Attackers are increasingly targeting the accounts payable (AP) department, working to build rapport and trust with AP personnel before launching an attack. The scam, in which emails impersonate legitimate vendors and employees, primarily targets enterprises that wire funds to local and overseas suppliers. In a few cases, business email compromise (BEC) fraud even involves paper checks.
Statistics show that the United States ranks first in the number of companies affected by BEC, accounting for 37.4 percent of global BEC incidents; 3.3 percent of Canadian businesses were affected during the measured period. The Federal Bureau of Investigation (FBI) also found that the scams cost victims a total of $26 billion in losses over three years. The FBI’s Internet Crime Complaint Center reports more than 1,200 complaints of BEC fraud in Canada between 2016 and 2019. Cybercriminals targeted more than 85 percent of companies with at least one BEC attack.
BEC fraud takes a distinctive approach, tailoring the pretext to the targeted victim so that the request appears legitimate. Some common forms of BEC include:
- A CEO instructing the CFO to wire funds to an account
- A vendor requesting that AP personnel send payments to a different bank account
- An executive seeking employee tax information from HR
- A senior employee asking to have their salary deposited in a new account
The Increased Focus of BEC Attacks on Finance
The underlying reason BEC attacks have shifted from the C-suite to AP departments is increased awareness among company executives. Cybersecurity reports and media coverage focus heavily on BEC fraud targeting CEOs, CFOs, COOs, and CIOs, which has made those targets highly aware of the threat. Consequently, C-suite executives are better able to recognize and resist attacks that depend on human rather than technical weaknesses.
Regardless of a company’s size, the AP department handles all enterprise payments outside of payroll, including bills and invoices. Many companies lack a proper way of verifying whether vendor invoices are legitimate; some operate without any policies or procedures for such checks. Attackers use BEC scams against AP teams that deal with hundreds and, in some instances, thousands of third parties. Threat actors impersonating vendors have discovered that junior employees can initiate the process of making large payments. COVID-19 remote working measures have increased the risk of BEC and supplier fraud targeting B2B payments. For example, researchers have found a BEC message stating, “Wire/beneficiary bank details have changed because of coronavirus.”
How BEC Occurs in AP Departments
Attackers use email exchanges to communicate with AP employees, just like the many vendors and suppliers that send quotations and invoices to the department. BEC attacks rely heavily on social engineering to collect corporate email addresses of employees and executives from publicly available sources, or by spoofing or stealing contacts through keyloggers and phishing attacks. Bad actors may also infiltrate an organization’s email server to identify vendor invoices, then set up similar-looking email addresses to trick AP employees into changing payment procedures.
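The look-alike vendor addresses described above can be screened mechanically on the receiving side. The following is an added example, not code from the original article: it checks the sender domain of an invoice email against a constructed allowlist of approved vendor domains, flags near matches (homoglyph swaps or a small edit distance), and flags a Reply-To that points somewhere other than the From domain. All vendor domains and message headers are constructed for the example.

```python
import re
# Constructed allowlist of approved vendor sender domains (hypothetical values).
APPROVED_VENDOR_DOMAINS = {"acme-supply.example", "northwind.example"}
# Character swaps commonly used to build visually similar domains.
HOMOGLYPH_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Collapse common homoglyph substitutions so look-alikes compare equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPH_SWAPS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a header such as 'Acme Billing <ap@acme-supply.example>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    return m.group(1).lower() if m else ""


def classify_domain(domain: str, approved=APPROVED_VENDOR_DOMAINS) -> str:
    """Return 'approved', 'lookalike of <vendor>' or 'unknown' for a sender domain."""
    if domain in approved:
        return "approved"
    for good in approved:
        if normalize(domain) == normalize(good) or edit_distance(domain, good) <= 2:
            return f"lookalike of {good}"
    return "unknown"


def screen_message(headers: dict) -> list:
    """Return the BEC indicators found in one message's From / Reply-To headers."""
    findings = []
    from_dom = sender_domain(headers.get("From", ""))
    verdict = classify_domain(from_dom)
    if verdict != "approved":
        findings.append(f"From domain {from_dom!r}: {verdict}")
    reply_dom = sender_domain(headers.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain")
    return findings
```

A non-empty result from `screen_message` is a cue to hold the payment change and verify it through a channel other than the email thread.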
Responding to BEC Attacks in AP Departments
Eliminating BEC fraud risk requires the AP department and other parties to a financial transaction to focus on email security, financial controls, communication, and cybersecurity controls like passwords, multi-factor authentication, and encryption.
1) Awareness Training: Technological controls have limited effect against BEC fraud, which targets employees and business owners rather than systems. Because the attack depends mostly on human vulnerabilities, organizations counter it with knowledge and understanding of human cyber-defense. They should therefore run security awareness training to develop a culture of security in AP departments. AP employees should use phone verification or a secondary sign-off by vendor personnel to confirm requests for payment transfers or changes to supplier details.
2) Develop Adequate AP Policies and Procedures: Together with security experts, AP teams can develop, implement, and update policies and procedures for their operations and vendor approval process. State and agency regulations and standards form fundamental ingredients of these policies. The policies should give clear instructions on payment and pre-payment processes, the stages at which organizations’ security lapses occur. AP departments should also treat requests to change payment details as potential threats.
3) Threat Intelligence Sharing: In case of a suspected BEC attack in the AP department, the person in charge should contact their bank to suspend pending payments and report the incident to authorities such as the Canadian Anti-Fraud Centre. Victims can also report fraud cases to BBB Scam Tracker, which investigates incidents and warns others about them.
4) Cybersecurity Measures to Prevent BEC: For their part, organizations should proactively deploy adequate cybersecurity policies. The controls include data encryption, user identity and access management, password security, multi-factor authentication, secure e-signatures, and other tools that provide safe ways to verify AP transactions. For instance, a supplier can provide a unique identifier (key) that AP personnel use to authenticate the vendor before initiating a payment.
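One way to turn the vendor key mentioned above into a verifiable check, as an added example rather than anything from the original article: the vendor tags each payment-detail request with an HMAC-SHA256 over the fields that matter under a secret shared at onboarding, and AP accepts the request only if the tag matches, the request is fresh, and its nonce has not been seen before. The vendor registry, field names, time window and request values are constructed assumptions.

```python
import hmac
import hashlib
import json

# Constructed vendor registry: one secret per approved vendor, exchanged out of
# band at onboarding (hypothetical values; keep real keys in a secrets store,
# never in the mailbox an attacker may already be reading).
VENDOR_KEYS = {"V-1001": b"constructed-acme-secret", "V-2002": b"constructed-northwind-secret"}
MAX_AGE_SECONDS = 600  # reject change requests older than ten minutes
SIGNED_FIELDS = ("vendor_id", "invoice_no", "amount", "beneficiary_account", "timestamp", "nonce")


def canonical(request: dict) -> bytes:
    """Serialize exactly the agreed fields in a fixed order so both sides sign the same bytes."""
    fields = {k: request[k] for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_request(request: dict, key: bytes) -> str:
    """Vendor side: tag the request with HMAC-SHA256 under the shared vendor key."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def verify_request(request: dict, now: int, seen_nonces: set) -> tuple:
    """AP side: accept a payment-detail request only if it is known, fresh, unique and signed."""
    key = VENDOR_KEYS.get(request.get("vendor_id"))
    if key is None:
        return False, "unknown vendor id"
    if abs(now - request["timestamp"]) > MAX_AGE_SECONDS:
        return False, "request expired"
    if request["nonce"] in seen_nonces:
        return False, "replayed request"
    # compare_digest avoids leaking the expected tag through timing differences
    if not hmac.compare_digest(sign_request(request, key), request.get("tag", "")):
        return False, "vendor key check failed"
    seen_nonces.add(request["nonce"])
    return True, "ok"
```

Because the tag covers the beneficiary account, an attacker who copies a genuine request and edits only the bank details fails the key check, and resending an unmodified request fails on the nonce.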
BEC scams remain at the top of security officers’ lists of concerns. In a volatile Internet computing environment, companies must understand their security posture and monitor their protection levels on an ongoing basis. ISA offers expert strategic advisory consulting on cybersecurity solutions that can help your organization stay ahead of cyber threats and incidents such as BEC fraud. Contact ISA today for a demo.