Study Sees BEC Scams Gaining Ground

New year, and perhaps new fears for executives as fraudsters look to siphon off payrolls of unsuspecting firms via email scams, according to research from Agari. Other studies show that expense audits are only done sporadically, with the implication that much fraud goes unnoticed.

New year, new reason to fear fraud — especially through digital means? A pair of studies have shown that companies are increasingly being targeted through methods both sophisticated and decidedly mundane.

As reported late this week in Dark Reading, and as estimated by security research firm Agari, efforts are “ramping up” wherein criminals look to “divert payrolls” of senior executives. The funds are being siphoned off in attacks that mislead human resource (HR) professionals. Businesses are unwittingly sending the compensation, intended for those executives, to fraudulent accounts.

Agari said the payroll diversion scams are on the rise, and are gaining traction as a result of social engineering. “Unlike traditional [business email compromise (BEC)] attacks, which are starting to raise red flags with financial institutions, payroll diversion attacks eliminate the interaction with banks because it is a direct deposit instead of a wire transfer,” said Crane Hassold, senior director of threat research at the firm.

The mechanics of the fraud work this way: The criminal establishes an email account ostensibly in the name of the chief executive officer of the firm under attack. Posing as that executive, the would-be fraudster emails HR asking to have the executive’s direct deposit account information changed, and the funds ultimately wind up in the scammer’s account.
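A defender-side triage check for the pattern just described, written as an added example rather than anything from the article or from Agari: it looks at mail arriving in an HR mailbox and raises indicators when a direct-deposit change request comes from a sender whose display name matches an executive but whose address is not that executive’s, whose domain is outside the company, or whose Reply-To differs from the From address. The corporate domain, the executive directory, the keyword list and the sample messages are all constructed for this illustration.

```python
"""Heuristic triage for payroll-diversion requests sent to HR.

Added example, not code from the article or from Agari. The domain,
executive directory, phrase list and sample messages below are constructed.
"""
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"            # assumption: the firm's own mail domain
EXECUTIVES = {                               # assumption: constructed directory
    "Jane Doe": "jane.doe@example.com",
}
# Phrases that typically appear in a direct-deposit change request (constructed list)
PAYROLL_PATTERNS = [
    r"direct deposit",
    r"\b(update|change)\b.*\b(bank|account|routing)\b",
    r"\bpayroll\b",
]


def normalize(name: str) -> str:
    """Collapse a display name to lowercase letters so 'Jane  Doe' == 'jane doe'."""
    return re.sub(r"[^a-z]", "", name.lower())


def payroll_indicators(msg: dict) -> list[str]:
    """Return the indicators found in one message.

    msg keys: from_header, subject, body, optional reply_to.
    The first indicator is always the payroll ask itself; any further
    indicators describe why the sender does not look like the executive.
    """
    reasons = []
    display, addr = parseaddr(msg["from_header"])
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}".lower()

    if not any(re.search(p, text) for p in PAYROLL_PATTERNS):
        return reasons  # nothing payroll-related; not this check's concern
    reasons.append("asks to change direct-deposit or bank details")

    # Display name matches an executive, but the address is not the executive's
    for exec_name, exec_addr in EXECUTIVES.items():
        if normalize(display) == normalize(exec_name) and addr != exec_addr:
            reasons.append(f"display name '{display}' matches an executive but sender is {addr}")
    if domain and domain != CORPORATE_DOMAIN:
        reasons.append(f"sender domain {domain} is outside {CORPORATE_DOMAIN}")
    reply_to = msg.get("reply_to")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if rt_addr.lower() != addr:
            reasons.append(f"Reply-To {rt_addr} differs from From {addr}")
    return reasons


def is_suspicious(msg: dict) -> bool:
    """True when a payroll change is requested AND the sender looks wrong."""
    return len(payroll_indicators(msg)) > 1


SAMPLES = {  # constructed messages, not real correspondence
    "lookalike": {
        "from_header": "Jane Doe <jane.doe@examp1e.com>",
        "subject": "Direct deposit update",
        "body": "Please update my direct deposit to my new bank account before Friday payroll.",
    },
    "genuine_request": {
        "from_header": "Jane Doe <jane.doe@example.com>",
        "subject": "Direct deposit update",
        "body": "Please update my direct deposit; I will bring the form to your office.",
    },
    "unrelated": {
        "from_header": "Jane Doe <jane.doe@example.com>",
        "subject": "Board deck",
        "body": "Attached is the deck for Thursday.",
    },
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, is_suspicious(sample), payroll_indicators(sample))
```

The genuine request still returns one indicator (the payroll ask), which is deliberate: a bank-detail change from the real executive address is not flagged as impersonation, but the presence of any payroll ask is the cue for HR to confirm the change through a channel other than email.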

Agari told the site that the payroll diversion scam has gained favor among scam artists because it gives fraudsters better control over the scam itself, as there is no need for outside vendors. They may also see a higher “monetary payoff,” Hassold stated. The scams can also be scaled to attack several companies at once.

The payroll diversion scam is taking shape as firms become more alert about BEC scams. Different permutations of BEC continue to pop up, according to the site — where, for example, there have been attempts through the last several weeks to induce gift card purchases, requested by fraudsters posing as CEOs.

In the meantime, as has been previously reported, the FBI estimated that the global loss from BEC — spanning October 2013 to May 2018 — has hit 150 countries and caused firms to lose as much as $12 billion. As Hassold said, “If even 1 percent of 1,000 attacks is successful, it could generate hundreds of thousands of dollars” in monies stolen.

Separately, AppZen debuted a report titled “The State of AI in Business Spend.” Among the findings in that report: Only 10 percent of employee expenses — the ones being sent along in expense reports — are being audited.

As noted by WebProNews, the low audit rate means it is unlikely that enterprises are uncovering mistakes made in those reports, and they may be missing fraud tied to that expense reporting.

What did AppZen find among the fraudulent reporting as it parsed data from hundreds of companies? There were expenses traced to strip clubs, gambling and even tattoos.

The firm said companies that leverage artificial intelligence (AI) when it comes to their expenses are able to audit 100 percent of expenses within a short period of time. In addition, such audits often find duplicate expense reporting — where an employee is paid several times for the same expense, as they are submitted on separate occasions for different amounts and with different descriptors. AI can trace locations given by employees, such as restaurants for meals, to gambling venues or strip clubs.
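The two audit checks described above, duplicate detection across separately submitted reports and tracing a claimed venue to a flagged category, carried out as an added example that is not AppZen’s code or method. It matches expenses by employee, merchant and transaction date rather than by amount, since the article notes that duplicates are resubmitted with different amounts and descriptions, and it applies a small relative amount tolerance to limit noise. The expense records, the date window, the tolerance and the keyword-to-category table are all constructed assumptions.

```python
"""Duplicate-expense and venue-category checks over expense line items.

Added example, not AppZen's code. Records, window, tolerance and the
category keyword table are constructed for illustration.
"""
import re
from datetime import date
from itertools import combinations

# Constructed line items: the same dinner claimed twice by u100 on two
# separate reports with a different amount and description (E1, E2); a
# venue whose name points at gambling (E3); and a different employee's
# unrelated dinner at the same restaurant (E4).
EXPENSES = [
    {"id": "E1", "employee": "u100", "report": "R-1", "date": "2019-01-08",
     "merchant": "Harbor Grill", "amount": 84.50, "desc": "client dinner"},
    {"id": "E2", "employee": "u100", "report": "R-2", "date": "2019-01-08",
     "merchant": "HARBOR GRILL #12", "amount": 86.00, "desc": "team meal"},
    {"id": "E3", "employee": "u100", "report": "R-2", "date": "2019-01-09",
     "merchant": "Lucky 7 Casino Buffet", "amount": 40.00, "desc": "lunch"},
    {"id": "E4", "employee": "u200", "report": "R-3", "date": "2019-01-08",
     "merchant": "Harbor Grill", "amount": 84.50, "desc": "client dinner"},
]

# Assumption: keywords that map a merchant name to a policy-flagged category
FLAGGED_VENUE_TERMS = {
    "gambling": ["casino", "betting", "slots"],
    "adult entertainment": ["gentlemen's club", "strip club"],
    "tattoo": ["tattoo", "ink studio"],
}


def normalize_merchant(name: str) -> str:
    """Lowercase, drop store numbers and punctuation so 'HARBOR GRILL #12' == 'harbor grill'."""
    name = re.sub(r"#\s*\d+", "", name.lower())
    return re.sub(r"[^a-z ]", "", name).strip()


def find_duplicate_candidates(expenses, day_window=1, amount_tolerance=0.10):
    """Return sorted (id, id) pairs that look like one charge claimed twice.

    A pair qualifies when the same employee claims the same normalized
    merchant within day_window days on two different reports, and the
    amounts differ by at most amount_tolerance of the larger one.
    """
    pairs = []
    for a, b in combinations(expenses, 2):
        if a["employee"] != b["employee"] or a["report"] == b["report"]:
            continue
        if normalize_merchant(a["merchant"]) != normalize_merchant(b["merchant"]):
            continue
        days_apart = abs((date.fromisoformat(a["date"]) - date.fromisoformat(b["date"])).days)
        if days_apart > day_window:
            continue
        larger = max(a["amount"], b["amount"])
        if abs(a["amount"] - b["amount"]) > amount_tolerance * larger:
            continue
        pairs.append(tuple(sorted((a["id"], b["id"]))))
    return sorted(pairs)


def flag_venue_category(expenses):
    """Map expense id -> flagged category when the merchant name matches a term."""
    flagged = {}
    for e in expenses:
        merchant = e["merchant"].lower()
        for category, terms in FLAGGED_VENUE_TERMS.items():
            if any(term in merchant for term in terms):
                flagged[e["id"]] = category
                break
    return flagged


if __name__ == "__main__":
    print("duplicate candidates:", find_duplicate_candidates(EXPENSES))
    print("flagged venues:", flag_venue_category(EXPENSES))
```

Both functions return candidates for an auditor rather than verdicts; a second meal at the same restaurant on consecutive days can be legitimate, which is why the output is a review queue rather than an automatic rejection.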