BEC Fraud: The Rising Threat in Your Inbox
Mary Suddeth and Desmond Haygood
The rise of the internet’s information superhighway is not without drawbacks. One of the costliest is the advent of online fraud. The threat of internet fraud is real for individuals and businesses — old or young, big or small. In fact, over the past five years, the FBI received an average of more than 750,000 complaints of internet scams.[1]
It is common to hear of older individuals ‘falling for’ these online scams, but the reality is that anyone who communicates over email for business is also at risk. Cyberfraud criminals know the importance of email to business communication and transactions, and they are using that knowledge to their advantage. One report states that email is used for a wide range of business purposes, with the most common being internal and team communications (74%) and client communication (70%).[2] In fact, 91% of survey respondents said they use email to communicate with clients, and 61% prefer to use it more than any other form of communication.[3] Criminals know this, are targeting business email users and are doing so effectively, leading to large increases in email scams and fraud.
As artificial intelligence (AI) and other technologies emerged, threat actors were able to perpetrate more sophisticated, brazen business email compromise (BEC) schemes. One of the most common BEC scams is an email written in a manner that appears to make a legitimate request — typically involving money — from a colleague or business contact. For example, the email appears to be a CEO or CFO asking an employee to wire money or a vendor asking for payment to a new bank account. In 2023 alone, the FBI received over 21,000 BEC complaints with adjusted losses over $2.9 billion, compared to losses of $1.8 billion in 2019.[4]
Financial data is the holy grail for business email fraud.
Given the volumes of financial information, sensitive data, and account access employees within the financial services industry have, it is not surprising that the industry is more often targeted for BEC fraud than any other. According to cloud email security company Abnormal Security, in 2023 there was a staggering 71% increase in BEC attacks against the financial services industry.[5] Equally concerning is that the data also shows the median open rate for text-based BEC attacks was almost 28% and that an average of 15% received replies.[6]
Wire transfers and automated clearing house payments present unique fraud risks.
The internet set the precedent for instant gratification. This “right-now” environment is particularly dangerous for the payments and finance sectors, where cybercrime is an inherent risk. Given their transactional speed, it is not surprising that wire transfers and Automated Clearing House (ACH) payments are the most popular forms of money transfer. However, these tools are also vulnerable to BEC fraud. ACH transactions are trackable for 24 hours — that is, if the victim even detects the fraud that quickly. Once the funds in a wire transfer leave the initiating institution, by contrast, that bank has no way of tracking them or retrieving them for the account holder.
Nacha guidelines will expand ACH transaction protections.
Cybercriminals and the technologies they use are becoming more sophisticated. Financial institutions seeking assistance to prevent ACH fraud will receive welcome relief. Nacha recently announced rules that will aid financial institutions in detecting ACH-based fraud and recovering funds. Guidelines, effective October 1, 2024, permit Originating Depository Financial Institutions (ODFIs) to submit return requests for any reason and require Receiving Depository Financial Institutions (RDFIs) to provide a return request status to ODFIs within 10 banking days. While RDFIs are not required to return the requested funds, they must notify the ODFI within the designated time.
Collaborate with a trusted partner to mitigate BEC risks.
A strong relationship with your bank can serve as a critical line of defense in preventing and mitigating BEC fraud attacks. For example, banks can assist with monitoring suspicious activity, verifying requests for changes to vendor or employee payment information and working with law enforcement in business email fraud cases.
In addition, most banks offer fraud mitigation solutions such as positive pay, which verifies check and ACH payments before they are processed. They can also provide education and real-time updates on emerging fraud trends to help businesses stay ahead of potential threats.
Adopting a sound risk management strategy and working closely with a trusted financial institution can help prevent falling victim to a BEC scam and ensure secure financial operations.
For more information on how Synovus can help your organization mitigate BEC fraud, complete a short form and a Synovus Treasury & Payment Solutions Consultant will contact you with more details. You can also stop by one of our local branches.
Mary Suddeth is Director of Business Development, Treasury & Payment Solutions, at Synovus Bank
Desmond Haygood is Government Solutions Relationship Manager at Synovus Bank
1. Federal Bureau of Investigation, “Internet Crime Report 2023”
2. Ideagen, “Just In: Email Dominates Business Communication but Kills Productivity,” January 8, 2021
3. Ibid.
4. Federal Bureau of Investigation, “Internet Crime Report 2023”
5. Abnormal Security, “Financial Services Organizations Experience 1375 Increase in Vendor Email Compromise in 2023,” January 17, 2024
6. Ibid.