Built on a combination of spearphishing, reconnaissance, and social engineering, business email compromise has become big business. The FBI just announced that criminals attempted to steal over $5 billion thus far with this scheme. What is even more disconcerting, though, is that among small businesses this scheme isn’t anywhere near the top of their list of concerns, despite losing $3.1 billion in fraud (according to Javelin’s last Small Business Fraud Report).
For the uninitiated, business email compromise involves a criminal posing as a legitimate employee within an organization, typically a senior executive, often by compromising that person’s business email account. The criminal will then leverage information known about the business, such as who they do business with, upcoming projects, and pending payments. They will use this information to make an internal request to the business’s accounting department to issue a payment, under false but convincing terms, to an account under the criminal’s control. For the business’s financial institution (FI), the ultimate payment request comes from a seemingly legitimate, authenticated source. And no one is the wiser, until it is too late.
But how is this the FI’s problem? Woe be to the banker who considers this their client’s problem, expecting that the absence of any legal obligation to make the client whole affords the FI protection. Small business relationships can be quite valuable, spanning any number of products, including cards, loans, and merchant services. And yet, 1 in 4 cases of fraud motivates small businesses to switch FIs.
So what are a banker’s options?
1. Educate your client
2. Institute more effective controls
3. Absorb the cost
4. Risk losing the banking relationship (and those of other profitable products)
It won’t be long until the FBI’s next report on business email compromise. By then many more businesses will have been defrauded, undermining the businesses themselves and the relationships they have with their FIs. So, what should bankers do? Knowing these facts, the choice is obvious. Bankers need to do the right thing and be the partners that their business banking clients have trusted them to be. There is no other option.