The victims of these BEC scams range from small businesses to large corporations. How are these scams pulled off? The FBI lists five scenarios in which companies are duped into wiring money to criminals:
- A business with a longstanding relationship with a supplier is requested to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, fax, or email. If an email is received, the subject will spoof the email request so it appears very similar to a legitimate account and would require very close scrutiny to determine it was fraudulent. Likewise, if a fax or telephone call is received, it will closely mimic a legitimate request.
- The email accounts of high-level business executives (CFO, CTO) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is normally responsible for processing these requests.
- An employee of a business has his/her personal email hacked. This personal email may be used for both personal and business communications. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal email to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until contacted by the vendor to follow up on the status of an invoice payment.
- Fraudsters will identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or email. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of BEC scam may occur at the end of the business day or work week and be timed to coincide with the close of business of international financial institutions.
- Fraudulent requests are sent using a business executive’s compromised email. The entity in the business organization responsible for W-2s or maintaining Personally Identifiable Information (PII), such as the HR department, bookkeeping, or auditing section, has frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents occur prior to a fraudulent wire transfer request.
Insurance Protection Needed
Even with business protection strategies in place, such as dual confirmation of wire transfers, vendor verification, scrutiny of email requests, and others, cyber criminals are continually stepping up their game and pulling off wire frauds. To respond to this emerging risk, Wire Fraud coverage should be a part of a firm’s Crime or Cyber insurance program. Financial Guaranty Insurance Brokers (FGIB) can provide you with this coverage.
Coverage for wire fraud can be added to a Cyber insurance policy up to a certain amount, depending on the insurance carrier. Some policies offer coverage by endorsement, for example, to address losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee. Some Crime insurance policies can also be endorsed to include coverage for wire fraud up to a certain limit. Again, the type and extent of coverage varies by insurance company.
Talk to the professionals at FGIB about what type of coverage is available to help safeguard your operation from this growing risk.