If the Business Email Compromise (BEC) scam isn’t on the radar of every corporate finance executive, it certainly should be. The Federal Bureau of Investigation (FBI) recently issued a public service announcement warning that the BEC scam has now redirected $12 billion worldwide, much of that now having to be written off as a loss for corporates unable to recover the funds.
The problem is getting worse, according to the Association for Financial Professionals’ (AFP) latest Payments Fraud and Control Survey Report. The 2018 report, sponsored by JPMorgan, finds fraudsters are spinning their BEC webs even broader, targeting new channels of business transactions.
More than three quarters of companies became targets of payments fraud last year, yet another all-time high. While the continued strength of BEC scammers may not come as a surprise, the research finds that the scam no longer only reigns in targets with a request for wire transfer. Of the businesses that have been hit by a scam, 77 percent were the target of a BEC scam, the report said. While 54 percent of those scams involved wire transfers, more than a third targeted check payments.
According to the AFP, an attacker will target the payment rail that is most commonly used by the victim to pay suppliers, thus, limiting suspicions. This means that, though ACH payments have developed a reputation of greater security compared with checks, BEC scammers are also committing the scam to request fraudulent ACH transfers, too. Of respondents who said they were targeted by payments fraud last year, a combined 41 percent said the fraud involved ACH transactions, both debit and credit.
“We discovered counterfeit checks and ACH debit fraud on an account that did not have Positive Payee feature or ACH debit block because of the urgency to open account,” one survey respondent recalled.
Since the emergence of the BEC, the AFP noted that the scam has also “evolved” from fraudsters pretending to be a legitimate supplier or business partner to fraudsters infiltrating the actual email accounts of the professionals they’re attempting to impersonate. Furthermore, these fraudsters aren’t only requesting wire transfers or check payments; they’re also seeking Personally Identifiable Information (PII) or W-2 forms for employees.
Of course, BEC scams are far from the only payment fraud threats wreaking havoc on the enterprise. One survey respondent told the AFP that more than 100 commercial cards in the company’s card program “fell victim to a credit master attack.”
Payroll is another popular target for fraudsters. In another survey response, one executive said they discovered that “someone was issuing checks to individuals for work done over the internet. The checks were forged from one of our disbursement accounts.”
The AFP described the rise in payments fraud as “certainly unsettling.”
Nearly half of the businesses surveyed said any instance of fraud was discovered within a week, while more than a fifth said it took between one and two weeks. For the vast majority of firms, the cost of fraud costs only half of a percent of total revenue.
Fraud tactics continue to evolve to more sophisticated levels. However, the AFP found an increase in the percentage of executives reporting they have implemented strategies to combat fraud, including 77 percent who said they have introduced controls specifically to combat BEC scams.
“Organizations are now using measures, such as positive pay, to a much larger extent than before, after its use declined in 2016,” the AFP noted. “Organizations are also installing new internal controls to protect against BEC scams. This is a positive trend, but it is important that organizations remain vigilant in protecting themselves against fraud. Companies need to keep looking ‘outside the box.'”