Foiling BEC Fraud With Better Distributed Processes

Some of my previous posts have discussed how work is changing due to the remote work trend, initially driven by the pandemic but likely to continue for types of work that can be performed just as effectively while remote. It’s essential, however, to consider how business processes change when the participants in a process may be distributed across multiple physical locations: it’s not just a matter of routing work to the right person in a way that they can access from their home office, but there may need to be entirely new checks and balances added to processes to account for the lack of face-to-face contact.

A use case to illustrate this is “business email compromise” (BEC) fraud, where an executive’s email account is compromised, then used to send instructions to their own finance team to wire funds outside the company to the fraudster’s account. Because the email comes from the legitimate account of a known executive, Finance performs the requested action; even a “second set of eyes” on the unusual transaction by another finance person would consider the executive’s email as proof that the request is legitimate. In pre-pandemic times, a senior finance person might meet with the executive to confirm or discuss the request, but when everyone is working remotely – and possibly on different schedules – the face-to-face step may be skipped, especially if the request is marked as urgent. Another example is when an employee’s email is compromised, then used to send an email to Payroll requesting a change in their direct deposit information to the fraudster’s bank account. Or a supplier’s email is compromised, and used to send a request to Accounts Payable to change their banking information for future payments. These frauds will be discovered fairly quickly, but a company may first lose a significant amount of money: in 2019, INTERPOL estimated that over $1 billion had been lost to BEC fraud in the previous year. This amount will only increase with a greater number of distributed processes where email requests replace face-to-face communication.

I’m not a security expert, which means that I’m not going to discuss the ways in which email accounts can be compromised for this type of fraud. However, I am a process expert, and have a few opinions on how you can redesign processes to detect and counteract it when it’s happening.

Processes with distributed participants need to be redesigned to incorporate a type of human multi-factor authentication for unusual requests: if there is a request that falls outside normal operating procedures and rules, a second type of communication is required to confirm the request. That doesn’t mean a second email, since email could be compromised, but a different mode altogether. Another electronic means, such as a non-email collaboration platform or a text message, could be considered, but if there is a risk that someone’s email has been compromised, their entire computer may have been compromised along with access to all applications. In that case, if face-to-face communication is not possible, a personal connection should be made via telephone or video conference for confirmation.

Foiling this type of fraud requires a good understanding of the following:

• The standard processes used to service these requests, including the usual channels and originators for the requests.
• The standard rules for approving these requests, including approval limits.
• If two parts of the process ran in parallel, how would that impact the end-to-end cycle time?
• Any expected deviations from the standard processes and rules for special cases. My previous post on process mining and other data-driven techniques for process analysis can help you to find the allowable deviations in your own processes, and filter out just the true “unusual” cases that require a second look.

Let’s look at the before and after of a wire transfer request process. In its simplest form, the “before” version of the process shows the actions within Finance: they receive a request and complete the wire transfer as instructed, with a diversion for approval by a senior finance person if the amount exceeds a pre-set limit. Often, there are no other rules applied: if the CEO (for example) requests a wire transfer, it is executed as requested.

Fixing this process requires applying rules to the request in a standardized fashion, then requiring a second form of request authentication if the request violates one or more of the rules.

This is a relatively small change to the process, but there are two significant hurdles to overcome.

First, the rules for “usual” versus “unusual” requests need to be well-understood. This will include where the requests originate, the amount, the recipient and even the urgency of the requests. If, for example, the CEO requests a large wire transfer on a Friday afternoon, to be sent to one of the company’s subsidiaries that often receives transfers, and needs it done in the next 30 minutes, it’s probably going to pass the rules. However, if the CEO requests a large, urgent transfer to a previously-unknown recipient, it will fail the rules and require validation. These rules are specific to each company, and need to be agreed upon between the executives and (in the same of wire transfers and other financial transactions), both internal Finance and external auditors. It would also be a good idea to involve Information Security to review the rules, since they may offer insights into variations on BEC fraud.

Secondly, there’s a personal element required for the validation of unusual requests via a different communication channel. All parties need to agree on the accepted methods for this, so that a junior finance clerk doesn’t feel too intimidated to call the CEO and validate the request. Information Security should also be involved in deciding on these channels, since they can provide advice on what other channels may have been compromised in the event of an email compromise. Voice/video communication with the requester is always the safest option, but may not always be possible.

Many organizations that were already working in multiple locations have processes like this in place to guard against fraud. With the current pandemic, now almost every organization has the need to consider the new checks and balances in their processes when face-to-face contact is removed from their daily operations.