Wire Fraud: Should banks CYA by tightening up on KYC?

After a long weekend, Finance Manager Joe sits at his desk to read his emails. One of the emails is from a trusted vendor with whom Joe communicates on a regular basis, regarding an unpaid invoice that is due immediately. The vendor tells Joe that he was having “issues” with his bank and recently changed accounts. The vendor provides instructions for Joe to wire funds. As this is a known partner with whom the company has a good relationship, Joe wires the amount due. Two weeks later, the vendor contacts Joe to let him know that the invoice has not been paid. In a panic, Joe rereads the emails he received and observes that one letter in the sender’s email address differs from the vendor’s legitimate email address. Joe calls the bank but is advised that the money has already been withdrawn and that his company’s account has a balance of $0.00.

Joe is a victim of a Business Email Compromise and, although fraudsters use many tactics to complete a BEC, the basic formula is the same: get an employee to send funds and then withdraw all of the funds before someone realizes it’s a scam. According to a report by the Federal Bureau of Investigation, cyber criminals use BECs as one of the main attack vectors to obtain thousands – and in some cases, millions – of dollars from unsuspecting victims. Additionally, the Federal Trade Commission recently released data showing that consumers reported losing more than $12.5 billion in 2024 due to fraud. Most of the losses were due to investment scams, but $2.95 billion was reported lost from imposter scams, including BECs.
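The two signals in that formula, a sender address one character off from a known vendor and a request to pay into a new account, can be checked automatically before a wire is released. The Python below is an added example, not code from this post or from Constangy; the vendor address, message text, edit-distance threshold and phrase list are constructed assumptions.

```python
import re
from typing import Optional

# Constructed sample: vendor addresses that finance already has on file.
TRUSTED_VENDOR_ADDRESSES = {"accounts@acme-supplies.example"}

# Phrases that usually accompany a request to redirect a payment (assumed list).
BANK_CHANGE_PATTERNS = re.compile(
    r"(new|changed|updated)\s+(bank|account|wire|routing)"
    r"|wire\s+(instructions|transfer)",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute). A one-letter swap in
    a sender address, as in the scenario above, scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, max_dist: int = 2) -> Optional[str]:
    """Return the trusted address this sender imitates, or None.
    An exact match is the real vendor; a near miss within max_dist is suspect."""
    sender = sender.strip().lower()
    for known in TRUSTED_VENDOR_ADDRESSES:
        d = edit_distance(sender, known.lower())
        if 0 < d <= max_dist:
            return known
    return None


def assess_email(sender: str, body: str) -> dict:
    """Combine the two BEC signals into a disposition for the finance queue."""
    imitated = lookalike_of(sender)
    payment_change = BANK_CHANGE_PATTERNS.search(body) is not None
    if imitated and payment_change:
        verdict = "hold_for_callback"   # fake sender plus new account: classic BEC
    elif payment_change:
        verdict = "verify_out_of_band"  # real address, but it may be compromised
    elif imitated:
        verdict = "quarantine"          # lookalike sender with no payment ask yet
    else:
        verdict = "ok"
    return {"lookalike_of": imitated, "payment_change": payment_change, "verdict": verdict}
```

A "hold_for_callback" result means finance confirms the new account by phoning the vendor at a number already on file, never one taken from the email.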

Because most of these fraudsters open bank accounts to receive the funds, do banks bear some of the blame?

KYC regulations

In response to the attacks on September 11, 2001, the USA PATRIOT Act was enacted to expand the powers of law enforcement and intelligence agencies to combat terrorism. The Patriot Act introduced Know Your Customer regulations, which provide guidelines for financial institutions to know more about their customers. All banks in the United States must comply with these regulations, which are intended to help financial institutions maintain accurate information about their clients and minimize risk. KYC regulations have five main components:

  • Customer Identification Program. Verifying the identity of customers using personal or corporate identification documents.
  • Customer Due Diligence. Assessing the risk profiles of customers and applying appropriate measures based on their risk level.
  • Enhanced Due Diligence. Applying additional scrutiny for high-risk customers to mitigate potential risks.
  • Customer Acceptance Policy. Establishing guidelines for onboarding customers.
  • Ongoing Transaction Monitoring. Continuously monitoring customer transactions to detect suspicious activities.

In 2018, the Financial Crimes Enforcement Network established the Customer Due Diligence rule. The rule not only requires banks to identify and verify the identities of customers but also to verify beneficial ownership – in other words, to know who is ultimately “benefiting” from the funds in the account. The CDD rule does not provide specifics regarding the monitoring expectation, but FinCEN requires banks to monitor for suspicious activity by adopting and enforcing a risk-based approach.

What does this mean for banks?

Banks have historically been protected by the Electronic Fund Transfer Act of 1978 and Section 4A of the Uniform Commercial Code. The EFTA requires banks to reimburse victims for “incorrect” transfers, but the victims are required to notify the banks almost immediately.

This presents a problem for victims, who in many cases do not discover the fraud until days, or even weeks, later. However, there are recent indications that lawmakers may be starting to side with the victims.

If a BEC is not the bank’s fault and not the victim’s fault, how does one protect against this type of fraud? Believe it or not, human interaction is the key to recognizing accounts that are opened for nefarious purposes. Bank employees must validate and confirm the Customer Identification Program information and physical address and, for businesses, validate and understand the business’s relationship with the bank. Bank employees must also have triggers for knowing when to exercise enhanced due diligence and to ask the right questions – is this a legitimate business, is this a real person, and can this information be validated? Questions should be tailored to the circumstances of the case.

In the meantime, training, constant reminders to exercise vigilance, and periodic risk assessments are the best way to protect against BECs.

The Constangy Cyber Team helps businesses of all sizes and industries develop comprehensive incident response plans and provides support during a breach. We are here to help! Contact us 24/7 at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

  • Kim Detwiler
    Senior Counsel

    As a former Secret Service Supervisory Special Agent, Kim brings unique insights to the Constangy rapid response team. She assists clients in responding to a variety of types of cyber attacks, including wire fraud, business email ...

  • Matthew Toldero
    Partner

    He brings over ten years of combined incident response and risk management experience to his role on our Rapid Response Team. During the seven years prior to joining the Constangy Cyber Team, Matt worked at a boutique incident ...
