During this stressful period, more fraud schemes are taking advantage of the news headlines to prey on natural human anxieties.

If your business has not experienced payment fraud, you are in a small minority. Recent AFP research disclosed that 88% of companies interviewed were targets of cyber fraud in 2019.[1] I hope that this article will help every one of you to recognize some of the more common and dangerous attempts and know what to do and what not to do.

Important definitions

Phishing is a means by which fraudsters attempt to obtain sensitive information such as usernames, passwords, credit card numbers and the like – phishing is also used to plant malware on the device of a target. Primarily achieved via email, fraudsters present themselves as a known or trustworthy entity and use email content to entice the recipient to open an infected attachment or a link to a malicious website. Similar schemes conducted via SMS/text messaging are known as “smishing.”

Malware is shorthand for malicious software which consists of code developed by the criminals designed to intercept data, damage your systems or gain unauthorized access to a network. Types of malware include viruses, spyware, Trojans, and bots – dangerous software that you don’t want on devices used by your business.

Malware is typically delivered through a phishing email in the form of an infected attachment or a malicious website that, once clicked on or opened, executes the malware.

Social engineering may be the single biggest fraud threat that corporate treasury and accounts payable staff are facing today. It incorporates elements of malware, phishing and smishing and is based on manipulating people into performing actions or divulging confidential information that they should not. At its core, it manipulates the emotions of the target. While some social engineering fraud schemes are pretty easy to spot, other schemes, especially those targeting your business, can be sophisticated, calculated and convincing.

Exploiting the Coronavirus Pandemic

Today’s challenges have created ways for bad actors to more easily use phishing and social engineering to get their hands on your company’s funds. We've seen a sharp increase in phishing emails using coronavirus and associated themes in the subject line – such as local infection rates, treatments, PPE, and vaccines –purporting to come from trusted organizations, such as a prominent hospital or government agency. Anxious employees eager for information about the pandemic find the attachments and links in these emails very enticing and are targets for criminal behavior.

Companies are more vulnerable today because many are using non-standard operating processes and procedures as it has become necessary to adapt to non-traditional work arrangements. Many, if not all office staff are working from home. Employees responsible for payments activities likely do not have access to the same paper-based backup that you may typically require for payment requests. Similarly, there may be more manual work involved to initiate a payment compared to automated systems with built-in controls. As a result, in an attempt to keep the business running smoothly and minimize payments processing delays, employees may be tempted to shortcut standard controls at the precise time they should be doing exactly the opposite.

With so many of us now working from home, most of our business interactions are conducted via email – even more than usual. It’s to be expected that a crime which uses email as its primary attack vector, such email compromise (detailed below), has a higher likelihood of success in this environment.

The Scary Statistics

A recent survey conducted by the Association for Financial Professionals found that:

  • 88% of organizations reported that they experienced actual or attempted payments fraud.
  • 80% of organizations reported that they were exposed to social engineering fraud in the form of Business Email Compromise.
  • Of those organizations reporting that they were exposed to Business Email Compromise (BEC), 38% actually experienced a loss.[2]

In addition, more than 23,000 cases of BEC scams with victim losses of $1.8 billion were reported to the FBI in 2019.[3]

The financial losses to one company can be significant. It can be especially devastating now when cash flow is more important than ever to maintaining your business.

How Business Email Compromise Works

In all cases, BEC schemes begin with a criminal impersonating a known or trusted source. This could be a company executive, a supplier, an employee, or some other party that's known to the target. These criminals use a spoofed email account (an account that's made to look legitimate by using visual tricks in the email domain name or variation of the legitimate account) or, even more dangerous, they use a legitimate account that has been commandeered. The fraudster requests an urgent payment or changes to established payment instructions. .

Criminals get the information they need to identify potential targets and craft compelling email requests by:

  • Reading legitimate email traffic in a compromised mailbox.
  • Browsing the Internet and professional social media sites to discern who may be part of the financial hierarchy at an organization.
  • Sending spam emails with the hope of receiving out of office autoreplies which can provide them with valuable information about the targets backup work context and how long somebody will be out of the office.

There are a couple of ways in which a malicious actor can spoof an email account. First, the criminal can register an email domain that is a legitimate-looking variant of your email domain or that of the supplier the criminal is trying to impersonate. Let’s look at a fictitious example to illustrate how the works: Steel City Corp uses steelcitycorp.com as their email domain. Someone looking to impersonate emails from Steel City Corp could register steelcityco.com, or steelcity.com – and you might not notice that difference when reading an email.

Second, they can mimic legitimate sites using visual tricks. Let’s look at another fictitious example: abcsteelworks.com could be spoofed as abcsteelvvorks.com (the bad actor replaces the ‘w’ with ‘vv’) or abcstee1works.com (replacing the ‘l’ with the number ‘1’). There are other common substitutions such as interchanging ‘m’ with ‘rn’ ‘q’ and ‘g.’

People are fooled by these visual tricks every day and it's not because they aren’t astute or observant. It's because they’re expecting to see it correctly.

To pull off the scam, the fraudster needs to preserve an aura of secrecy. They don’t want the recipient of the email to discuss the request with others. So, the request is often positioned as a payment for a confidential reason, like an acquisition or important investment. In order to elicit an emotional response, the requestor will warn of some negative consequence for failure to act quickly.

The requestor will insist on communication via email. If the criminal is communicating from a spoofed or hacked email account, it's easy for them to maintain the impersonation since the target will never speak to the executive or trading associate whom the fraudster is impersonating.

And lastly, the requester will insist on immediate confirmation, again, typically via email, when the payment is executed. This allows them to quickly move the funds to a different account making it more difficult, if not impossible, to recover the funds.

Protection Strategies

To defend your organization against BEC threats, you must have procedures in place to:

  • Verify the authenticity of email payment requests or requests to change payment instructions.
  • Validate that request directly with the purported requester. The verification must be by direct contact with a known individual using a known telephone number. It is critical not to verify the payment via email or with the telephone number provided in the email.
  • Map out your payment workflows all the way back to the source of where the request enters your organization to make sure you've got the right controls in place to validate the payment throughout the chain.
  • Consider using an account verification service to match the beneficiary name for your payment with known information about the beneficiary account. Account verification services can help identify discrepancies between the beneficiary name on the payment account and your intended beneficiary so you can stop, verify and validate the information before releasing the funds.

Account Takeover

The term “account takeover,” for purposes of this article, generally refers to theft of our online banking credentials (your “account”), but broadly refers to the theft of any online credential you use for secured access.

Most account takeovers begin with a phishing attack which, as noted earlier, entices a user to open an infected attachment or visit a malicious website, leading to a malware infection. The malware can take the form of keystroke loggers, which can capture your online credentials and other sensitive information. Some malware strains redirect an online banking user to a fake site that looks identical to the legitimate online banking login page. When the unsuspecting user enters their credentials, the malware passes those credentials on to the criminal who uses them to log into the legitimate site.

How to Recognize a Malware Infection

One of the most noticeable signs of a malware infection that has redirected your online banking session is the use of “stall screens” to gather additional information the criminal needs to log in to the legitimate site and keep the user engaged on the imposter site. Stall screens typically will prompt the user for additional credentials, such as responses to security questions or one-time passcodes, or make a request to have another online banking user provide their login credential.

You may even be prompted to enter your contact information and then receive a phone call a few minutes later purporting to be from the bank asking you to answer your security questions or provide your token pass code.

Protecting Against Malware

You can protect your business from these tactics by:

  • Verifying the employees who initiate payments for your company using online banking are aware of these fraud schemes to pay attention to what's happening when they log into their bank portals.
  • Encouraging online banking users to be aware of normal login patterns so they can spot anything unusual and call the bank immediately.
  • Maximizing the use of the bank security features including an optional protection software called IBM® Security Trusteer Rapport™ which helps protect you against malware infections.
  • Continuing to talk with your treasury management officer or your banker who can review your current service mix and your use of security features to improve your protections.

Ready to Help

For more insights about risk and how PNC can help you defend your business, please contact your Treasury Management Officer or visit pnc.com/accountverificationservices to download a copy of our most recent Cyber Security Resource Guide or a Business Email Compromise infographic for quick reference.