is placed on your credit reports for any future applications made using your identity. This will prompt the creditor to contact you at a phone number you provide before approving any additional lending or opening new accounts. You may consider placing a temporary security freeze on your credit report to stop any fraudulent activity from taking place in the immediate future.
   
   
4. Report. Consider reporting to: Your local law enforcement agency and The Canadian Anti-Fraud Centre (CAFC). Visit the CAFC website to learn about any next steps you should take.
   
   
5. Protect yourself. Ensure you have enabled two-factor authentication, especially for banking services, and have proper password hygiene protocols in place.
   
   
6. Educate yourself and your team. The best defense against a fraud incident is education; understanding and knowing what you are up against will allow you to consider what controls are best suited for your business. Consider using resources such as the Canadian Anti-Fraud Centre website, in combination with ATB’s cybersecurity toolkit on how to protect your business from cyber theft and payment fraud.

As hackers develop increasingly sophisticated tools to breach our rapidly expanding technological spaces, it’s crucial to integrate a cyber security strategy to defend your organization against a plethora of ever-evolving fraud threats. BEC isn’t the only threat to your company’s funds and information. Other types of fraud could include:

Vendor email compromise (also known as supplier phishing)

How it works: Vendor email compromise targets businesses that have well-established relationships with suppliers. The fraud actor uses a spoofed or compromised email account to impersonate the business, and requests that the supplier provide payment via wire transfer to a fraudulent account.

Phishing scams

How it works: Fraud actors call or send emails or texts to employees in an attempt to acquire sensitive information. Usually, they will try to mimic a genuine website, company, governing body or even employee in an attempt to make the target believe it’s safe to disclose the requested information. Typical phishing messages will ask the recipient to reconfirm, re-enter or input bank details (or similarly private information) in order to get a refund, pay postage on something the recipient supposedly ordered, or unlock an account. There are several different types of phishing:

• Spear phishing: Phishing scam in which fraud actors compromise email accounts in search of a specific piece of information.
• Vishing: Phishing scam done over the phone instead of email.
• SMiShing: Phishing scam perpetrated via SMS texts.

Every business is vulnerable to BEC, regardless of size, reputation or industry. While you may have gone to great lengths to protect your physical assets — have you applied the ingenuity, innovation and determination to ensure your digital information is safe? As hackers continue to evolve in their approach, business leaders are called to be savvier than ever before. Integrating the right processes, controls and tools into your operational structure is crucial in mitigating risk.