The FBI’s cyber division has released an important alert to businesses across the United States warning that cybercriminals are impersonating construction companies and using business email compromise (BEC) to defraud businesses that have pre-existing relationships with those construction companies.
How the BEC fraud works
First, cybercriminals use online services to collect information on construction companies and their clients, including project costs and contact information.
Then, they register a domain that closely resembles the construction company’s domain (e.g., changing ABCD Corp. to ABCD Group or ABCD Inc.) and create email accounts attached to the new domain.
Finally, the cybercriminals send fraudulent emails to the construction company’s clients instructing them to update their automated clearing house (ACH) or direct deposit information — thereby redirecting the client’s payments from the legitimate construction company to the cybercriminals.
How to mitigate your risk
It can be difficult for victims to identify fraudulent requests. The cybercriminals tailor the email content using the information they’ve gathered. They use the legitimate construction company’s logo and signature line. And sometimes they even send initial emails to learn more about the victim’s ACH process to make it even easier to get the ACH information updated.
Businesses have also made it easier for cybercriminals to commit fraud. During the COVID-19 pandemic, many businesses have been so focused on simply surviving that they’ve taken on a lot more risk. For example, laying off back-office employees can reduce or even eliminate segregation of duties.
But it is possible to mitigate your business’s risk of falling for BEC fraud, and here are five common ways:
Segregate duties: Analyze your segregation of duties to make sure one employee cannot make ACH/direct deposit changes or run a transaction through the company without a secondary approval.
Use bill pay software: Bill pay software is valuable for a number of reasons, but we’re highlighting it here because it enables you to perform remote approvals, making it much easier to ensure there is always a secondary approval.
Enable positive pay: Positive pay — an automated fraud detection system used by financial institutions — is one of the best methods of stopping counterfeit checks. Just make sure you use four-factor authentication, not two-factor.
Train employees: Educate employees on common fraud schemes, how to recognize the signs and what steps to take.
Have a fraud prevention checkup performed: What risks is your business unknowingly taking? What can you do to reduce the risk of fraud and cybercrime? A fraud prevention checkup will identify risks and how to mitigate them.
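As an added illustration (not part of the FBI alert or Wipfli's advice), the following Python snippet shows how an accounts-payable mailbox filter could apply the lookalike-domain pattern described above together with the secondary-approval rule from the first tip: any message whose sender domain resembles a known vendor domain, or that asks to change ACH/direct deposit details, is held for a second approver. The vendor domains, suffix list and sample messages are constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Known-good vendor domains from the AP vendor master (constructed sample data).
VENDOR_DOMAINS = {"abcdcorp.com", "northbuild.com"}

# Company suffixes the alert says impersonators swap (Corp -> Group / Inc).
SUFFIXES = ("construction", "corp", "group", "inc", "llc", "co")

# Wording that signals a request to change where payments are sent.
CHANGE_PATTERN = re.compile(
    r"\b(ach|direct deposit|routing number|bank account|wire instructions)\b", re.I)

def base_name(domain):
    """Strip TLD, punctuation and a trailing company suffix: 'abcd-group.com' -> 'abcd'."""
    label = re.sub(r"[^a-z0-9]", "", domain.lower().split(".")[0])
    for suffix in SUFFIXES:
        if label.endswith(suffix) and len(label) > len(suffix):
            return label[: -len(suffix)]
    return label

def lookalike_vendor(sender_domain):
    """Return the vendor domain a sender resembles, or None if it is exact or unrelated."""
    sender_domain = sender_domain.lower()
    if sender_domain in VENDOR_DOMAINS:
        return None
    for vendor in VENDOR_DOMAINS:
        # Same core name with a swapped suffix, or a near-identical spelling.
        if base_name(sender_domain) == base_name(vendor):
            return vendor
        if SequenceMatcher(None, sender_domain, vendor).ratio() >= 0.85:
            return vendor
    return None

def triage(msg):
    """Classify one inbound message; 'hold' routes it to a second approver."""
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    asks_change = bool(CHANGE_PATTERN.search(msg["body"]))
    impersonated = lookalike_vendor(sender_domain)
    if impersonated and asks_change:
        return "hold", f"lookalike of {impersonated} requesting payment change"
    if asks_change:
        return "hold", "payment-detail change requires secondary approval"
    return "pass", ""

SAMPLE_MESSAGES = [  # constructed examples
    {"from": "billing@abcdgroup.com",
     "body": "Please update our ACH information for invoice 4471 to the attached account."},
    {"from": "pm@abcdcorp.com",
     "body": "Attached is the revised schedule for the lobby build-out."},
]
```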
Wipfli can help
Many businesses are short-staffed and don’t have the time or personnel to implement the above tips. That’s where Wipfli can help. We not only perform fraud prevention checkups and identify your risks but also have the capabilities to help you close those gaps.
According to the Association of Certified Fraud Examiners, 51 percent of organizations have uncovered more fraud than usual since the beginning of the COVID-19 pandemic. During the pandemic, the FBI saw daily complaints of cybercrime rise by 300 percent. This makes right now the best time to reduce the risks your business is taking. Click here to get started with Wipfli’s fraud prevention checkup.
David Friedman is a partner in the valuation, forensics and litigation services practice of Wipfli. He is based out of the company’s Lincolnshire, Illinois, office.