PYMNTS-MonitorEdge-May-2024

Why Business Email Compromise Scams Target Valuable B2B Relationships

Email remains a cornerstone of communication, especially within business-to-business (B2B) relationships. This reliance on email, however, has also made it a prime target for savvy cybercriminals.

And with the news that Luxembourg-based chemicals and manufacturing giant Orion SA lost around $60 million after being targeted by a presumed criminal business email compromise (BEC) fraud campaign, fostering a culture of cybersecurity awareness and implementing robust verification protocols is top of mind for prevention-focused B2B buyers and suppliers.

As seen with the Orion incident, sophisticated BEC attacks exploit the trust and legitimacy that email communication carries within business relationships, leading to significant financial and reputational damage.

In a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC) Aug. 10, Orion’s CFO Jeffrey Glajch shared that “a Company employee … was the target of a criminal scheme that resulted in multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.”

“The Company expects to record a one-time pre-tax charge of approximately $60 million for the unrecovered fraudulent wire transfers. … The Company’s investigation into the incident and its impacts on the Company, including its internal controls, remains ongoing. The business and operations were not affected,” the filing added.

Unlike many other forms of cyberattack, BEC scams do not rely on malware or phishing links; instead, they exploit the human element by preying on the trust that exists in established business relationships. They are particularly effective in the B2B context because of high transaction values, complex communication chains and global reach, as well as other factors such as time sensitivity.


All Roads Lead Back to the Invoice

BEC attacks typically begin with the cybercriminal gaining access to an email account within a company, often through phishing or social engineering tactics.

Once inside, the attacker carefully monitors the email traffic to understand the organization’s internal processes, communication patterns and key personnel. This reconnaissance phase can last weeks or even months, allowing the attacker to gather the necessary information to craft a convincing fraudulent email.

The final step involves the attacker sending a carefully crafted email, often appearing to come from a senior executive or trusted business partner, instructing the recipient to transfer funds to a specific account or provide sensitive information. The email is designed to appear urgent and legitimate, leveraging the existing trust between the two parties to bypass normal security checks.

A single successful BEC attack can yield millions of dollars in ill-gotten gains, far outweighing the returns from targeting individual consumers — one-third of the funds lost to cybercrime stem from BEC attacks.

“Fraudsters … are adept at hacking email servers and manipulating employees into granting them access. Once they are in, they can easily mislead accounts payable (AP) and accounts receivable (AR) staff. To put it in simple terms: Today, it’s just too easy to target corporate payments. Therefore, organizations must protect all payment types using technology-driven validation of payee and account details while making sure all payment-related data and files are protected in a way that they cannot be tampered with,” nsKnox COO Nithai Barzam explained to PYMNTS in an interview.


As cybercriminals continue to refine their tactics, it is essential for companies to remain vigilant and proactive in their defense strategies, not least by fostering a culture of agility and awareness.

The first step in battling incoming payments fraud “is to realize that it’s not just some abstract threat. It can happen to any company,” Ansys Corporate Controller Bob Bonacci told PYMNTS.

And many of the risk management leaders PYMNTS has spoken to have emphasized that the first line of defense is an organization’s own employees, making education on attack tactics, and on the best-practice methods to counter them, more important than ever.

Regular training sessions can help employees recognize the signs of a BEC scam, such as unexpected changes in communication style or unusual requests for fund transfers. Employees should be encouraged to verify the legitimacy of any email that appears suspicious, even if it comes from a known contact.

Continuous monitoring of email accounts for unusual activity, such as login attempts from unfamiliar locations or unexpected changes in communication patterns, can also help detect a BEC scam in its early stages.
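As an added illustration of the monitoring described above (example code, not from the article or any vendor it quotes), the script below reads constructed mailbox sign-in records and flags successful logins from a country the user has never signed in from before; the log format is an assumption made for the example.

```python
"""Flag mailbox sign-ins from locations a user has never used before.

Added example: the log format below is constructed for illustration, one
record per line as "timestamp user country result".
"""
from collections import defaultdict

# Constructed sample sign-in log (not real data).
SAMPLE_LOG = """\
2024-08-01T08:02:11Z alice@example.com US success
2024-08-02T09:15:40Z alice@example.com US success
2024-08-05T17:48:03Z bob@example.com DE success
2024-08-20T03:12:55Z alice@example.com NG failure
2024-08-20T03:13:30Z alice@example.com NG success
2024-08-21T10:00:00Z bob@example.com DE success
"""


def parse_log(text):
    """Split each non-empty line into a (timestamp, user, country, result) tuple."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]


def find_unfamiliar_logins(events):
    """Return successful sign-ins from a country not in the user's prior history.

    A user's first successful sign-in only seeds the baseline; failed attempts
    never extend it, so a failure followed by a success from a new country is
    still reported.
    """
    baseline = defaultdict(set)  # user -> countries of earlier successful sign-ins
    alerts = []
    for ts, user, country, result in sorted(events):  # ISO timestamps sort chronologically
        if result != "success":
            continue
        if baseline[user] and country not in baseline[user]:
            alerts.append({"time": ts, "user": user, "country": country,
                           "known_countries": sorted(baseline[user])})
        baseline[user].add(country)
    return alerts


if __name__ == "__main__":
    for alert in find_unfamiliar_logins(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['time']} {alert['user']} signed in from {alert['country']}; "
              f"previously seen in {', '.join(alert['known_countries'])}")
```

An alert of this kind is a prompt for the account owner to confirm the sign-in out of band, not proof of compromise on its own.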
