Business Email Compromise (BEC)

It all started with phishing, where attackers use email to try to compromise IDs and passwords, install malware in your environment, etc. The Anti-Phishing Working Group was created in the early 2000s to try to stem the tide. Unfortunately, it has only gotten worse: phishing has moved from consumers to businesses. Those B2B phishing emails - now referred to as Business Email Compromise (BEC) - have led to massive amounts of financial fraud. The FBI has dedicated a significant amount of resources to fighting this threat.

Besides the risk of fraud, there is also significant operational risk with payments, as recent events at Citi have shown.

Our Assessment

Our approach to combating BEC is simple: we do an end-to-end review of both the technology and the operational processes around the movement of money, and document areas of improvement.

This assessment involves the following:

  • Identifying departments that manage a significant amount of money, usually the Treasury department.
  • Documenting all workflows and interactions involving the exchange of money: inputs, applications, existing controls, etc. 
  • Identifying areas of improvement, based on our experience and events in the news. These could include better controls on external email, 'creator / approver' controls for high-risk activities, callbacks, etc.
  • Providing a prioritized action plan, timeline and budget to implement the recommendations.

The resulting deliverable will provide a roadmap to minimize the risk of the firm being impacted by wire fraud and Business Email Compromise.