by Avi Gesser, Clara Y. Kim, and Thomas Harris-Warrick (The Crypsis Group)
We first wrote about Business Email Compromise (“BEC”) scams in 2015. Over the last four years, these attacks have continued unabated. According to the FBI (PDF), in the last year alone there were over 20,000 reported BEC scams, with adjusted losses of over $1.2 billion. One reason this threat persists is that cybercriminals have used increasingly sophisticated methods to trick companies into wiring money to them instead of to the legitimate payee.
Indeed, in a twist on traditional BEC scams, a fraudster recently used AI-based voice-synthesis software to mimic the voice of a CEO on the phone, successfully tricking another executive into sending money to a supplier. The synthesized voice was convincing enough to reproduce the CEO’s slight German accent, so the executive believed he recognized his CEO on the line. With the rise of AI and deepfakes, BEC scams may become harder to detect, so it is worth revisiting the measures companies should consider employing to reduce those risks.
Traditional BEC Scams
BEC scams generally refer to email, voicemail, or live phone call scams that are designed to convince company employees who are responsible for executing financial transactions to wire funds to accounts that are controlled by the perpetrators of the scam.
Two common forms of BEC scams are as follows:
- The Business Executive Scheme: The email account of a high-level executive within a company (usually the CEO or CFO) is either spoofed or compromised. A fake email is then sent by the perpetrators of the scam to the company’s controller (or other employee who normally handles wire transfers for the company). That email, which appears to come from the executive’s email account, asks the controller to wire a significant amount of money to a bank account. Usually, the fraudulent email asks that the wire be executed on an urgent basis to facilitate a transaction, and that the request be kept strictly confidential because the transaction is not yet public.
- Bogus Invoice Scheme: The email account of a supplier with which the company has a long-standing relationship is spoofed or hacked, and is then used to make fraudulent payment requests.
Other BEC scams involve fake calls or emails from senior executives changing their bank accounts for the direct deposit of their compensation. But not all BEC scams involve the wiring of money. Another common BEC scam involves fraudsters pretending to be senior executives asking for the purchase of gift cards, usually under the guise of needing them as gifts for clients. HR personnel at companies may also be targeted, with fraudsters asking for personal information of employees, such as tax forms, to use in future attacks.
Increasingly, successful BEC scams involve the perpetrators doing research on the target business and its personnel, either by hacking the organization’s email system or by exploring all available public sources about the business and the employees who are relevant to the intended scam.
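Both schemes above rely on mail that looks like it comes from a trusted executive or supplier. The following is an added example, not part of the original post, showing the kind of inbound-mail check a finance or security team can run to surface the usual spoofing indicators: an executive’s display name paired with an unfamiliar address, a Reply-To that redirects replies elsewhere, a sender domain that is a near-miss of the company’s own or a known supplier’s domain, and the urgency, secrecy and payment-change language these messages lean on. The executive directory, supplier list and the three sample messages are all constructed for this illustration.

```python
"""Flag common Business Email Compromise indicators in inbound mail.

Added illustration for this post. The directory, supplier list and sample
messages below are constructed; swap in your own data before use.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed internal data: the company's real domain, the executives whose
# names BEC actors like to borrow, and domains of long-standing suppliers.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "rick roe": "rick.roe@example.com"}
KNOWN_SUPPLIER_DOMAINS = {"acme-widgets.com"}

PRESSURE_WORDS = re.compile(r"\b(urgent|immediately|confidential|wire|gift cards?)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(updated?|new|changed?)\b[^.\n]{0,40}\b(bank|account|wiring|remit)", re.I)

# Characters attackers substitute to make a lookalike domain read like the real one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain):
    """Collapse common homoglyph tricks (rn for m, vv for w, digits for letters)."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance_le1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    if len(a) < len(b):
        return a[i:] == b[i + 1:]
    return a[i + 1:] == b[i:]


def lookalike_of(domain, known_domains):
    """Return the known domain that `domain` imitates, or None if it is not a near-miss."""
    for known in known_domains:
        if domain != known and (normalise(domain) == normalise(known) or edit_distance_le1(domain, known)):
            return known
    return None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. Display name of a known executive, but not that executive's real address.
    real_addr = EXECUTIVES.get(display.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append(f"display name impersonates {display} but address is {addr}")

    # 2. Reply-To steers the conversation to a domain other than the visible sender's.
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {from_domain}")

    # 3. Sender domain is a lookalike of the company or of a known supplier.
    target = lookalike_of(from_domain, KNOWN_SUPPLIER_DOMAINS | {COMPANY_DOMAIN})
    if target:
        findings.append(f"sender domain {from_domain} is a lookalike of {target}")

    # 4. Urgency/secrecy language and requests to change where money goes.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    hits = sorted({m.lower() for m in PRESSURE_WORDS.findall(text)})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    if PAYMENT_CHANGE.search(text):
        findings.append("requests a change of payment details")
    return findings


# Constructed sample messages: an executive scheme, a bogus-invoice scheme, legitimate mail.
EXEC_SCAM = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.example.net
To: controller@example.com
Subject: Urgent wire - confidential

Need a wire to close an acquisition today. Keep this confidential.
"""

INVOICE_SCAM = """From: Accounts <billing@acrne-widgets.com>
To: ap@example.com
Subject: Updated banking details for invoice 4471

Please update our remit-to account before paying the attached invoice.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board deck

Attached is the draft deck for Thursday.
"""

if __name__ == "__main__":
    for name, sample in [("exec scheme", EXEC_SCAM), ("bogus invoice", INVOICE_SCAM), ("legitimate", LEGIT)]:
        print(name, bec_indicators(sample) or ["no indicators"])
```

The constructed executive-scheme message trips all five checks; the bogus-invoice message trips the lookalike-domain and payment-change checks; the legitimate note trips none. Heuristics like these only catch the spoofing branch of the schemes above: when a real executive or supplier mailbox has been compromised, every header is genuine and the message sails through, which is exactly why the out-of-band verification discussed in the next section is still needed.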
How to Avoid BEC Scams
The traditional advice on how to avoid BEC scams involves implementing a policy requiring a verifying phone call or in-person contact with the company officer who is purportedly making the wire transfer request before anyone can execute a significant financial transaction or a change in wiring instructions.
With the rise of deepfakes that can mimic the voice of senior executives, recognizing a voice is no longer sufficient verification. Policies must also require that the voice verification come from a phone number that can be independently associated with the person providing it. Recognizing that caller ID can also be spoofed, some companies no longer accept an inbound call as verification. Instead, they require that the verifying employee initiate (rather than receive) a call to a number already on file, such as the senior executive’s desk or known cell phone number, and never to a number supplied in the request itself. In addition, companies that rely heavily on voice authentication may consider instituting a verbal keyword, never relayed through email or any other channel on which the request could arrive, that must be provided to confirm that the authorizing person is who they claim to be.
Training for employees who make wire transfers should cover BEC scams as well as the possibility of deepfake audio. Employees should be trained to pause before wiring large sums of money to new accounts, even if—and perhaps especially if—the directions are coming on an urgent basis from a senior executive.
Having an established law enforcement contact can also help by allowing companies to respond to fraudulent transfers more quickly once they are discovered. Companies should also determine whether insurance would provide coverage for BEC scams, and if not, whether obtaining coverage should be considered.
Finally, companies should monitor www.ic3.gov for updates on new variations of the BEC scam and other internet crimes, and educate company leadership and employees on recommended best practices.
Of course, each company must implement cybersecurity measures that are appropriate for its own risks, and what is reasonable will depend on factors like the size of the company, the kind of data it has, and the threats it faces. The Davis Polk Cyber Portal is available for clients to meet their evolving cybersecurity and privacy obligations, and we will continue to monitor the evolving threat of BEC scams closely here at the Davis Polk Cyber Blog.
Avi Gesser is a partner and Clara Y. Kim is an associate at Davis Polk & Wardwell LLP. Thomas Harris-Warrick is a Principal Consultant at The Crypsis Group.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.