#Workplace #Human Resources #Employer

A BEC Scam Cost a Local Company Over Half a Million Ringgit

by Mohamad Danial bin Ab. Khalil
Feb 20, 2021 at 5:47 PM

A local company lost over half a million ringgit after a scammer posed as one of its suppliers. The scam technique is known as business email compromise (BEC).

The complainant said that the company had received an email from a supplier asking them to make payment to a different bank account as there was an issue with their original bank account.

After making the payment, the company then received another email from the supplier, stating that they had not received the payment. The supplier also denied sending the original email or changing its bank account. 

As a result, the company suffered losses worth RM741,254. State police Commercial Crime Investigations Department chief Asst Comm Mohd Salleh Abdullah urged the public, specifically those managing company finances, to be cautious when communicating via emails. 

According to him, the public should:

  1. Check through phone calls before making any transactions,
  2. Ensure that the bank account belongs to the actual recipient,
  3. Avoid clicking on any suspicious emails, as they may contain malware, and
  4. Use the police's "Semak Mule" online application and website to check accounts used by scammers before making a payment.


What is Business Email Compromise?

Business Email Compromise (BEC) is a scam that targets businesses working with foreign suppliers and companies that regularly pay by wire transfer. These schemes compromise official business email accounts in order to carry out unauthorised fund transfers.


How does BEC work?

This scam usually starts with an attacker compromising a business executive's email account. The attackers gain access through keylogger malware or phishing: they register a domain that closely resembles the target company's, or send a spoofed email, to trick victims into handing over their account details.

After monitoring the compromised email account, the scammer works out who initiates transfers and who requests them. The scammers usually research their targets and look for companies with a change in leadership in the finance function, or companies whose executives are travelling or leading an investor conference call. They use these moments as opportunities to carry out the scheme.

The BEC scam mostly depends on social engineering and does not need sophisticated system penetration. It differs from ordinary phishing in that BEC emails are sent individually rather than mass-mailed, so they are less likely to be flagged as spam.

Additionally, in BEC scams, the victims are tricked into doing the transfer for the scammer. The scammer would instruct the victims to act fast when transferring funds. 
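The lookalike domains and spoofed senders described above are something a finance mailbox can screen for automatically. The following is an added illustration (not code from the article or from The Star or Trend Micro) that parses a raw email, compares the sender domain against an allowlist of known supplier domains using edit distance, flags a Reply-To that points somewhere other than the From domain, and flags messages that ask to change bank details. The allowlist, the sample messages and the thresholds are constructed for the example.

```python
"""Screen supplier emails for common BEC indicators (added example, not from the article)."""
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist: domains the finance team has verified out of band.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Constructed sample messages in raw RFC 5322 form; none of these are real mail.
SAMPLE_MESSAGES = {
    "legit": (
        "From: accounts@acme-supplies.example\n"
        "To: finance@victim.example\n"
        "Subject: Invoice 4411\n\n"
        "Please find invoice 4411 attached. Payment terms as usual.\n"
    ),
    # Capital I in place of lowercase l: a classic lookalike domain.
    "lookalike": (
        "From: accounts@acme-suppIies.example\n"
        "Reply-To: accounts@acme-suppIies.example\n"
        "To: finance@victim.example\n"
        "Subject: URGENT: updated bank details\n\n"
        "We have changed our bank account. Please remit payment to the new account today.\n"
    ),
    # Genuine From domain, but replies are routed to an unrelated domain.
    "replyto": (
        "From: accounts@acme-supplies.example\n"
        "Reply-To: accounts@mail-relay.example\n"
        "To: finance@victim.example\n"
        "Subject: Invoice 4412\n\n"
        "Invoice 4412 attached, thanks.\n"
    ),
}

# Maximum edit distance at which a domain is treated as a lookalike of a known one.
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr_header) -> str:
    """Lower-cased domain part of a From/Reply-To header value ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def analyse(raw: str) -> list:
    """Return a list of human-readable findings for one raw email; empty means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    findings = []

    # 1. Sender domain that is not on the allowlist but is a near-miss of one.
    if from_dom not in KNOWN_SUPPLIER_DOMAINS:
        for known in sorted(KNOWN_SUPPLIER_DOMAINS):
            d = levenshtein(from_dom, known)
            if 0 < d <= LOOKALIKE_MAX_DISTANCE:
                findings.append(
                    f"lookalike sender domain {from_dom!r} resembles {known!r} (edit distance {d})"
                )

    # 2. Reply-To routed to a different domain than the visible sender.
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 3. Request to change payment bank details, the core of the bogus-invoice scheme.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + str(msg["Subject"] or "")
    text = text.lower()
    if "bank" in text and any(w in text for w in ("new account", "changed", "updated")):
        findings.append("message asks to change bank details; confirm by phone on a known number")

    return findings


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, "->", analyse(raw) or "no indicators")
```

The three checks are deliberately independent so that a finance team can tune each one: the edit-distance threshold catches single-character swaps such as the I/l substitution in the sample, the Reply-To comparison catches messages that spoof a real supplier address but harvest the replies elsewhere, and the bank-details check simply marks the message for the out-of-band phone verification the police recommend, regardless of whether the sender looks genuine.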


Five versions of BEC scams


1. The Bogus Invoice Scheme

Source: Trend Micro

This version typically involves a company that has an established relationship with a supplier. The scammer will ask to transfer funds for invoice payment to an alternate, fraudulent account through spoofed email, telephone, or fax.


2. CEO Fraud

The scammer identifies themselves as a high-level executive, lawyer, or other legal representative, claims to be handling confidential matters, and initiates a wire transfer to an account they control.

In a few cases, the fraudulent wire-transfer request is sent directly to the financial institution, with instructions to send the funds to a bank as soon as possible.


3. Account Compromise

In this version, an employee's email account is hacked and then used to request invoice payments to bank accounts the scammers control. The scammers send these requests to multiple vendors identified from the employee's contact list.

The business may not be aware of the scheme until a vendor follows up to check for the invoice payment status. 


4. Attorney Impersonation

The scammer contacts either the employees or the CEO and identifies themselves as a lawyer or a representative of a law firm. The scammer claims to be handling confidential and time-sensitive matters.

Usually made via phone or email, the scammer pressures the contacted party into acting quickly or secretly in managing the fund transfer. They typically conduct this scheme at the end of the business day or work week, when employees are preparing to clock out and thus vulnerable to panic. 


5. Data Theft

Source: Trend Micro

This scam involves the scammer compromising the email account of an employee in a specific role (typically human resources) and then using it to send requests, not for fund transfers, but for personally identifiable information about other employees and executives. This method serves as a jumping-off point for more damaging BEC attacks against the company itself.


Nowadays, we are even more vulnerable to scams, as many people work remotely. We should remind our staff to stay alert and verify messages before transferring company funds.


Sources: The Star, Trend Micro
