Identity Verification – Key to Eliminate BEC Fraud
Fraud prevention and cybersecurity are the major concerns of the companies in the digital era. Norton predicted that cybercriminals will steal an estimated 33 billion records in 2023. And misuse of such information is a common practice. Fraud comes unannounced so the businesses need to adopt a proactive approach towards such events. Fraud prevention is a continuous process. For example, if you perform KYC and AML screening before onboarding your customers and do not practice it at the time of every transaction you are leaving a loophole for a Business Email Compromise (BEC) fraud.
BEC fraud, also called CEO fraud is very common because most of the communication is online. The criminals do a lot of research before targeting an entity for BEC fraud. In this fraud, the criminals will send an email or make a call for urgent fund transfer to a company impersonating as one of their customers or merchants
BEC fraud is executed in a very friendly way. The criminals either manipulate the person with a friendly chat or by showing urgency in fulfillment of their fund transfer request.
For example, 50 years old Evaldas Rimasauskas tricked Google and Facebook to wire more than $100 million to his bank accounts.
The man researched a merchant of Facebook and Google namely, “Quanta Computer” and registered a firm with a similar name. Then he sent fake invoices and contracts to make the fraud appear more natural.
He tricked the employees of both companies into wiring money to his bank accounts in Latvia and Cyprus. Then he transferred the funds to his bank accounts in Hong Kong, Hungary, Cyprus, Slovakia, Latvia, and Lithuania to hide the money trail.
How is a BEC Fraud Executed?
A BEC fraud starts with a lot of research about entities (businesses that could be the soft targets for the fraud. The criminals collect information related to the merchants or customers of the company that has their payments pending. Once they have the information the criminals will make an email ID quite similar to that of your client’s email ID and contacts one of your employees. At times the criminals use the legitimate email ID of your customers because one of your customers might have been careless about securing their email credentials.
This fraud could also be executed the other way round. The criminals might use your email credentials to contact your merchants and clients for fund transfer of pending payments. Your clients will make the payments and you will have to bear a financial loss if your legit email credentials are used for the execution of the fraud.
The contact is mostly conducted through a casual email like asking about your last vacation or your health. Once they break the ice, they will send a friendly email regarding the change of their account details or for an urgent fund transfer.
Not suspecting anything suspicious the employees often fulfill the request, quickly due to the urgency created by the criminal.
Often the criminals send fake invoices as well with the official header or logo of one of your clients. Or they make calls impersonating as the CEO of your client company to make things look more natural.
Also, in most of the email compromise frauds, the criminals ask for a wire transfer and leverage over the confidence that companies have in security protocols practiced in wire transfer fraud.
Industries That Are Common Victims of BEC Fraud
Banks are the most common targets of BEC fraud as they are the financial intermediaries and serve a diverse clientele. Banks around the globe are struggling to retain their customers after the advent of fintech and are always in contact with their clients. Receiving wire transfer requests from customers is common for banks. When they receive any such email for urgent transfer from a credible client the employee often tries to fulfill the request at the earliest to retain happy customers.
Real estate is also a common victim. The criminals collect information regarding some ongoing real estate deals and contact the buyer as the legal representative of the seller and request a fast payment or clearance of dues.
As the deal is in the closing phase the buyer does not suspect anything suspicious and makes the transaction.
In this case, the criminals target the companies in a B2B relationship. The email ID of the CEO or legal representative of one of the companies is exploited in such cases. The criminals collect complete information regarding the previous email communication among the two companies and use it to send an email with a natural casual tone.
How to Prevent BEC Fraud?
BEC fraud has caused huge losses to many businesses of all sizes and types, even the non-profit organizations have been the victims of this fraud. FBI’s Internet Crime Report (ICR) found that BEC fraud losses rose by 90.3% in 2018 and fraud complaints rose by 14.3%.
Businesses of all types and sizes need to pay heed towards the prevention of BEC fraud. It not only cause financial loss but also affects the credibility of a company. Below are a few suggestions for preventing BEC fraud.
Identity verification of every request of wire transfer
Most of the businesses use online communication, but do not understand the significant risk lurking in the cyberspaces. Businesses need to develop and practice in-house fraud prevention measures to counter any BEC fraud attempt.
Businesses should use verification methods to screen every such request. Ask the email sender to go through a real-time identity verification process every time a customer makes such a request. The verification could be performed through face recognition or 2-factor authentication.
Online identity verification is a feasible solution as it shows quick results and does not cause any inconvenience for the end-user. Also, the visible security measures will show your commitment to the security of your merchants or customers.
Train your employees
Employees of companies are the common victims of BEC frauds. The criminals choose a soft target that is easy to manipulate for wire transfer fraud or a phishing scam.
So, the employees must be trained on a regular basis, regarding the latest trends in cybersecurity and the types of cybercrimes. This will help them to identify suspicious emails and fake fund transfer requests.
The training could be based on the following pointers:
- Do not open any emails that are way too attractive, it might be a phishing email.
- Beware of urgent payment requests from your merchants.
- Tackling the account credential change request from your customers/merchants
- Very casual and friendly email from your merchants
- Train them about the technical aspects of fraud prevention software used in your company
Report the concerned authorities
As soon as you find a BEC fraud, report it to the concerned authorities. It will protect the company from such attacks in the future. Also, it is the corporate and legal responsibility of the businesses to report such fraud attempts for the benefit of the masses.
Using email security filters help in analyzing and detecting any threats in the email messages. Also using the filters for detecting the newly registered domain names similar to your domain name helps in finding the potential risk before it could cause any harm.
Such filters help in identifying and stopping spoofing emails from reaching the mailbox of the employees.
To wrap up, BEC fraud is a planned crime and businesses need to be proactive to eliminate such frauds. Caution in sharing contact information and basic identity verification of the person making such fund transfer requests is necessary to eliminate the chances of becoming a victim of BEC fraud. In-depth verification of clients and merchants before making transactions helps in eliminating the risk at the very first stage. These minimal and easy steps might prevent a huge loss for your company.