Built on a combination of spearphishing, reconnaissance, and social engineering, business email compromise has become big business. The FBI just announced that criminals have attempted to steal over $5 billion thus far with this scheme. What is even more disconcerting, though, is that among small businesses this scheme isn’t anywhere near the top of their list of concerns, despite their losing $3.1 billion to fraud (according to Javelin’s last Small Business Fraud Report).

For the uninitiated, business email compromise involves a criminal posing as a legitimate employee within an organization, typically a senior executive, often after compromising that person’s business email account. The criminal will then leverage information known about the business, such as who it does business with, upcoming projects, and pending payments. They will use this information to make an internal request to the business’s accounting department to issue a payment, under false but convincing terms, to an account under the criminal’s control. For the business’s financial institution (FI), the ultimate payment request comes from a seemingly legitimate, authenticated source. And no one is the wiser, until it is too late.

But how is this the FI’s problem?  Woe be to the banker who considers this their client’s problem, expecting that their absence of any legal obligation to make their client whole affords the FI protection.  Small business relationships can be quite valuable, spanning any number of products, including cards, loans, and merchant services.  And yet, 1 in 4 cases of fraud motivates small businesses to switch FIs. 

So what are a banker’s options?

1. Educate your client
2. Institute more effective controls
3. Absorb the cost
4. Risk losing the banking relationship (and those of other profitable products)

It won’t be long until the FBI’s next report on business email compromise. By then many more businesses will have been defrauded, undermining the businesses themselves and the relationships they have with their FIs. So, what should bankers do? Knowing these facts, the choice is obvious. Bankers need to do the right thing and be the partners that their business banking clients have trusted them to be. There is no other option.


Author

About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Research Director and Head of Fraud & Security. As Research Director, Al leads Javelin’s Advisory Services and Custom Research businesses. He oversees growth of these businesses while ensuring that Javelin’s research content meets quality standards and provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing payment data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. Al also serves on the board of advisers to the Information Security Media Group. He earned a Bachelor of Arts degree in History from the University of South Florida.
