糖心Vlog

Business email compromise (BEC) scams target corporate email systems and exploit vulnerabilities in the wire transfer process. They鈥檙e a growing concern for accounts payables professionals, just as they start replacing paper with various forms of electronic payments in order to achieve more secure transactions. The irony鈥攐r perhaps the inevitability鈥攊s that fraudsters are also shifting their focus to the digital realm. Here鈥檚 a look into BEC scams and what AP departments can do to maintain safe payments.

How the BEC Scam Works

In short, a scammer sends an e-mail that looks like it鈥檚 coming from a trusted corporate executive to trick an employee into making an electronic payment to a fraudulent overseas account. Criminals commonly target companies that work with foreign partners or regularly make wire transfer payments鈥攁nd they鈥檙e careful to use language and transaction amounts that sound legitimate.

According to insights on , the most 鈥渟uccessful鈥� scammers employ remarkably sophisticated tactics to perpetrate their crimes. While researching a target company鈥檚 activities and personnel, for instance, they explore the company website, press releases, and social media to find out who manages money and where they do business鈥攁nd they鈥檒l go so far as to hack into the company鈥檚 IT systems to get on the inside and uncover more details. Once they identify a fraud victim within the company, they may communicate them for days or weeks over e-mail or telephone before requesting an urgent wire transfer.

Why Wire Transfers are 鈥淯rgently Requested鈥� By Scammers

In their white paper, , international risk mitigation partners, Lowers & Associates, discuss the importance of maintaining stringent controls over the payment method that typically involves global movement of large sums of money. They consider the wire transfer process, whether manual or automated, particularly susceptible to fraud. They cite inadequate pre-employment screening for employees assigned to perform wire transfer duties, weak user authentication, the use of single-person controls, and untimely reconciliation as among the reasons for process vulnerability and fraud.

For wire transfers that rely on post payment review, fraud has already occurred by the time suspicion arises鈥攁nd it can be a challenge to recover the funds. As soon as the money is transferred, the recipient can quickly withdraw or transfer it. It makes sense that wire payments are requested by these imposter executives. In fact, the Association for Financial Professionals鈥� 2016 found that after checks, wire transfers were the second most popular vehicle for payments fraud, with 48% of organizations exposed. What鈥檚 more, 64% report that their organizations were exposed to BEC in 2015.

Just how extensive is this scam? As of mid-June, as reported on , the FBI estimates that hackers have attempted to steal over $3 billion from businesses via e-mail wire transfer scams since 2013鈥攁nd have involved nearly 22,143 businesses across all 50 US states and at least 79 countries. Here are additional details:

• Most cases involved requests to transfer funds to banks in Hong Kong and China
• The FBI has seen a 1,300% increase in identified exposed losses since January 2015
• The size of losses vary widely from case to case, from about $10,000 to tens of millions of dollars.

PYMNTS.com explored this fast-growing phenomenon in April鈥檚 .

Protecting A/P from BEC Scams

Accounts payable automation solution firm Avidexchange eBook called The Scary Truth About B2B Payments sheds additional light accounts on protecting against this form of payables fraud. Aside from following common sense鈥攖hinking twice before processing an 鈥渦rgent鈥� requests and always confirming transfer details with the vendor prior to processing payment鈥攖hey recommend:

• Creating intrusion detection rules that flag suspect e-mails, such as those with .co extensions if your company uses .com
• Putting multiple people into the payments process to ensure that no one person has the ability to carry out a (fraudulent) payment
• Automating payments whenever possible to ensure strict business rules (i.e. pattern of permissions) are followed before potential fraud occurs

An option for more secure (and lower-cost) B2B payments processing is the virtual card number (VCN). VCNs are becoming a widely adopted digital alternative to wire transfer payments, especially for cross-border payments. The single-use numbers have built-in controls with respect to where and when payments can be made鈥攁nd for how much. And since they use credit card networks, no banking information needs to be exchanged between the two parties in the transaction. The sender and receiver are also freed from the complicated set-up and fees associated with the traditional wire transfer. On the back end, each transaction yields rich remittance data allowing for efficient reconciliations.

Learn how Virtual Card Numbers Fight Payments Fraud in Business Travel