Business Email Compromise (BEC) scams have become increasingly commonplace and financially destructive. According to the Federal Bureau of Investigation (FBI), 2019 was the worst year on record for BEC scams — both in terms of the number of attacks and the financial losses incurred because of the scams. 2020 figures to be even worse, as businesses have increasingly been victimized by attackers seeking to exploit companies whose employees are working remotely due to the COVID-19 pandemic. As the risk and harm associated with BEC scams becomes more pronounced, businesses must work to understand how the scams work, who is responsible for the financial losses, and what steps to take to prevent victimization.
Introduction to Business Email Compromise Schemes
Businesses are typically victimized by one of two variants of fraudulent BEC schemes, both of which involve spoofed or compromised electronic communications. In some BEC schemes, attackers purporting to be company executives use spoofed email addresses and direct the victim companies’ finance personnel to make large wire transfers to third-party bank accounts. In other BEC schemes, attackers impersonate the victim companies’ customers or vendors and request that the victim companies initiate changes to the customers’ or vendors’ bank account information and then make large wire transfers to the new bank accounts.
While there are different forms of BEC schemes, the basic premise is that attackers attempt to target employees with access to a company’s finances and then trick them into making wire transfers to bank accounts that are purportedly controlled by trusted business partners, but in reality are controlled by the attackers. The typical BEC scheme has a simple and effective timeline:
- The attacker identifies a target at the victim business.
- The attacker “grooms” the potential target by using social engineering techniques with the most popular being “phishing” attacks.
- The attacker attempts to convince the target to engage in an exchange of information whereby the victim is convinced that he/she is conducting a legitimate business transaction.
- The attacker prompts the victim to execute a wire transfer to a bank account controlled by the attacker.
Criminals have increasingly exploited vulnerable business processes with BEC schemes — with losses from such schemes totaling over $3 billion since 2014. Not surprisingly, reports to the FBI’s Internet Crime Complaint Center (IC3) of BEC schemes have risen significantly in the past few years. Indeed, in 2014 — the first year that IC3 began to compile statistics on BEC schemes — there were just under 1,500 BEC complaints reported to IC3, with corresponding financial losses of approximately $60.3 million. However, by 2019, those figures had grown exponentially, with approximately 23,775 BEC complaints and corresponding financial losses of approximately $1.7 billion. Companies across almost every industry sector have been targeted and victimized by these scams.
As the number and severity of BEC scams has increased, law enforcement has expended significant resources in an effort to prevent and thwart these attacks. By way of example, in 2019, the FBI created a Recovery Asset Team (RAT) to assist BEC victims in stopping fraudulent wire transfers and recovering financial losses.
Who Bears the Loss?
The threats inherent in BEC scams are compounded by the unsettled nature of the law governing loss allocation among victims of such schemes. Consider the scenario in Arrow Truck Sales, Inc. v. Top Quality Truck & Equip., Inc., Case No. 8:14-CV-2052-T-30TGW, 2015 WL 4936272, at *5 (M.D. Fla. Aug. 18, 2015). In that case, a buyer contracted to purchase a dozen trucks in a transaction conducted entirely over email, consistent with industry practice. A third party impersonating the seller provided wire information by email directing the purchaser to wire funds to an account unconnected to the actual seller. When the actual seller did not receive payment, it refused to turn over title to the trucks and instead sold the trucks to another party. The buyer sued, asserting breach of contract and negligence claims.
Prior to trial, the court asked for briefing on similar cases, but the parties and the court were unable to find cases on point. Accordingly, the court looked to case law involving forged checks as the most analogous and held that “the party who was in the best position to prevent the forgery by exercising reasonable care suffers the loss.” After finding that neither party acted negligently in handling its email account, the court concluded that the buyer should have attempted to verify the fraudulent wire instructions, which differed from past instructions from the actual seller and differed from instructions printed on the actual seller’s invoice, and therefore must bear the loss of the misdirected payment.
The court in Bile v. RREMC, LLC, Case No. 3:15CV051, 2016 WL 4487864, at *2 (E.D. Va. Aug. 24, 2016) applied similar reasoning, but reached a different result. In that case, the parties reached terms on a settlement agreement to resolve an underlying employment litigation. An imposter impersonating the plaintiff wrote to plaintiff’s attorney and requested that he send the settlement funds to the imposter’s account. Plaintiff’s counsel called plaintiff, determined that the email was fraudulent, and deleted the email. Days later, the imposter gained access to the plaintiff’s counsel’s email and wrote to defendant’s counsel, directing him to send the settlement payment to the imposter’s account. Defendant’s counsel did not verify the account information, but sent the wire to the imposter’s account. Here, despite defendant’s failure to verify the wire transfer, the court concluded that plaintiff should bear the loss because plaintiff’s counsel failed to use ordinary care when he did not inform defendant’s counsel that an imposter had “targeted” the settlement in the initial email scam.
As these cases demonstrate, loss allocation among BEC victims is fact-specific and disputes are often not amenable to dispositive motions, including summary judgment, because it is often difficult to determine fault. The adoption of BEC deterrence measures, as discussed below, can help a company in that regard not only by lowering the risk of the company falling victim to a BEC scam, but also by providing a factual basis to demonstrate that the company acted proactively and prudently to avoid fraud and therefore should not bear the loss if one of its business partners falls victim to a BEC scheme.
Steps to Take to Avoid Victimization by BEC Scams
Almost every law enforcement and regulatory authority expects that BEC perpetrators will continue to refine their methodologies and strategies in order to evade detection by victims and ensure continued financial success.
However, there are effective policies and procedures that businesses can put into place in order to minimize, or even eliminate, the risk of victimization from BEC scams. Specifically, companies should consider how they enhance their payment authorization procedures and verification requirements for vendor information changes. In addition, companies should examine their account reconciliation procedures and outgoing payment notification processes to ensure that they detect and stop payments resulting from fraud. Companies must also look to enhance their training of employees about BECs and other cyber-related threats, as well as the relevant internal policies and procedures governing issues such as payment authorization and verification.
Specifically, companies should consider taking the following actions:
- Employ Two-Factor or Multi-Factor Authentication.
- Disable older, legacy email protocols — this will greatly limit the ability of an attacker to successfully infiltrate and/or spoof a company’s email system.
- Enable appropriate system logging to ensure that, if an attack occurs, it can be tracked and the culprit and exploit can be identified in a timely manner.
- Institute email integrity policies such as Domain-Based Message Authentication Reporting and Conformance (DMARC), Domain Key Identification Mail (DKIM) and/or Sender Policy Framework (SPF).
- Scrutinize all emails, especially if an email requests payment.
- Train employees to use common sense and diligence when conducting financial transactions — especially those prompted by email.
- Verify any changes in vendor and customer payment accounts by using a secondary “sign off” by vendor or customer personnel.
- Carefully monitor vendor and customer payment habits.
Steps like those noted above are critical because once a party wires money to an account controlled by the attackers, it is very difficult to recover the funds. In addition, it is crucial to take steps to prevent BEC attacks because various federal and state law enforcement agencies and regulators have shown a willingness to investigate and bring enforcement actions against BEC “victims” that are perceived to have been negligent or reckless in failing to adequately address BEC and other cyberattack risks.
Vigilance is critical to defeat BEC attackers. However, with some basic social awareness and common sense training, many of the losses associated with these attacks can be successfully avoided.