Advisory Insights – What You Need to Know about BEC Fraud

By Steve Perkins, HoganTaylor Chief Information Officer

An assistant controller gets an email from the CEO ordering her to quickly wire $20,000 to the First Bank of Nigeria (or wherever). The assistant controller dutifully wires the requested money without giving it a second thought. Minutes later, the two pass each other in the hall:

Controller:  “Hey, I wired that money you requested.”

CEO:  “What money? What request?”

Can you imagine the dread racing through their minds as they realize they’ve just been defrauded by a simple email scheme? This scenario is happening all over the country to smart people in top organizations that think they have good internal controls.

Another scenario might go like this: The backup payroll clerk receives an email from the new CEO asking for a PDF copy of all 200+ employee W-2s, which he promptly produces from the payroll system and emails back to the CEO. He later walks over to the CEO’s office:

Payroll Clerk:  “Did you get those W-2s I sent you?”

CEO:  “What W-2s?”

At this point, there has been a loss of confidential records. Notification laws apply, there are possibly insurance claims and legal help will likely be needed to sort through the mess. A recent study sponsored by IBM set the “average cost incurred for each lost or stolen records containing confidential and sensitive information” at $158 per record.[1]

There is another tactic emerging that is even more brazen. The criminals research public speaking engagement videos of corporate leaders, learn to impersonate their voice, and then initiate their crimes by making phone calls directly to unsuspecting victims! A voice call is no longer certainty of a valid request.

These situations are examples of Business E-mail Compromise (BEC) fraud, where cybercriminals impersonate, typically by email and with ridiculous ease, corporate leaders to syphon money or valuable information from organizations. Leaders in Finance, IT and HR are often impersonated as well. The stolen information is often used for identity theft. The wired cash is quickly moved to other financial vehicles for laundering. And, in some cases, the amounts wired are not enough to raise eyebrows, so a company could potentially be hit multiple times before the crime is discovered.

BEC fraud is extremely easy to perpetrate. Why would a cyber-criminal spend days, weeks or months trying to break past the perimeter network defenses of a company to steal information when he or she can just call or email and ask someone for it? This is why BEC fraud is one of the fastest growing types of cyber fraud.

Cybercriminals craft their attacks using publicly available information from our social media feeds like Facebook, Twitter and LinkedIn. Once they know our names, email addresses, titles, corporate reporting structures, the rest is simple. For a little investigative legwork, the payoff can be enormous. Spoofing another person’s email address to make an email appear like it’s coming from someone legitimate is the easiest part of this whole scam.

According to the FBI, losses from this type of fraud from October 2013 to February 2016 totaled $2.3 billion from 17,642 victim reports.[2] That’s just what was reported! Fear of embarrassment has surely led to many losses not being reported at all, especially in smaller firms with no Board or regulatory body to report the loss to. The statistics go on to claim that the FBI “has seen a 270 percent increase in identified victims and exposed loss since January 2015”.[3]


So what can we do in our organizations to avoid such losses? The solution can be broken down into three parts: Training, Creating a Culture of Internal Controls, and Technology.


First, we as individuals must adopt a more skeptical view of any incoming request that involves monetary transactions or any sensitive or confidential information. Watch for spoofed email addresses and never react to an email simply because of the urgency in the language. Continual training for those handling finances and sensitive information is critical.

Creating a culture of internal controls

Secondly, as organizational leaders we must create a culture that empowers our people to stop and question any such request that comes across their email. The criminals know that many of our companies have unspoken rules like, “When the CEO asks you to do something, drop what you’re doing and do it”. This must change. Employ secondary fail-safe authentication methods like secret marks or codes, a quick video chat or face to face, or something else to verify authenticity.


Lastly, rely on technology as another layer of protection. Intelligent detection tools for spear phishing such as those discussed here are now on the market and showing promise. These solutions can detect and remove these attacks before they even make it to your inbox.

It’s clear that to stay ahead of the bad guys we must take advantage of all the resources at our disposal now to protect our organizations from spear phishing losses such as those described here. If we’re successful, eventually these attacks will take too much effort for the pay-off and the criminals will move on.

With growing frequency, companies are asking their service providers to give assurance about the integrity of the system controls the provider is using to protect the organization’s data and financial reporting.  As a result, network security testing through professional attack and penetration services (“pentests”) are becoming common practice.  Although providers are not required by law to disclose this information, providing evidence of adequate control objectives and activities is a must for any service provider hoping to succeed in today’s complex technology-driven marketplace.

HoganTaylor’s Advisory practice has the experience and industry knowledge necessary to provide guidance to clients from all industries that need help managing their business, developing internal controls, and streamlining information technology to increase efficiency. Our Risk Assurance practice can conduct network pentests which is a test attack on  the actual network devices such as firewalls, routers, printers, servers and workstations as well as users. In a network pentest, the objective is to break into a network and determine the amount of damage possible and identify the weaknesses found.

BEC fraud is real and every company, no matter how small, is subject to these attacks.  Begin now to create awareness inside your organization of this threat by training all employees to recognize phishing and other fraud schemes, creating a culture of strong internal controls, and using technology to stop the threat before it invades your business.

[1] Ponemon Institute LLC, 2016 Cost of Data Breach Study: Global Analysis (June 2016).

[2] Reuters. Cyber Fraudsters Reap $2.3 Billion through Email Wire-Transfer Scams (7 Apr 2016)

[3] Id.


Ponemon Institute LLC, 2016 Cost of Data Breach Study: Global Analysis, Ponemon online:

http://www.zinopy.ie/wp-content/uploads/2016/06/Ponemon-Report-2016-Cost-of-a-Data-Breach.pdf, June 2016.

Reuters, Cyber Fraudsters Reap $2.3 Billion through Email Wire-Transfer Scams, Reuters online:

http://www.reuters.com/article/us-cyber-fraud-email-idUSKCN0X505U, Finkle, Jim. April 7, 2016.