CEO fraud or business email compromise (BEC)

Don't let attackers add you to a growing list of victims.

Billions defrauded by organized crime

Business e-mail compromise (BEC) is a sophisticated type of wire fraud that can take a variety of forms. In one variant, called CEO fraud, organized crime groups impersonate an official or executive of an organization with the intent of deceiving employees in financial positions to initiate an urgent wire transfer of funds. By searching for public information on the organizational structure of their intended victim, using social engineering, and penetrating the internal IT network of their target, they gather information on employee relationships and identify security procedures. Seeking specific opportunities, such as a business trip by the CEO, they spoof email accounts enabling them to pass themselves off as the traveling CEO, requesting an urgent wire transfer to finalize a deal with a new supplier. The relatively high rate of success coupled with the low risks (to the perpetrator) associated with this type of fraud has led to an explosive growth in organized criminal groups trying their hand at pulling off this type of scam.

the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion.

IC3, the FBI’s Internet Crime Complaint Center 1

Can you be a target?

The criminal groups who employ deceptive fraud transfer scams target large and small organizations all over the world. Non-profits, well-known corporations, public organizations, and local businesses are all potential targets. As the list below demonstrates, even multinational corporations with dedicated security teams have been victimized, since this type of fraud does not rely on finding a technical breach to enable attackers to initiate fraudulent wire transfers themselves. The fraud is based on deceiving people from within the victimized organization to initiate the transfer, believing it to be a legitimate request.

Corporate victims of business e-mail compromise (BEC) fraud

Company              Amount defrauded
Facebook and Google  over $100 million
Ubiquiti             $46.7 million
Scoular              $17.2 million
KPMG                 €7.6 million
Mattel               $3 million

Small businesses are affected too
Smaller companies face the same threat. In fact, some smaller businesses would not survive if they were to fall victim to this scam. Believing that ‘It won’t happen to us’ is unwise, no matter the size of your organization. A large corporation has the resources to bring in specialized firms to perform security reviews and forensic audits, write off the loss, then turn around and file a claim with its insurer. Unfortunately, by the time a small business figures out it was the victim of a deceptive fraud transfer scam, it may be too late. The funds it lost will probably never be recovered, putting the small business in a very difficult financial position within a short span of time.

the average loss per scam is between $25,000 and $75,000.

IC3, the FBI’s Internet Crime Complaint Center 2

The criminal groups behind these scams

The criminal groups that engage in business e-mail compromise scams can be extremely sophisticated. These transnational criminal groups can employ lawyers, linguists, hackers, and social engineers. Some even have accomplices inside financial institutions to help them quickly transfer out the proceeds before they are frozen and returned to the victims. They employ various methods to launder the proceeds, ensuring the funds will be difficult to recover. They are continually honing their techniques to exploit unsuspecting victims, while staying one step ahead of the authorities.

Technology used to deceive victims
Business e-mail compromise scams can take a variety of forms. In just about every case, the scammers target employees with access to company finances. In its common forms, such as CEO fraud, the techniques used to pull off the deception often include online ploys such as spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware. In some cases, the criminals will use malware to monitor communications and intercept warnings or messages from the victim’s commercial partners or financial institutions immediately after the fraudulent wire transfer is initiated. This gives the criminals enough time to transfer out the proceeds of the crime and begin the process of laundering their gains, leaving little chance to recover the funds.

General steps to avoid being a victim

As sophisticated as CEO fraud is, there is an easy solution to thwart it: face-to-face or voice-to-voice communications.

The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.

Martin Licciardo, special agent, FBI Washington Field Office 1

Speaking to the person requesting the wire transfer and verifying their identity should always be a priority. Asking employees not to rely on phone numbers presented in the e-mail containing the request is also good practice, since the scammer controls those numbers. The employee who receives an urgent request should seek assistance from coworkers to verify it is legitimate. The more people look into exceptional requests, the higher the probability a scam can be uncovered before it is too late. Systems and procedures can be adapted to help employees identify high-risk situations and enable them to spot any unusual request. Combining employee awareness with technology to flag suspicious activity will go a long way towards protecting an organization against fraud.

As is the case with other types of malicious attacks, multiple layers of security are recommended as part of an effective fraud-prevention program:

  • Identify risk — Identify high-risk employees
  • Define security and privacy policies — Define financial security objectives
  • Customize security training and awareness programs — Train employees to be aware of red flags
  • Keep information systems current and up to date — Reduce vulnerabilities that expose employees to scams
  • Install preventive controls — Detect and prevent scams
  • Maintain comprehensive logs and audit trails — Log all suspicious activity
  • Evaluate cyber liability insurance — Protection against losses due to fraud

The key is to train staff to recognize suspicious emails and other communications, and to provide them with clear procedures when dealing with funds transfers in particular.
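As an added example (not from the original page) of the "technology to flag suspicious activity" mentioned above and the "preventive controls" item in the list, the following Python script triages inbound mail for the classic CEO-fraud red flags: an executive's display name on an address that is not on file, a look-alike sender domain, a Reply-To that steers replies elsewhere, and wire or urgency language. ORG_DOMAIN, EXECUTIVES and the sample message are constructed placeholders.

```python
import email.utils
import re

ORG_DOMAIN = "example.com"                          # assumed organization domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed executive directory
WIRE_WORDS = re.compile(r"\b(wire|transfer|urgent|payment|invoice|confidential)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:  # Levenshtein, for look-alike domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC red flags found in one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    flags = []
    # 1. An executive's display name on an address that is not the one on file.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        flags.append("exec-display-name-mismatch")
    # 2. Sender domain is a near miss of our own domain (e.g. one character off).
    if from_dom != ORG_DOMAIN and 0 < _edit_distance(from_dom, ORG_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # 3. Replies are steered to a different domain than the apparent sender.
    _, reply = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        flags.append("reply-to-mismatch")
    # 4. Payment or urgency language in subject or body.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if WIRE_WORDS.search(msg.get("Subject", "") + " " + body):
        flags.append("wire-language")
    return flags

# Constructed sample: a spoofed "CEO" on a look-alike domain asking for a wire.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.office@mail-relay.test
To: accounts@example.com
Subject: Urgent wire transfer - confidential

I am travelling and need the payment to the new supplier sent today.
"""
```

`bec_indicators(SAMPLE)` returns all four flags, while a message from the real jane.doe@example.com with no Reply-To and no payment language returns an empty list. Heuristics like these only queue a message for review; the voice or face-to-face verification described above remains the control that actually stops the transfer.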

If you or your company have been victimized by a business e-mail compromise scam, it’s important to act quickly. Contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent. Next, call the proper local authorities, and file a complaint.

If you’d like more information on how to protect your organization against fraud, get in touch.

1: IC3: Cyber-Enabled Financial Fraud on the Rise Globally.

2: FBI: FBI Warns of Dramatic Increase in Business E-Mail Scams Globally.