Business Email Compromise (BEC) scams are a genuine and growing threat to your business. But don't just take our word for it - in 2022, the FBI issued a public service announcement warning revealing that the crime has risen 65% in recent years and is getting more prevalent month-on-month.
And here is why it's growing like wildfire: In the cybercrime underworld, it's a scam with a higher-than-average success rate when compared to other online crimes.
So, as a SAP user, wouldn't it make sense to bolster your company's defenses against such a formidable menace? Of course it would. And here is the good news - help is at hand. This VOQUZ Labs article reveals more about BEC scams, how they work with a real-life example, and what your company can do within SAP to avoid becoming a victim.
A BEC scammer emails companies requesting them to pay a fake invoice or bill. But obviously, it's not as simple as that. Why? Companies have systems to ensure financial transactions' accuracy and legitimacy.
So how do BEC scammers circumvent internal systems and controls?
From social engineering techniques to graphic design mastery, their box of nefarious tricks makes them a competent foe that demands attention.
Here are a few of them:
We could dig deeper into the techniques - but you get the gist. The bottom line and critical takeaway is this:
BEC scammers use the above techniques to trick employees into entering new bank details controlled by the scammers into their accounts payable systems (such as in SAP) - and then paying them. This process is also known as a type of phishing attack.
remQ is a continuous monitoring software for SAP ERP and S/4HANA, with a large library of built-in controls that help check master data and business processes to avoid financial losses through errors and fraud. remQ can be set up in less than a day, works regardless of organization size and industry, requires no consulting project, and reduces the cost of compliance through automation.
Now that we understand the BEC scam's modus operandi, let's look at a well-known example that hit the headlines. In August 2015, US technology firm Ubiquiti submitted a report to the US Securities and Exchange Commission, disclosing that it had fallen prey to a "criminal fraud" totaling $46.7 million.
So what happened?
To cut to the chase, scammers impersonated employees at a third-party company and targeted Ubiquiti's finance department. This type of BEC scam is known as Vendor Email Compromise (VEC). Few details were released publicly. But the fraudsters likely compiled a list of Ubiquiti vendors - for example, through researching publicly available information - and worked off that data.
Ultimately, the following happened:
Now that we understand how BEC scams operate and the threat they pose to your organization, we'll now reveal how to fortify your defenses within SAP.
The following fact is a critical facet of a BEC scam: New bank account details belonging to cyber criminals are added or altered within a company's financial systems.
And one of the most effective ways to halt a BEC phishing attack in your company's SAP ERP or S/4HANA environment is to embrace automated internal controls systems, such as remQ by Voquz Labs. A tremendous benefit is that the technology, in almost real-time, creates red-flag alerts when payment details are added and changed.
What does this mean in practical terms?
It means that instead of new payment details (possibly belonging to scammers) slipping under the radar, finance and internal controls teams are immediately alerted, allowing them to investigate and take action if necessary.
For example, remQ (an easy-to-install SAP add-on) can even be customized so vendors are automatically blocked if changes are made close to a payment run - a red-flag event. In this scenario, an employee can then take a closer look at the issue, for example, by contacting the vendor directly to assess if everything is legitimate.
Our White Paper explains how using robust controls and automation, organizations can better manage fraud risks, comply with regulations, improve operational efficiency, and save substantial costs.
BEC scams pose a real and increasing threat to businesses. As we now know, the crime is surging - especially because cybercriminals are attracted to the high success rate.
But this high success rate doesn't have to apply to your company.
If your business uses SAP ERP or S/4HANA, you have an opportunity to halt BEC scammers in their tracks. VOQUZ Labs remQ Business Inspector software operates as a SAP add-on with a library of 100+ pre-built shipped controls ready to run. You can click here to learn more about how remQ can assist. We would also be delighted to answer any questions you have - contact us.
Recommended reading: Enjoyed this article? Now read: The Growing Threat of Invoice Fraud: How To Prevent It Within SAP
Paul is a RegTech content writer & strategist with extensive experience in digital marketing and journalism. His work has appeared in the Guardian newspaper. He also holds a degree in International Relations, where he studied global sanctions compliance and cross-border finance.
Do you have any questions or something to add? Just leave us a message, please! Your message will be delivered by e-mail to us and will not be published.