Business payments fraud is growing and wreaking havoc not only on banks’ commercial customers, but also on the banks themselves.
One of the most frequently perpetuated fraud of this type is via business email compromise (BEC), says Chad Quarles, senior CISO advisor at Hartman Executive Advisors, an independent strategic IT and cyber advisory firm in Timonium, Md.
Quick Stat
$2.4 billion
The amount of global cyber losses in 2021
Source: FBI
A BEC attack usually begins when the threat actor gains unauthorized access to an email account belonging to a bank or one of the bank’s business partners, such as a title company, Quarles says. The threat actor will monitor the title company employee’s email until they identify a conversation discussing payment instructions and then impersonate the recipient of the payment and redirect the wire transfer to an unrelated account.
“By the time the victim realizes what’s going on,” he says, “the wire has been sent and the account has been drained.”
According to the FBI’s Internet Crime Complaint Center, BEC fraud is one of the most financially damaging internet crimes, leading to roughly $2.4 billion in global cyber losses in 2021. The FBI also reports that between July 2019 and December 2021, BEC losses surged by 65% and have cost organizations about $43 billion from June 2016 to December 2021.
Fraudsters targeting business payments
Another common type of business payments fraud is perpetrated via vendor payment change request, when an accounts payable representative receives an email or letter from a vendor providing new automated clearing house (ACH) instructions, says Jeff Olejnik, principal, cybertech practice leader in Wipfli LLP’s Minneapolis office.
“Your company [often] doesn’t realize it’s duped until the vendor starts making collection calls and they say they never sent a payment change,” he says.
According to Olejnik, other types of business payments fraud include fake wire transfer requests, W-2 scams and ransomware.
The biggest entry points for fraud are account takeover attacks, where an attacker, through a variety of means, can impersonate someone’s digital persona to steal money, says Robert Johnston, CEO and cofounder of Washington D.C.-based Adlumin, a cloud-native security operations platform provider that also offers managed detection and response services. This manifests in the forms of password theft, identity theft and social engineering.
“To minimize these threats, community banks need to ensure identity verification is implemented at every aspect of their information technology infrastructure, especially business email compromise, where an attacker is able to hijack an email account and use that email account to commit fraud,” Johnston says.
Establish a plan for fighting business payments fraud
Exacerbating the problem is the growing use of advanced technology to implement these scams, particularly those powered by artificial intelligence, which enables fraudsters to appear “more convincing than ever,” says Steven Estep, ICBA’s assistant vice president of operational risk.
“One example is deep fake audio technology, which enables fraudsters to mimic the voice of executives or other public figures,” Estep says. “With the newer chat AIs coming online, I would suspect that the emails fraudsters use will be harder than ever to detect.”
Quarles recommends that banks have documented procedures for requesting and executing fund transfers. They should be wary of urgent requests to act quickly or changes to established payment instructions and procedures.
If business payments fraud is suspected, banks should already have an incident response plan in place, he says. The playbook should include having a contact at the bank with the authority to recall a wire transfer; procedures for reporting and taking down fraudulent email domains; contacting the bank associated with the threat actor’s account to report the fraud; and reporting the incident to the FBI.
Banks should also maintain adequate cyber liability insurance that covers BEC, Quarles says.
“Sophisticated technology on behalf of scammers often isn’t the culprit when it comes to stealing data. Employees can be the weakest link if they are too trusting,” Olejnik notes, adding that an uninformed employee can be more easily manipulated. “Therefore, make sure you have trained your employees thoroughly to prepare for cybersecurity threats.”
In addition, it’s important for community banks to educate their commercial customers about business payments fraud, encouraging them to protect themselves through training and controls, Olejnik says. Banks should also encourage their customers to use advanced cash management services offered by the bank, including positive pay, and enabling advanced security controls like multifactor authentication and payment notifications.
“Community banks can differentiate themselves by taking a leadership role with their clients and in their communities to heighten awareness of good cybersecurity practices,” he says.
Fraud can start on social media
When trying to minimize opportunities for business payments fraud, community banks should educate both their employees and commercial customers to think very carefully about what they post on social media, says Steven Estep, ICBA’s assistant vice president of operational risk.
“Education for both consumers and employees is key to catching and stopping fraud,” he says.
Estep recommends these best practices to minimize threats:
Only post about travel, including conferences you’re attending, after you have returned.
Be sure you really know the person you are connecting with on LinkedIn or other social media.
Verify any request for funds or change in payment method via a trusted and confirmed communications channel.