Business email compromise (BEC) scams have become a top concern for organizations engaged in B2B transactions, as they target financial assets and sensitive information. According to the 2023 AFP Payments Fraud and Control report, 71% of organizations were targets of such scams in 2022.
In a recent PaymentsJournal podcast, Elly Aiala, Chief Compliance Officer at Boost Payment Solutions, and Albert Bodine, Director of Commercial and Enterprise Payments at Javelin Strategy & Research, delved into the intricate web of BEC scams, their evolving techniques, and the urgent need for proactive measures to safeguard the integrity of B2B operations.
B2B Companies Face Security Threats
In business email compromise fraud, cybercriminals send highly targeted and convincing emails to individuals within an organization as part of phishing attacks, often posing as trusted colleagues or partners. The emails may reference recent company events, projects, or even internal jargon, making them appear genuine.
B2B payments firms are prime targets for BEC scams because of their involvement in financial transactions. The improved sophistication of AI-generated content makes it easier for fraudsters to craft convincing emails with payment requests, invoices, or fund transfer instructions that appear legitimate. B2B payments firms may unwittingly process these fraudulent transactions, leading to significant financial losses.
“From my research, I expect an ongoing increase in B2B payments fraud over the next few years,” Bodine said. “I’ve noticed significant spikes in areas like occupational fraud, particularly related to business email compromise. Everybody really needs to be on high alert about those AI tools that are out there right now.”
Dealing with the aftermath of a successful BEC scam can also cause significant operational disruption for B2B payments firms. Funds may need to be recovered, investigations conducted, and security protocols enhanced. This can divert resources and time away from core business activities.
BEC Scams Shoot for Larger Businesses
According to the AFP report, larger organizations were more affected by BEC fraud, with 82% of them reporting incidents, compared with 62% of smaller organizations.
“My theory is that bad actors have pivoted to focus their efforts on larger organizations with more funds to potentially exploit as the risk-to-return ratio is better for them,” Aiala said. “In addition, the larger the organization, the greater the potential to find process deficiencies to capitalize on.”
Another risk factor is that employees at large companies may feel disconnected from the company mission, leading to complacency and a neglect of detail when it comes to security protocols.
“If the operators of these business-as-usual activities become desensitized to their daily processes and complacent in what they’re doing, a potential bad actor may have more success infiltrating that desensitization than at a smaller company where those employees may feel a greater impact or direct impact of their daily activities,” Aiala said.
“We cannot completely categorize or generalize here. Some large firms have the most sophisticated internally transparent processes, particularly when compared to say a smaller mom-and-pop shop.”
In smaller companies, employees often have a broader understanding of their tasks and responsibilities, as they are involved in various aspects of the business process from start to finish. This end-to-end visibility allows them to recognize when something doesn’t seem right, even in seemingly routine situations like receiving an email from a vendor that requests changes to account information.
On the other hand, in larger organizations, employees tend to have more specialized roles and may be focused on handling large volumes of specific tasks. This leads to a narrower perspective, where employees might not have the same holistic view of the entire process. Consequently, they may be less likely to notice anomalies or potential security threats, such as a seemingly harmless email that could be a phishing attempt.
“One thing we all need to keep in mind is that strata layers and complexity work to the benefit of bad actors,” Bodine said. “Very often, at the largest organizations in the world, the pot of gold is much bigger. So naturally, that’s where the bad actors want to go.”
BEC Fraud’s Growing Prominence
One common form of BEC fraud is email spoofing, with 73% of organizations having experienced it, according to the AFP report. Aiala offered a hypothetical scenario.
“Your point of contact at ABC company may be Greg at ABCcompany.com,” Aiala said. “A bad actor could send you a request that’s been copied from the ABC Company standard communication, but the email comes from Greg at ABCompany.com, missing a ‘C.’ The difference is slight and requires great attention to detail from your employees.
“Organizations can buy lookalike email addresses to prevent those bad actors from doing it before them. It’s not a perfect control, but it’s one that can boost your security and anti-fraud efforts.”
Domain spoofing is another popular tactic, used to divert web traffic and deliver malware downloads. Organizations can combat this in a similar way, by registering lookalike domains themselves.
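Registering lookalike domains defensively only covers the variants you think of in advance, so a complementary control is to flag inbound sender domains that are near-misses of vendors you actually do business with. The following is an added example, not code from the article or from Boost Payment Solutions or Javelin, showing that check as an accounts-payable team or mail gateway might run it. The trusted-vendor list, the confusable-character table and the sample messages are constructed for illustration; the "missing C" case from Aiala's scenario is one of them.

```python
"""Flag inbound sender domains that are near-misses of trusted vendor domains.

Added example (not from the PaymentsJournal article). All domains, the
confusable table and the sample messages below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed allow-list: vendor domains the AP team actually pays.
TRUSTED_DOMAINS: Set[str] = {"abccompany.com", "acmesupply.com"}

# Character swaps that make a lookalike read like the real thing.
# Assumption: a small illustrative table; extend it for your own threat model.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case and unfold confusable substitutions before comparing."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES.items():
        d = d.replace(lookalike, real)
    return d


@dataclass
class Verdict:
    sender_domain: str
    status: str               # "trusted", "lookalike" or "unknown"
    matched: Optional[str]    # trusted domain it resembles, if any
    distance: int             # edit distance to that domain (0 for exact)


def classify_sender(address: str,
                    trusted: Set[str] = TRUSTED_DOMAINS,
                    max_distance: int = 2) -> Verdict:
    """Exact allow-list hit is trusted; a near-miss within max_distance is a
    lookalike worth a phone call to the vendor; anything else is unknown."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in trusted:
        return Verdict(domain, "trusted", domain, 0)
    norm = normalize(domain)
    best, best_dist = None, max_distance + 1
    for t in trusted:
        dist = levenshtein(norm, normalize(t))
        if dist < best_dist:
            best, best_dist = t, dist
    if best is not None and best_dist <= max_distance:
        return Verdict(domain, "lookalike", best, best_dist)
    return Verdict(domain, "unknown", None, -1)


def flag_inbox(messages: Iterable[Tuple[str, str]]) -> List[Tuple[str, Verdict]]:
    """Return (subject, verdict) for every message not from an exact trusted domain."""
    flagged = []
    for sender, subject in messages:
        v = classify_sender(sender)
        if v.status != "trusted":
            flagged.append((subject, v))
    return flagged


# Constructed sample "From" addresses, including the missing-C case.
SAMPLE_MESSAGES = [
    ("greg@ABCcompany.com", "Updated remittance details"),
    ("greg@ABCompany.com", "Updated remittance details"),
    ("ap@abccornpany.com", "Invoice 4471 - new bank account"),
    ("billing@acme-supply.com", "Q3 statement"),
    ("news@example.org", "Weekly digest"),
]

if __name__ == "__main__":
    for subject, v in flag_inbox(SAMPLE_MESSAGES):
        print(f"{v.status:9s} {v.sender_domain:24s} ~ {v.matched}  [{subject}]")
```

The threshold of two edits is deliberately loose for long vendor names and will produce false positives for very short domains; in practice the "lookalike" verdict should route the message to a human who confirms any payment-detail change through a known phone number, not block it outright.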
Another method involves compromising an actual email account within a company and using it to send fake payment instructions to potential victims. What makes this scam particularly tricky is that the emails appear genuine because they come from a legitimate corporate email account, making it challenging for recipients to identify the fraud.
Bad actors often swoop in when employees have their guards down. This could happen when an employee is away on vacation or even too busy to notice something off, such as preparing to launch a new product. Times of global distress, such as a natural disaster, are also opportune for fraudsters.
“A region experiencing extreme weather may opt for a rescue fund via the Red Cross,” Aiala said. “Bad actors could identify this as an opportunity, create a spoofed website that mimics Red Cross’s donation page, and pocket the money that comes in.”
Preventive Measures
Aside from buying lookalike email addresses and domain names, companies can take other core steps to prevent BEC fraud. Among them:
- Enable two-factor authentication: Ensure that both your corporate and personal accounts have it enabled. Regularly check to confirm that employees still have it activated on their accounts, as it might have been turned off for various reasons.
- Employee training in scanning emails: Train employees to scrutinize sender email addresses, question unexpected emails, and consider whether they expected communication from the sender. If the email asks for specific actions, including clicking a link, err on the side of caution.
- Don’t overshare: Be cautious about what you share online. Scammers often personalize messages to make them seem more trustworthy, based on publicly available information about their targets.
- Find the right partner: Partnering with a B2B platform with strong anti-fraud security and a focus on straight-through processing (STP) can bring several benefits. STP automates financial transactions by seamlessly sharing data across multiple points, speeding up transaction processing and reducing repetitive payment-related tasks. By removing human factors, it can make the system less prone to BEC fraud as well.
Conclusion
BEC scams have become a menace to B2B payments operations, especially with the rise of generative AI. Larger organizations in particular are increasingly susceptible to BEC fraud due to their complex structures and siloed departments.
To counter this growing threat, companies should focus on measures like two-factor authentication, employee training, cautious online behavior, and partnering with B2B platforms that prioritize anti-fraud security and streamlined processing.
Preventing fraud is crucial because it safeguards finances, operations, reputation, legal compliance, and employee morale. It’s a worthwhile investment in long-term success. And as shown in this article, it is doable, with the right steps.