Don’t Be the Next Victim of a BEC Scam

Written By Ruth Promislow and Suzie Suliman

Businesses are increasingly defrauded through common scams known as business email compromise scams (BEC scams) for which they do not have insurance to cover the resulting losses. Fortunately, there are easy-to-implement strategies to minimize the risk of falling victim to this fraud before it’s too late.

BEC scams typically unfold in the following way:

• A fraudster compromises an email account of one of two parties involved in a commercial transaction (often through phishing, credential stuffing or malware). Through this compromise they learn about an upcoming payment due by one party to the other.
• The fraudster may use their access to the payee email account to impersonate the payee, providing fraudulent payment instructions to the payor (i.e. instructing the payor to send the payment to a different bank account).
• Alternatively, the fraudster may register a spoofed domain of the payee and send an email from that spoofed domain that looks nearly identical to the payee’s email address and provide fraudulent payment instructions to the payor.
• If the fraudster has access to the payee email account, they typically create rules in the email account to hide the email exchange containing the fraudulent instructions. This allows the fraudster time to receive the funds into their account and then remove them before the fraud is discovered.

Another common version of this scam involves the fraudster impersonating the Chief Executive Officer (CEO) or Chief Financial Officer (CFO) of a company and calling the accounting department, citing urgency with a required wire transfer. Several companies have fallen victim to this fraud, some involving deepfake audio of the CEO (including a 2024 incident where a finance employee was tricked into paying out $25 million to criminals using deepfake technology to impersonate the CFO).

According to the Internet Crime Complaint Center (IC3), a division of the Federal Bureau of Investigation, BEC scams have resulted in reported losses of over US$55 billion between 2013 to 2023 in the United States. Other sources estimate losses in the range of US$6.7 billion globally in 2023 alone. The takeaway is that this fraud is incredibly common.

The following are some tips for minimizing the risk of being defrauded through BEC scams:

• Every request for a change of account information—whether it involves a change to the contact name, number or bank account information—should be treated with suspicion.
• Any suggested urgency of the payment should be treated as a red flag.
• Implement an appropriate protocol to minimize the risk of this scam. For example, the protocol may require that:
  • any account change request must be verified by placing an outbound call to a known representative at the payee company (or to the CEO or CFO, as the case may be), using a phone number already on file for that person
  • a virtual (face-to-face) meeting is held to verify the instructions
  • a pre-determined password is verbally exchanged
  • any account change request must be signed off by the accounting employee who received the request and by their supervisor (two heads are better than one!)
  • immediately after sending the wire, you must call the company at a publicly listed number to ensure that they have received the funds to their account
• Do not let any suggested urgency by the payee (or the fraudster impersonating the payee) force you into skipping appropriate protocol.
• Train your accounting department regarding the protocol and red flags (e.g. any change request, urgent requests, any request out of the ordinary that they were not expecting). Organizations routinely fall victim to this fraud notwithstanding having an appropriate protocol in place because the accounting department is not sufficiently familiar with the required process.
• In your terms with third parties, implement a provision that any account change request that purportedly comes from you must be verified in a specified way. This can help to avoid disputes about who is to blame should the payor be duped into sending funds to the fraudster.

Lastly, if you discover you have been the victim of fraud, report it to counsel immediately as we can assist in facilitating the freezing of the fraudster account into which the funds were paid. If you have questions about cybersecurity risk management, reach out to Bennett Jones' Data Governance Protection and Cybersecurity team.

Download PDF