How Can Banks Help Customers Stop BEC?

by Chris Bedel | Mar 20, 2017

We’ve all heard about BEC, and many of us have seen it impact our financial institutions firsthand. Business Email Compromise (BEC), also known as “whaling” or “CEO Fraud”, is a form of spear phishing that has been the source of billions of dollars of fraud to date. It involves fraudsters impersonating executive management in an organization, either by taking control of an executive’s email account or by creating a look-alike account on a free webmail service (such as Gmail or Yahoo). The impersonated emails then typically ask internal employees to send out sensitive data or to wire large sums of money.

And though BEC can affect banks and credit unions directly, the purpose of this post is to ask the question: How do we help our customers avoid a scheme of this nature?

It’s an important one to answer because of the reputational and financial implications when a situation like this arises. Community banks are often left holding the bag when BEC results in wire fraud, regardless of who’s actually to blame. And because of the push to make wires easier for business customers, this is becoming a more frequent occurrence.

To avoid this, many banks have verification procedures for wire requests coming through cash management portals and conventional wire transfer channels (including out-of-band (OOB) confirmation, multi-factor authentication (MFA), and dual control), but that model relies on the assumption that the person initiating the wire is legitimate.

While you could easily make the argument that the typical controls in place are “good enough” and that the customer has to be responsible for their own actions, this approach leaves the door open to some finger pointing if your customer does fall victim to a BEC attack (right or wrong).

I believe that to stop BEC we have to take things a step further. Evolving the current level of awareness training for business customers is what will be most effective in combating BEC.

Here are some ideas for doing just that:

  1. Be sure you talk to your cash management (and other business) customers and make them aware of BEC, and that email by itself cannot be trusted for something like a wire transfer request.
  2. Help your business customers establish a culture of verification. This has to come from executive leadership and should set the tone that it is OK to delay a transaction or request if the user feels that something “just isn’t right”. It also means that leadership is approachable and helpful when a questionable situation does arise.
  3. Suggest that your business customers’ finance departments operate like your bank’s wire transfer department for all electronic monetary transactions. Encourage them to verify ALL internal and external requests for sensitive information or monetary transactions through an out-of-band channel of communication (e.g. phone call, text message, face-to-face), using contact details they already hold rather than those supplied in the request.
  4. Review your cash management contracts with your customers: explain where the handoff of responsibility is and why the control requirements are in place.
  5. Consider including a question in the wire request or call-back verification process that asks your business customers, “Have you verbally verified this transaction with the requestor?”
