Fraudsters have found a new twist on an old favorite — business email compromise scams. In the inaugural Preventing Financial Crimes Playbook, Jeff Taylor, senior vice president of Commercial Fraud Forensics at Regions Bank, explains how the bank is using automated technologies to stop BEC scammers who are hiding in plain sight.
Most businesses are used to fending off fraudsters, but fraudsters are just as used to launching novel schemes, or tweaking existing ones, to slip past the defenses businesses have built.
Business email compromise (BEC) scams are one example. Bad actors have quickly adjusted these scams to bypass the prevention measures businesses have put in place over the past few years, Jeff Taylor, senior vice president, head of Commercial Fraud Forensics and Payment Strategy at Birmingham, Alabama-based financial institution (FI) Regions Bank, explained in a PYMNTS interview.
BEC attacks began as schemes in which fraudsters impersonated business executives and asked for money or financial details, counting on overwhelmed or unsuspecting employees to act on the request. Bad actors have since upgraded their BEC tactics with new technologies as companies and FIs have moved to guard against them, making such attacks all the more insidious. This is especially evident in BEC scams that target B2B payments, where bad actors count on the more manual, time-consuming processes attached to B2B transactions to raise their overall chances of success.
“So [if] you think about [a legitimate] vendor changing terms as an example, when a vendor change is made, then that may take 60 to 90 days before that actually becomes known because of the timeframe around payment, of the collection timeframe on those invoices,” Taylor explained. “So, by that time, the money, if that payment change was made [by bad actors] and the money was sent to an account controlled by the fraudster, that money is typically gone and not available for recovery.”
Fraudsters are taking advantage of this gap by sending out BEC messages with greater frequency than ever. Taylor explained that cybercriminals may send out thousands of emails, and that responses from even 100 or so companies can land them a significant amount of money. Being prepared to confront these schemes is critical to the financial health of businesses as well as their FIs, so companies must move quickly to block these attacks.
The Rising Risk Of BEC Attacks
Guarding against BEC scams has only become more difficult as a growing number of B2B firms move to digital payment tools and as fraudsters switch to subtler tactics to get past existing cybersecurity measures. Taylor said many are now using a technique known as nesting: after the initial breach, the attacker lurks inside the company's email environment, gathering information that lets them more closely mimic requests from legitimate vendors or company executives. Nesting can clue fraudsters in to everything from the expressions an executive typically uses in email to the dollar amounts usually attached to the payment types they are requesting, he explained.
“[Nesting] then enables them to appear more legitimate because they use the same vernacular … that is being used maybe by the person they are trying to impersonate, the vendor or the executive, the individual that they are trying to access,” he said. “And it allows them to monitor payment activity: What day of the month do you typically receive an invoice from this vendor, and when they do to pay that?”
Employees may well be suspicious if they receive an email from a vendor asking to change routing numbers or other payment information after the invoice has already arrived. That suspicion is much less likely to be triggered when the fraudster knows the dates by which invoices normally arrive and sends the change request beforehand. Taylor noted that even automated tools may have difficulty distinguishing legitimate emails from BEC scams in such cases.
“The [artificial intelligence (AI)] and [machine learning (ML)] — there are some really great tools that are available, but, unfortunately, because of the way the fraudsters are changing their attack vectors, it is very difficult to detect a BEC [attack using just them],” he said. “Think of it this way: The dollar amounts are likely going to be similar to what you have paid in the past, and the fraudsters know that. Really, the only thing that is changing is the routing [or] transit [or] account numbers and, unfortunately, companies do that all the time. They change their banking information all the time. So, with ML and AI, you get a number of false positives as a result of that.”
These automated technologies can certainly help businesses guard against various aspects of BEC fraud, such as weeding out messages with mismatched email addresses or other suspicious data points. Yet companies should pair such tools with a human element, which means employees at targeted businesses still play a key role in preventing these attacks.
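To make the point concrete, here is an added example of the kind of triage logic the last three paragraphs describe; it is illustrative code written for this page, not a tool from Regions Bank or PYMNTS. It treats a bank-detail change by itself as weak evidence (vendors really do change banks, which is where the false positives come from) and only escalates when that change coincides with the signals automation is actually good at: a look-alike sender domain, a Reply-To pointing somewhere else, and a request timed ahead of the vendor's usual invoice. The vendor record, domains, account numbers and both email messages are constructed for the example.

```python
"""Constructed example: triaging vendor payment-change emails for BEC signals.

Added illustration, not code from Regions Bank or PYMNTS. All vendors, domains,
numbers and messages below are made up.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Hypothetical vendor master data: bank details on file and the day of the month
# this vendor's invoice usually arrives.
KNOWN_VENDORS = {
    "acme-supply.example": {"routing": "021000021", "account": "123456789", "invoice_day": 25},
}

ROUTING_RE = re.compile(r"routing(?:\s+number)?\s*[:#]?\s*(\d{9})", re.I)
ACCOUNT_RE = re.compile(r"account(?:\s+number)?\s*[:#]?\s*(\d{6,17})", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Domain part of an address header, lower-cased; empty if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_payment_change(raw_message):
    """Score one email. Returns a dict with score, reasons, matched vendor and action."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    body = msg.get_body(preferencelist=("plain",)).get_content()
    score, reasons = 0, []

    # Identify the vendor being claimed: exact domain, or a near-miss (typosquat).
    vendor_dom = from_dom if from_dom in KNOWN_VENDORS else None
    if vendor_dom is None:
        for known in KNOWN_VENDORS:
            if 0 < edit_distance(from_dom, known) <= 2:
                vendor_dom, score = known, score + 3
                reasons.append(f"sender domain {from_dom!r} is a look-alike of {known!r}")
                break
    if vendor_dom is None:
        return {"score": score, "reasons": ["sender is not a known vendor"], "vendor": None, "action": "review"}
    vendor = KNOWN_VENDORS[vendor_dom]

    # Replies routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        score += 2
        reasons.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # A bank-detail change is weak evidence by itself (vendors really do switch banks),
    # so it scores low but always forces an out-of-band callback to the number on file.
    routing, account = ROUTING_RE.search(body), ACCOUNT_RE.search(body)
    changed = bool((routing and routing.group(1) != vendor["routing"]) or
                   (account and account.group(1) != vendor["account"]))
    if changed:
        score += 1
        reasons.append("asks to change routing/account numbers on file")
        # A change request that lands ahead of the usual invoice is the timing a
        # fraudster who has been reading the mailbox can engineer.
        sent_day = parsedate_to_datetime(msg["Date"]).day
        if sent_day < vendor["invoice_day"]:
            score += 1
            reasons.append(f"arrived on day {sent_day}, before usual invoice day {vendor['invoice_day']}")

    action = "block" if score >= 4 else ("verify out-of-band" if changed else "pass")
    return {"score": score, "reasons": reasons, "vendor": vendor_dom, "action": action}


# Constructed sample messages (hypothetical addresses and account numbers).
FRAUD_MSG = """\
From: "Acme Supply AP" <billing@acme-suply.example>
Reply-To: acme.billing@freemail.example
To: ap@victim.example
Date: Tue, 14 Mar 2023 09:12:00 -0500
Subject: Updated remittance details

We have changed banks. Please use routing number: 026009593 and account number: 987654321 for the next invoice.
"""

LEGIT_MSG = """\
From: "Acme Supply AP" <billing@acme-supply.example>
To: ap@victim.example
Date: Mon, 27 Mar 2023 10:00:00 -0500
Subject: New account for remittances

Please update our account number: 555000111 (routing number 021000021 is unchanged).
"""

if __name__ == "__main__":
    for raw in (FRAUD_MSG, LEGIT_MSG):
        print(score_payment_change(raw))
```

The legitimate message scores low and is routed to a callback rather than blocked, which is the "human element" the paragraph above calls for; the fraudulent one is blocked because the weak bank-change signal is corroborated by the domain and timing signals. The weights are illustrative, not tuned values.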
Fraud Education And Remote Work
A key element of businesses' fraud protection plans is safeguarding their online payment processes with emerging technologies that can keep up with fraudsters' rapidly shifting tactics. Taylor also explained that businesses must cultivate a culture of employee awareness if they are to truly protect against BEC and other popular scams that rely on social engineering. This concern is especially pressing during the pandemic, as many offices have had to adjust to remote work environments with security weaknesses of their own.
“I think that companies in the pandemic had to adjust their equipment policies to accommodate remote work,” Taylor said. “In many cases, individuals did not have company-owned equipment that they used. They were using their personal equipment and even their personal emails to connect and conduct business, and obviously those are much more vulnerable than company emails and the platforms that a company would have that might be insulated by a [virtual private network].”
Companies are unlikely to return entirely to the business models they used before the pandemic, so tools and fraud prevention strategies that protect payments and other business processes in a remote, digital working environment will only grow in importance. Failing to adopt them could have lasting consequences for businesses' financial health as they try to keep pace with competitors and halt fraudsters' constantly shifting attacks.