In a little-known story that ran in some local newspapers in May of 2022, a snack and sweets manufacturing firm was duped out of over INR 43 lac, the rough equivalent of USD 55,250. This is by no means a small amount for an SME in India. An official of the firm, Siddhivinayak Agri Processing Pvt. Ltd., lodged a complaint with the Wakad Police in Pune, and a case was registered under section 420 of the IPC and relevant sections of the IT Act.
Here is what transpired. The food processing firm had ordered a conveyor machine from the US-based vendor Cablevey Conveyors. The former made a payment for the consignment to a bank account with a private bank located in Rockwall in the US. So, what went wrong? The payment had been erroneously made to a scammer. The Pune-based firm received an email from the ‘supplier’ requesting that the payment be made to a different account number than usual, due to some ‘problems’ with the usual bank account. The officials suspected something was amiss and asked for the invoice copy along with the stamp and signature. And voilà, the scammers were able to furnish it. After the officials checked the document, a payment was issued. Sadly, it turned out that the payment was sent to the scammers, who were orchestrating the whole scheme through the US vendor’s hijacked email.
Business Email Compromise, or BEC for short, is a scam targeting businesses or individuals who work with suppliers and/or regularly perform large-value wire transfer payments. Fraudsters carry out these sophisticated scams by compromising email accounts or other forms of communication, such as phone numbers and virtual meeting applications, through social engineering or computer intrusion techniques, in order to conduct unauthorized transfers of funds. As part of this modus operandi, the scammer typically ‘watches’ the legitimate traffic of a compromised business email account for a big order or contract. When the time is right, he/she swoops in, sends and receives emails to take control of the conversation about a potential inbound payment, and then fraudulently redirects that payment to their own account. The manipulation invariably includes covering tracks: deleting the sent emails, changing the contact details in the mail signature by a digit here or there to ensure there is no contact between the email owner and the victim, and similar underhand tactics to stay under the radar.
As per the FBI’s Internet Crime Report for 2022, BEC was the second largest cybercrime in the US in terms of losses to victims, at close to $2.7 billion, a not-so-distant second to investment fraud (no surprises there). To give more context to that number, the loss to victims from, say, all of SIM swap fraud was $72.6 million for the same year, as per the FBI reporting. So BEC as a crime bucket is staggeringly large, and what’s worse is that it has been growing consistently from year to year since 2019. Any dent we can put in a number that big would be worthwhile.
Here I have quoted the story of just one business in India. In the US, however, BEC is unfortunately far more common and has swept away several thousands of small businesses, home buyers, property investors and retired pensioners through such scam wire schemes. There were almost 22 thousand victims of this crime in 2022 alone. So, one can see that the loss per victim exceeds $125,000 on average, enough to wipe out a middle-class home buyer’s nest egg. And note, that’s just an average. I have unfortunately borne witness to far more heart-breaking cases. The real estate sector, given the size and frequency of its large wires, is particularly juicy to scammers.
There are of course many issues here to solve. First, wire payments to the wrong party are not easily spotted, as the receiver information is not directly verifiable by the originator. Second, once the money is wired, it is quickly exited into cryptocurrency assets, making recovery by LEAs virtually impossible. Third, since these payments are made by an individual or business whose own credentials are not compromised, the bank’s job of detecting the fraud becomes infinitely harder.
When I managed strategy for this sort of fraud in a bank, this used to be my most common case study for interview questions. I got lots of good suggestions, like ‘hey, we should place a warning on the add recipient page’, or ‘maybe we should ask if a recent payment instruction change has been made’, or ‘how about we add recipient information for verification’. The one thing I think is a very simple, small step that all title companies, attorneys, or just all businesses in general can easily take without a major investment is this: send a simple public service announcement to all employees, customers and third parties saying “We do not plan on making any changes to our payment instructions or processes. If you receive a change in payment instruction or an unexpected payment request from us whether via email, virtual meeting platforms, or audio by any of our executives, please call the number in your record previously used by you to communicate with us to confirm the instruction. Thank you.” If all businesses did this, maybe we could stop many unsuspecting businesses from getting wrecked and household savings from getting wiped out.
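The two warning signs described above, a changed account number and a signature phone number altered by a digit, can be checked against the vendor record before a wire is released. This is an added example, not part of the original article; the record layout, function names and all sample values are constructed assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class VendorRecord:          # hypothetical vendor master entry
    name: str
    account: str             # bank account number on file
    phone: str               # number previously used to reach the vendor

def digits(value: str) -> str:
    """Strip formatting so '+1 (555) 010-0148' and '+1 555 010 0148' compare equal."""
    return re.sub(r"\D", "", value)

def is_lookalike(seen: str, on_file: str, max_diff: int = 2) -> bool:
    """Same length, but differing in one or two digits ('a digit here or there')."""
    if len(seen) != len(on_file):
        return False
    diff = sum(a != b for a, b in zip(seen, on_file))
    return 0 < diff <= max_diff

# Phone numbers on signature lines such as 'Tel: ...' or 'Phone: ...'.
SIGNATURE_PHONE = re.compile(r"(?im)^(?:tel|phone|mobile)[.:]?\s*([+\d][\d ().-]{7,})")

def review_request(vendor: VendorRecord, requested_account: str, email_body: str) -> dict:
    """Return findings and the on-record number to call before paying."""
    findings = []
    if digits(requested_account) != digits(vendor.account):
        findings.append("account_changed")
    on_file = digits(vendor.phone)
    for match in SIGNATURE_PHONE.findall(email_body):
        seen = digits(match)
        if seen == on_file:
            continue
        findings.append("phone_lookalike" if is_lookalike(seen, on_file) else "phone_unknown")
    # Always call back on the stored number, never on one taken from the email.
    return {"hold": bool(findings), "findings": findings, "callback": vendor.phone}

# Constructed sample data (fictional vendor, 555-01xx numbers).
VENDOR = VendorRecord("Example Conveyors Inc.", "1122334455", "+1 555 010 0148")
SUSPICIOUS_EMAIL = """Hello,
Due to problems with our usual bank account, please wire to account 9988776655.
Regards, Accounts Team
Tel: +1 (555) 010-0143
"""

if __name__ == "__main__":
    print(review_request(VENDOR, "9988776655", SUSPICIOUS_EMAIL))
```

A held request is released only after someone reaches the vendor on the `callback` number, which comes from the stored record rather than from the message under review.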