Protect yourself against BEC fraud

BEC fraud is not a term you hear every day. But according to the Public Prosecution Service in the Netherlands, BEC fraud is a growing concern. This email scam can cost you a lot of money – even if you run a small business. Learn more about BEC fraud and how to avoid it.

Cyber Magazine SECURE IT!

Cyber magazine SECURE IT! contains tips and information on how to secure your business online.

Read it

Early in 2021, a company from the Dutch town of Leimuiden made arrangements with a European supplier. After emailing back and forth, the company placed an order and received two invoices totalling €80,000. Until that point, it seemed like a normal business deal. In May 2021, the supplier contacted them to ask: ‘Where is the payment?’ It turned out the company from Leimuiden had not transferred the money to the real supplier, but to criminals. This was a real example of BEC fraud (in Dutch).

1. What is BEC fraud?

BEC stands for Business Email Compromise. Criminals use your business email traffic to scam you. There are different types of BEC fraud, but 2 things are almost always part of it: the criminals use email, and they pretend to be someone else.

CEO fraud

A well-known form of BEC fraud is also called CEO fraud. In this, an employee receives an email from ‘the boss’, asking the employee to transfer a sum of money. In the end, ‘the boss’ turns out to be a criminal who receives the money. A well-known example is the Pathé case in 2018 (in Dutch). The cinema chain unknowingly transferred a total of €19 million to criminals. And at the beginning of 2022, a Rotterdam steel company lost more than €11 million due to CEO fraud.

Invoice fraud

Another type of BEC fraud is invoice fraud. You get an invoice that you are expecting, but the account number on the invoice has been changed. The money you transfer does not go to your supplier, but to the criminal. Sometimes the criminals even write in the email that the company has a new bank account number. They then ask you to update the account number in your accounting system.

Spoofing

How do criminals convince you that the mail comes from your supplier? “It may be that the email address has been spoofed, or even taken over,” explains Koen Hermans. He works as a prosecutor for the Public Prosecution Service, and sees examples of BEC fraud every week.  “Then you cannot tell from the email address that the email actually comes from someone else. But we also see a lot of 'typosquatting'. That means the scammer changes a letter or number in the mail address. Nobody usually pays attention to that.” For example, if the real address is info@kvk.nl, the criminal might use info@kvk.nu. Or even @kvk.nI, where the last letter of the mail address is a capital ‘i’.

The moment you think ‘this is strange’, pick up the phone and call the sender.

BEC fraud and small businesses

According to Hermans, BEC fraud is also a danger to smaller companies and foundations. “One report I saw was from a company that had an annual turnover of around €200,000. Because of the fraud, that turnover was halved. So yes, BEC fraud can happen to companies that do not have millions in turnover.” In April 2021, the treasurer of a sports club (in Dutch) received a payment request from the chairperson by email. It asked him to transfer €3,500. When the treasurer called the chairperson, it turned out they had not sent that email. “The moment you think ‘this is strange’, pick up the phone and call the sender,” advises Hermans.

Financial losses

The actual losses caused by BEC fraud in the Netherlands are difficult to estimate, says Bert Feskens, a security expert at Security Delta HSD. “Few companies report cybercrime (in Dutch) because they fear reputation damage or are embarrassed. So we are dealing with underreporting.”

Preventing BEC fraud

These tips that will help you prevent BEC fraud:

  1. Put up technical barriers. For example, set up your accounting system in such a way that it is difficult to change an account number. Also make sure the security of your email system is in order, so it is more difficult for criminals to abuse your email address.
  2. Use the ‘four eyes principle’. Always have several employees look at invoices above a certain amount. Do you see something unusual? Then contact the supplier by phone to check the invoice. Never do this by email, as criminals may have hacked your mail server and intercept your email.
  3. Create an open company culture. If employees are not afraid to ask you questions and can give feedback, they are more likely to report a suspicious situation. So an open attitude toward your employees can also prevent BEC fraud.
  4. Pay extra attention during holidays. Criminals often strike when staffing levels are lower, during weekends or holidays.

Scammed, what next?

What should you do if you have been scammed through BEC fraud? Follow these steps:

  1. Call your bank immediately. Criminals usually move the money quickly to another account. But if you are in time, the bank may be able to transfer the money back to your account. 
  2. Contact your IT administrator, if you have one. Your email server may have been hacked. So, tt is good to have an expert look into it with you.
  3. Report it to the police. The police and the Public Prosecution Service can only take action when they are informed. If you do not report it, they cannot do anything against the criminals.
  4. Report the fraud to the Fraud Helpdesk. They warn other entrepreneurs.

Hackhelpdesk

Have you been hacked or do you think you have been hacked? On Hackhelpdesk.nl (in Dutch) you can find a step-by-step plan and practical solutions to prevent further damage. Also see the article Hacked, what to do? on Business.gov.nl.