Automated Clearing House fraud (ACH fraud) is a growing trend among hackers who steal money from business bank accounts. You probably know that… but did you know you could lose your money because your business bank account doesn’t have the same protections as a personal bank account?
This probably comes as a total surprise. The thought that a hacker can take money from your business account and the bank is not responsible for getting it back is very unsettling. If you are skeptical, contact your banking institution directly and ask what its policy is on refunding money stolen from your business account. Many people think the FDIC protects them from fraud; it doesn’t. It protects depositors against bank insolvency, not against fraud. Because of this misconception, money is often stolen from business checking accounts without the victims even being aware of it until it is too late.
Most small businesses use ACH and online banking, and that creates a standing opportunity for cybercrime. According to the FBI, approximately 1 billion dollars was stolen from small business accounts in 2011, although not all of it through BEC-related crime. In late 2013, the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams. At that time, its compiled statistics showed that more than 7,000 U.S. organizations had been victims of BEC, with losses of over $740 million; this did not include foreign-located U.S. businesses or losses not reported to the FBI.
According to Kaspersky Lab, in 2015, there were 1,966,324 registered reports about attempted malware infections designed for money theft by gaining online access to bank accounts. As we can imagine, some of these attempts were successful.
BEC in numbers
According to the FBI, this type of cybercrime has affected businesses in every U.S. state and in 100 other countries, with the majority of fraudulent transfers going to banks in China. The BEC scam continues to grow and to affect businesses of all sizes at an alarming rate. Since January 2015 alone, there has been over a 1,300% increase in identified exposed losses, meaning both actual and attempted losses.
Based on FBI IC3 reports, here are some shocking numbers:
Domestic and international victims: 22,143
Combined exposed dollar loss: $3,086,250,090
The following BEC statistics were reported in victim complaints to the IC3 from October 2013 to May 2016:
Domestic and international victims: 15,668
Combined exposed dollar loss: $1,053,849,635
• Total U.S. victims:
• Total U.S. exposed dollar loss:
• Total non-U.S. victims:
• Total non-U.S. exposed loss:
Beware of these top 5 Business Email Compromise Schemes
“BEC Schemes” – sometimes also referred to as “Man in the Middle” – have contributed to a significant rise in cybercrime in 2015, with several versions popular among criminals. BEC is defined as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
Please get familiar with the BEC schemes below so you can be more vigilant in protecting your business accounts. We also recommend sharing this information with your employees and colleagues.
1. The Invoice Scheme
Scheme concept: an email that appears to come from a vendor requests that funds for an invoice payment be wired to a specific (fraudulent) bank account. This scheme is also known as “The Bogus Invoice Scheme,” “The Supplier Swindle,” and “Invoice Modification Scheme.”
How it works: A business receives a request to wire funds for an invoice payment. The request may be made via telephone, fax, or email. If it comes by email, the fraudster spoofs the sender address so that it appears very similar to the legitimate account, and only very close scrutiny reveals it as fraudulent. Likewise, a fax or telephone call will closely mimic a legitimate request.
2. CEO Scheme
Scheme concept: An employee transfers money to another financial institution on a fake request from the company’s CEO or another executive received via email. This scheme is also known as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Fraud.”
How it works: The email accounts of business executives (CFO, CTO, etc.) are spoofed or hacked. A request for a wire transfer is then sent from that email address to another employee within the company who normally processes requests and payments from executives, typically someone in Accounts Payable.
In a modified version of this scheme, criminals with access to an executive’s email account identify established financial-institution contacts in that account’s contact list and send the wire request from the compromised address directly to the financial institution, asking it to send funds to a specific (fraudulent) bank for a stated reason.
3. Vendor Scheme
Scheme concept: vendors receive requests to pay invoices to fraudulent accounts from the compromised email account of a business employee.
How it works: An employee of a business has his or her personal email account hacked. Requests for invoice payments to fraudulent bank accounts are then sent from that account to multiple vendors identified from the employee’s contact list. The business may not become aware of the fraudulent requests until its vendors contact it to follow up on the status of their invoice payments.
4. Authority Impersonation
Scheme concept: The victim is contacted with urgent requests from fictitious legal representatives to wire money to certain financial institutions.
How it works: This scheme often occurs at the end of the business day or work week; it may also be timed to line up with the daily closing time of international banks and financial institutions. Victims are contacted by cybercriminals who most often falsely identify themselves as lawyers, representatives of law firms, or other business executives. Businesses may be contacted either by phone or via email. Fraudsters claim to be handling personal, confidential, or time-sensitive matters, request to transfer funds in secrecy, and pressure victims to act quickly.
5. HR Data Scheme
Scheme concept: The victim receives a fraudulent email requesting either all Wage and Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII).
How it works: These fraudulent requests are typically sent during tax season, yet they do not appear to be connected to other types of tax scams. An employee responsible for W-2 forms and other PII documents, in the HR, bookkeeping, or auditing department, receives a bogus request for that paperwork from a compromised HR or business-executive email address. This often happens prior to a traditional BEC incident.
If you suspect that you or your business has been the victim of BEC or online fraud, you may file a complaint directly with the FBI Internet Crime Complaint Center (IC3).
7 Practical Tips For Protecting Your Business from Bank Fraud:
- Remember to always archive or destroy copies of checks and paperwork that contain the only two pieces of information criminals need to steal money through ACH fraud: your business checking account number and your bank routing number.
- Only use a business debit card for POS purchases you make in person, and never use debit cards for online transactions.
- Have a dedicated PC for online banking and DON’T use that PC for accessing any other websites, e-mail, or social media, or for downloading files and applications.
- Set up e-mail alerts on your account so you are notified whenever money is withdrawn from your business account. The FASTER you become aware of any fraudulent charges, the better your chances are of stopping the hacker. If you contact the bank IMMEDIATELY, you have a high probability of keeping your money.
- Always require YOUR signature for all wire transfers.
- Divide and conquer: split your money into several accounts to minimize the risk of fraud. Consider using a separate checking account for paychecks and online bill pay.
- Have professional, reliable cybersecurity protection, not just for the PC dedicated to banking but for your entire business computer network.