BEC Fraud: How to Protect Your Business From a Growing Threat

CPAs & Advisors


Business email compromise (BEC) has emerged as one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center (IC3), organizations lost nearly $56 billion across approximately 305,000 incidents between October 2013 and December 2023. Increasingly, gift cards are playing a key role in BEC scams.

Understanding how these schemes work can help prevent them from harming your business.

Role of gift cards

To steal from companies, BEC perpetrators use social engineering and computer intrusion techniques. Their goal is to trick email users into transferring funds to them. Although several BEC variations are active, cybercriminals usually impersonate senior executives and target lower-level employees by asking workers to fulfill what might seem like routine requests. These include sending money via wire or writing a check.

In recent years, gift cards have assumed a prominent role in these scams. Unlike wire transfers, for which most companies and financial institutions have extensive security protocols, gift card transactions generally encounter little scrutiny. Gift cards, after all, are designed to be easy to buy and use.

Common schemes

In a typical BEC scheme, an employee might receive an email from the company’s “CEO” instructing the worker to purchase gift cards for a vendor and to mail them the same day. The fraud perpetrator typically promises to reimburse the employee who buys the gift cards. To keep the scheme from being detected in time to stop it, con artists may ask employees to expedite shipment of gift cards via a delivery service.

Fraudsters, posing as executives, perpetrate a similar scheme by asking employees to email them information for each gift card purchased — including security codes if they’re printed on the cards — or to send photographs of the front and back of each card. The thief promises to personally email the vendor or other intended recipient with the card information.

Of course, digital gift cards can be redeemed by crooks even faster than physical cards. So a perpetrator might tell a worker to buy cards online and email card numbers, personal identification numbers and security codes. Then the perpetrator quickly accesses and drains the funds.

Use of AI

Unfortunately, artificial intelligence (AI) has increased the sophistication of some BEC attacks. AI tools may allow fraudsters to effectively impersonate executives by:

  • Accessing their actual communications, such as emails, blog posts, letters to employees and interviews,
  • Analyzing their speech patterns, and
  • Replicating their behavior and business practices.

An employee in a BEC scam might receive AI-generated emails that imitate a CEO’s writing style and are difficult to detect as fake. Add the pressure to respond quickly and the often relatively small dollar amounts involved, and it’s easy to see why gift card scams often succeed.

Simple steps worth taking

You can fight back against even sophisticated schemes with fraud prevention training. Employees should be aware of BEC red flags, such as emails that suggest urgency, call for secrecy, request unusual payment methods, or feature altered email addresses and misspellings. Any time employees receive financial requests via email, they should be required to verify them with the sender by phone or in person. And they should know when and whom to notify if they think they’ve received a fraudulent email.

Your business also should use technical tools to verify the authenticity of incoming emails. Engage an experienced security professional to assess your IT environment and recommend solutions for filtering out illegitimate emails. And keep cybersecurity software current. Installing updates as soon as they become available helps ensure your defenses include the latest tools and intelligence.
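The red flags listed above (urgency, secrecy, unusual payment methods, altered email addresses) can also be screened for automatically, so that suspicious requests are held for phone or in-person verification. The sketch below is an added example, not code from the original article; the company domain, executive name, keyword lists and sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed values for illustration; replace with your own directory data.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}  # display names of senior executives

# Constructed keyword lists for the red flags named in the article.
PATTERNS = {
    "urgency": r"\b(urgent|asap|right away|immediately|same day|today)\b",
    "secrecy": r"\b(confidential|keep this between us|do not tell|surprise)\b",
    "unusual_payment": r"\b(gift cards?|security codes?|pins?|card numbers?)\b",
}

def lookalike(domain, legit=COMPANY_DOMAIN, threshold=0.85):
    """True when a domain is close to, but not the same as, the real one."""
    return domain != legit and SequenceMatcher(None, domain, legit).ratio() >= threshold

def red_flags(from_header, body):
    """Return the sorted list of red flags found in one message."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = set()
    # Altered address: a near-miss domain, or an executive's name on an outside address.
    if lookalike(domain) or (name.lower() in EXECUTIVES and domain != COMPANY_DOMAIN):
        flags.add("altered_address")
    text = body.lower()
    for flag, pattern in PATTERNS.items():
        if re.search(pattern, text):
            flags.add(flag)
    return sorted(flags)

def needs_callback(from_header, body):
    """Hold for phone or in-person verification: a payment ask plus any other flag."""
    flags = red_flags(from_header, body)
    return "unusual_payment" in flags and len(flags) >= 2

# Constructed sample messages (From header, body); not real mail.
SAMPLES = [
    ("Jane Doe <jane.doe@examp1e.com>",
     "I need you to buy 5 gift cards today. Keep this between us and "
     "email me the security codes."),
    ("Jane Doe <jane.doe@example.com>",
     "Please review the attached budget before Friday's meeting."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, red_flags(sender, body), needs_callback(sender, body))
```

Keyword matching of this kind will miss well-written messages, so it supplements the call-back rule rather than replacing it.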

Both risks

BEC schemes exploit both technological weaknesses and human foibles. Make sure you’re addressing both risks. Contact us for help evaluating your internal controls.

© 2024
