BankThink

Email B2B fraud protection can't be left to employees

An embarrassing but persistent form of fraud to which many companies fall victim is business email compromise (BEC). Any company that initiates or settles payments via wire transfer or ACH is susceptible to BEC.

And while this fraud tactic can take several forms, BEC is usually executed using a spoofed email that appears to originate from within an organization and requests settlement, or that asks accounts payable to update a billing account; it may even originate from an executive’s hacked account, instructing that money be sent immediately to an account the fraudster controls.

Employees are then tricked into initiating payments from a request that appears to be coming from someone within a trusted organization, falling victim to the social engineering technique. Although it’s relatively easy for unsuspecting members of an organization to fall victim to this form of fraud, the cost to an organization can be immense.


Recently, The New York Times reported that one lone fraudster was able to steal a total of $100 million from tech giants Google and Facebook using BEC tactics. BEC has been so lucrative that the FBI reports a 46% year-over-year uptick. The Association for Financial Professionals (AFP), meanwhile, reported that in 2018, 80% of surveyed businesses reported being targeted by a BEC scam, up from 77% the year prior. And, for the first time, the AFP found that a majority of businesses surveyed (54%) admitted to being financially impacted as a result of BEC.

BEC is relatively low-cost to execute, but the per-transaction gain makes it a lucrative venture for fraudsters. In addition, fraudsters have one big advantage: human error. While many companies have been proactively educating employees on email security best practices, an automated verification system is the most effective way to reduce BEC-related losses.

How can businesses better protect against BEC? Businesses should consider deploying checks and balances (i.e., compliance controls) at various points of the payment or disbursement process. Before a request is processed, internal tools, such as those that automatically verify incoming requests against known vendor accounts, can proactively prevent fraud. Verifying current ownership information on accounts, in real time, prior to disbursement, can also help prevent BEC losses.

In the unfortunate event that an employee falls for social engineering and is enticed to act on a fraudster's request, implementing yet another compliance control can help prevent unauthorized payments. Such controls include tools that allow an institution to confirm bank account status, account ownership and, at an even more detailed level, transaction authority prior to payment or disbursement.

Another way this fraud can be detected is by using an email and social identity verification solution. Fraud operators will typically create the fraudulent email address days before executing the crime. A solution that can provide the date an email address was created, along with the name assigned to it, will better protect a company against BEC attacks. Detecting spoofed emails can be trickier and can involve examination of email header information.
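As an added illustration (not code from this column or from any vendor's product), the Python sketch below combines the two controls described above: checking the account in a payment request against the approved-vendor record, and inspecting the email's headers (a Reply-To domain that differs from the From domain, and the SPF/DKIM/DMARC verdicts in Authentication-Results) before a disbursement is released. The vendor registry, the sample message and the function names are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed vendor registry (hypothetical): the account and sender domain on
# file for each approved vendor. In production this is the AP master file.
KNOWN_VENDORS = {
    "acme supplies": {"account": "123456789", "domain": "acme-supplies.example"},
}

# Constructed sample request showing the classic BEC pattern: a lookalike
# Reply-To domain, failing authentication, and a "new" bank account.
SUSPICIOUS_REQUEST = """\
From: Accounts <billing@acme-supplies.example>
Reply-To: Accounts <billing@acme-suppIies.example>
Authentication-Results: mx.example; spf=softfail; dkim=none; dmarc=fail
Subject: Updated remittance details

Please send this month's payment to account 987654321.
"""

def _domain(header_value):
    """Lowercase domain of an address header value; empty string if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from all Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            verdicts[m.group(1)] = m.group(2).lower()
    return verdicts

def check_payment_request(raw_message, vendor_name, requested_account):
    """Return the list of control failures for a request; [] means it passes."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    vendor = KNOWN_VENDORS.get(vendor_name.lower())
    if vendor is None:
        return ["vendor not in approved registry"]
    findings = []
    if requested_account != vendor["account"]:
        findings.append("requested account does not match vendor record")
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if from_dom != vendor["domain"]:
        findings.append("sender domain differs from vendor domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from From domain")
    if auth_results(msg).get("dmarc") != "pass":
        findings.append("DMARC did not pass")
    return findings
```

Any non-empty finding list would route the request to an out-of-band callback to the vendor's number on file rather than to the payment queue.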

Some companies believe that their employees will know the difference between legitimate and spoofed emails. While this might be true some of the time, even one mistake can be costly. What’s more, a company looking to save money in the short run by not integrating account verification and email validation tools may incur far greater costs in the long run. BEC attacks can be damaging, especially if they go undiscovered, allowing for recurring fraudulent payments.

Unless companies start taking proactive steps to stop BEC, the number of BEC-related attacks and losses will only continue to rise. That’s bad news for all businesses.
