ACFE releases Anti-Fraud Technology Benchmarking Report
With the advancement of technology over the years, the avenues for fraud perpetration, protection and detection have multiplied. In an effort to gain a ...
The Rise of Business Email Compromise Scams
Business Email Compromise – or BEC – is an increasingly common scam targeting U.S. and European companies that is often carried out by criminal organizations. In most cases, attackers from these organizations target employees who have access to company finances or W-2 information with the intention of tricking them into transferring money or sending data records. The deceptive techniques used to target and exploit victims vary from spear phishing and social engineering to email spoofing and computer intrusion techniques (malware).
The FBI 2017 Internet Crime report highlights growing trends in cybercrime that were seen last year. BEC – or “CEO Fraud” – led the pack in 2018, topping $676 million in victim losses. Since 2015, there’s been a staggering 1,300% growth in losses as a result in the spike in these frauds, now totaling over $3.0 billion in the past three years alone. BEC is a serious threat on a global scale that’s expected to continue to rise with the increased reliance on business email.
Anatomy of the Scam
A BEC scam can take on various forms. One common scheme, called CEO impersonation, attempts to persuade a target into wiring money for apparent business purposes. This scheme usually begins with the attacker compromising the CEO of the target company’s email account through a phishing or malware attack. After spending some time monitoring email communications to carefully understand the company’s vendor relationships as well as the CEO’s interests, email communication style and travel plans, the target is then chosen.
Employees from Finance or Accounts Payable – or even the Controller – are often primary scam targets. At the appropriate time, the attacker sends a phony email to the selected target from either the CEO’s inbox or a lookalike domain name (which is usually one or two letters off from the company’s true domain name). The email typically requests an immediate wire transfer to the attacker’s account, whose account number has been modified and disguised as that of a trusted vendor. Unless the scheme is detected in a timely manner, any transferred money is often difficult to recover.
Don’t Fall Victim
Schneider Downs recommends any number of the following procedures to help your organization develop its own effective defensive strategy against BEC and other email cyberattacks:
The general rule under Internal Revenue Code §451 is that an item of income shall be included in gross income for the taxable year or receipt unless ...
One PPG Place, Suite 1700
Pittsburgh, PA 15222
65 East State Street, Suite 2000
Columbus, OH 43215
1660 International Drive, Suite 600
McLean, VA 22102