Business Email Compromise (BEC) scams, also known as “whaling” or “CEO fraud,” involve crafted emails sent to recipients by fraudsters pretending to be senior executives. These emails leverage social engineering and urgent requests to get employees to carry out large wire transfers or send over sensitive information such as W2 forms.
Knowledge is power, so your best protection is to know precisely how cybercriminals will come after you. BEC scams can be broken down into five basic scenarios. They are:
- Bogus Invoice Scheme
- Executive Fraud
- Email Account Compromise
- Attorney Impersonation
- Data Theft
Scenario 1: Bogus Invoice Scheme
This version, also referred to as “The Bogus Invoice Scheme,” “The Supplier Swindle,” and “Invoice Modification Scheme,” usually involves a business that has an established relationship with a vendor. The fraudster asks the business to wire funds for invoice payment to an alternate, fraudulent account via spoofed email, telephone, or facsimile.
Scenario 2: Executive Fraud
In this version, the fraudsters identify themselves as high-level executives (CFO, CEO, CTO, etc.), lawyers, or other types of legal representatives. They purport to be handling confidential or time-sensitive matters and initiate a wire transfer to an account they control. In some cases, the fraudulent request for wire transfer is sent directly to the financial institution with instructions to send funds to a bank urgently. This scam is also known as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”
Scenario 3: Email Account Compromise
Similar to the two other versions, in this one an employee’s email account is hacked and then used to make requests for invoice payments to fraudster-controlled bank accounts. Messages are then sent to multiple vendors identified from the employee’s contact list. The business may not become aware of the scheme until its vendors follow up to check on the status of the invoice payment.
Scenario 4: Attorney Impersonation
In this version, the cybercriminals contact either the employees or the CEO of the company and identify themselves as lawyers or representatives of law firms, claiming to be handling confidential and time-sensitive matters. This contact, typically made via phone or e-mail, pressures the contacted party into acting quickly or secretly in dealing with the transfer of funds. This type of BEC scheme may be timed to occur at the end of the business day or work week, when employees are getting ready to rest and thus vulnerable to panic.
Scenario 5: Data Theft
This scheme involves compromising the email accounts of role-specific employees (usually human resources) in the company and using them to send requests, not for fund transfers but for personally identifiable information of other staff and executives. This scam can, therefore, serve as a jump-off point for more damaging BEC attacks against the company itself.
Wire fraud is a significant and growing problem for businesses. According to the FBI’s Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) schemes have grown at a jaw-dropping rate of 2,370% since 2015. With more than 40,000 domestic and international incidents, these types of scams have cost more than a staggering $5.3 billion in actual and attempted losses.
Whether you use WestStar Bank’s wire transfers or visit a branch to initiate wire transfers, the best defense against wire fraud is for your business to have rock-solid procedures, backed up with education and awareness for team members, so they recognize the signs of suspicious activity within your company.