Business email compromise (BEC) is one of the most financially damaging online crimes today, according to the FBI. In fact, BEC attacks are at the top of the Forbes list of the biggest cybersecurity threats for 2023.
These scams exploit the fact that so many of us rely on email to conduct business today. In a BEC scam, cybercriminals send fraudulent emails carrying a seemingly legitimate request that appear to come from a trusted source such as a company executive, employee or vendor. Examples include a vendor who sends an invoice with an updated mailing address or a homebuyer who receives a message from their title company with instructions for wiring their down payment.
BEC scams rely on social engineering to create a sense of urgency and manipulate victims into acting quickly. They typically ask the recipients to transfer funds, making the payouts on these scams highly attractive for cybercriminals. According to the most recent report from the FBI’s Internet Crime Complaint Center, BEC-related losses totaled nearly $2.4 billion in 2021.
Here are a few BEC scams that CPA firms need to know:
Tax season BEC scams
As the Internal Revenue Service (IRS), state tax agencies and the tax industry gain headway in thwarting identity theft, cybercriminals are forced to gather more and more data to impersonate real taxpayers. The IRS recently warned businesses and payroll service providers about a particularly dangerous BEC scam that involves Form W-2/SSN Data Theft.
Calling it one of the most dangerous phishing emails facing the tax community, the IRS explains how the scam works: Cybercriminals identify chief operating officers or others in positions of authority and pose as these executives to send emails to payroll personnel requesting copies of Forms W-2 for all employees. The cybercriminals then use the employees’ names, addresses, Social Security numbers, income and withholdings to file fraudulent tax returns or post the information for sale on the dark net. Other deadline-sensitive activities that are popular targets for BEC attacks include tax filings, benefits enrollment periods and upcoming audits.
Supply chain BEC scams
A Toyota auto parts supplier became the poster child for BEC attacks in 2019 due to the company’s high profile and its massive payout. The case also showed how social engineering can bypass even the most sophisticated security programs by targeting people instead of infrastructure.
The attackers contacted the finance and accounting department of a Toyota subsidiary posing as a legitimate business partner and convinced someone with financial authority to change account information on an electronic funds transfer. They also created a sense of urgency by claiming the transaction needed to be completed quickly to avoid slowing down production. It worked. The company transferred more than $37 million in a parts order to the scammers.
Gift card-related BEC scams
Gift card scams have long been popular with cybercriminals because the cards operate like cash. And while the money they make from these scams is substantially less than from wire transfers, there is a higher probability of success because the amount is often small enough to evade a company’s financial controls. In fact, a 2020 examination of BEC attacks by the Anti-Phishing Working Group found that 66% involved gift cards. By contrast, bank transfers made up 18% of attacks, followed by payroll diversions at 16%.
In a typical scenario, the attackers impersonate a trusted person like the CEO who asks the targeted victim to purchase and send them multiple eGift cards for a work-related function or other special occasion. One recent gift card scam targeted Jewish temples and synagogues. The cybercriminals impersonated rabbis in emails and asked congregants to purchase gift cards for a fundraiser and send them pictures of the serial numbers.
How To Protect Your Firm From BEC Scams
- Employee training and education are essential to minimizing the risk of becoming the victim of a BEC scam. Make them aware of social engineering threats and train them to spot fraudulent email.
- Don’t click on anything in an unsolicited email or text message that asks you to update or verify account information. Contact the company directly to determine if the request is legitimate.
- Carefully examine the email address, URL and spelling used in any correspondence. Scammers use slight variations to trick victims into thinking fake accounts are authentic and gain their trust. For instance, [email protected] vs. [email protected].
- Verify payment and purchase requests in person, if possible, or by calling the contact to make sure it is legitimate. This includes any change in account number or payment procedures.
- Be especially wary if the requestor is pressing you to act quickly.
- Make sure your IT infrastructure is protected. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is then used to time requests or send messages so accountants or financial officers don’t question payment requests.
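As an added example that is not part of the original article, the following Python check turns two of the points above into code: it flags a sender domain that is only a slight variation of a trusted vendor's domain, and it flags a known executive's display name appearing on an outside address. The trusted domains and executive directory are constructed placeholders, not real organizations.

```python
# Added example (not from the original article). The allowlist and the
# executive directory below are constructed placeholders.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"examplecpa.com", "acme-parts.example"}   # assumed vendor/company allowlist
EXECUTIVES = {"jane doe": "jane.doe@examplecpa.com"}         # assumed name -> real address

# Common look-alike substitutions, folded before comparing domains.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain: str) -> str:
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in LOOKALIKES:
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header: str) -> list:
    """Return BEC warning strings for one From: header ([] when nothing is suspicious)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    if domain in TRUSTED_DOMAINS:
        return warnings                      # exact match to an allowlisted domain
    # 1. Look-alike domain: equal after folding, or one added/dropped/swapped character away.
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            warnings.append(f"lookalike domain {domain!r} resembles trusted {trusted!r}")
    # 2. Display-name impersonation: an executive's name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        warnings.append(f"display name {name!r} used with outside address {addr!r}")
    return warnings

if __name__ == "__main__":
    # Constructed sample headers: one genuine, three in the patterns the article describes.
    for hdr in ("Jane Doe <jane.doe@examplecpa.com>", "Jane Doe <jane.doe@gmail.example>",
                "Accounts Payable <ap@examp1ecpa.com>", "Billing <billing@acme-partss.example>"):
        print(hdr, "->", check_sender(hdr) or "ok")
```

A check like this belongs in the mail gateway or a rule in the mail client, so that the warning appears before the recipient acts on the request.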
Data from the Association of International Certified Professional Accountants (AICPA) cites an alarming 80% increase in reported data breaches by CPA firms between 2014 and 2020. To keep pace with the growing number of large-scale data breaches, including threats such as BEC scams, the Federal Trade Commission (FTC) recently amended its Safeguards Rule.
The stronger regulations – most of which took effect on June 9, 2023 – require covered financial institutions to develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect customer information. The rule defines a "financial institution" as any business that engages in financial activity, meaning accounting firms must comply.
Now, more than ever, CPA firms need to understand the different types of infrastructure protections and testing that are necessary to fully assess their risk from cybersecurity threats and take steps to mitigate them. This includes regular penetration testing to monitor and assess the effectiveness of their information security safeguards.
Coaxis Hosting is an endorsed program for the FICPA that provides CPA firms with a fully hosted and managed network solution designed to remove the complexities of federal and industry compliances, curb the demands of maintaining an IT infrastructure, and greatly minimize the threat of cybercrime. The company partners with SXIPHER, a leading ethical hacking company that supports clients in shifting from a defensive to an offensive posture by providing in-house penetration tests. To learn more, visit www.coaxiscloud.com/ficpa or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or [email protected].