
Financial institutions in the Inland Northwest are sounding the alarm to warn and educate the business community about the latest iteration of scams and frauds targeting companies and their employees.
Business Email Compromise, commonly referred to as BEC, occurs when cybercriminals attempt to trick employees into sending money or data via email. While the scheme has been around for some time, with the onset and easy availability of artificial intelligence, the scams have grown at a rapid speed, banking leaders say.
Annette Duncan, senior vice president and treasury management director for Banner Bank, says she has noticed a rise in BEC scams that are more sophisticated than the scams of just four to five years ago. The challenge for banks is that the clients' systems are being compromised, rather than a bank's own systems. Consequently, she says, an institution often is limited in how much it can control the damage.
“Fraudsters are shadowing the customers, or they have infiltrated the client’s systems so they can see the traffic and communication that happens between the customer and their vendors or trading partners,” Duncan says.
Kelly McPhee, senior vice president of communications for Banner Bank, adds that while banks have safeguards in place, payments to grifters are legitimate actions taken by business clients and are often out of the banks’ control.
“We put in speed bumps. We ask that you please verify before making a change,” she says. “But at the end of the day, if you instruct us to make a payment, we’re going to do so with absolute precision.”
Kathryn Albright, executive vice president and head of global payments and deposits at Umpqua Bank, says the financial institution has noticed consistent and persistent attacks by fraudsters on its business and consumer customers.
Last year, the bank launched a program geared toward the business community titled Safe Success Against Fraud Events, comprised of educational programming through in-person seminars and webinars posted on the company’s website. The bank intends to host in-person seminars in all its major markets, including Spokane, Albright says.
“Businesses and consumers think, it’s not going to be me, but it’s truly a matter of when, not if,” Albright says. “Frauds, they’ll start with one small attempt, and if they’re successful … they’ll start just launching larger and larger attempts and continue to until they’re stopped.”
The Internet Crime Complaint Center, a division of the Federal Bureau of Investigation, states that between 2013 and 2023, BEC scams resulted in over $55 billion in losses. Between December 2022 and December 2023, there was a 9% increase in losses.
Dan Hansen, communications director for STCU, points to data from the Association of Financial Professionals, which reported that 71% of businesses reported BEC attempts in 2022. Accounts payable personnel are usually the main targets of these attacks, he says.
“Small business proprietors might be particularly vulnerable because they’re doing so many tasks, and taking care of so many things,” Hansen says. “They aren’t necessarily specialists in information security or doing the books. It’s particularly insidious for them to be attacked.”
Most Common Scams
McPhee says the two most common scams are payment requests and payment account change requests.
In payment requests, fraudsters will pose as one of the company’s vendors and ask for a payment, often on an invoice that the business has been expecting.
In payment account change requests, the fraudster poses as someone that the business regularly works with via email and asks to make a payment account detail change, such as an update to payroll information or wire transfer instructions. They then request payment via the updated information.
Further complicating these scenarios, fraudsters will often hack into business computer systems and email and lie in wait until they see an email come through that has something to do with a legitimate vendor of that business. They then hijack the existing email thread so that their request appears legitimate, she says.
“They (scammers) are taking advantage of how fast we move and how fast the speed of business today is,” McPhee says.
There are cases in which a business was making payments to a scammer for months without realizing its mistake until the legitimate vendor reached out to inquire about missed payments, McPhee says. Those businesses still are responsible for paying the legitimate vendor for its work.
Mark Fox, senior vice president of payments and operations at Numerica, says the credit union hasn’t seen specific cases of direct email hacking with its business members, but rather cases of fraudsters impersonating trusted vendors by spoofing email addresses.
“We encourage people to train their employees to recognize red flags, such as urgent payment requests, slight email address verifications, or unexpected changes in payment details,” Fox says.
McPhee says the general rule of thumb is to slow down and verify every time. Other financial institutions' leaders echo this advice. They further share tips for how to handle requests for payment via email, text, or voice message.
For business accounts, Umpqua has several tools that it recommends its customers implement, Albright says.
Positive Pay automatically compares outgoing checks against an authorized list and ensures that only the checks you have authorized are paid, she says. Payee Positive Pay is a tool that is used when a payee presents a check for payment, and the bank compares it against an approved list of checks issued that day.
In addition, a banker will check the serial numbers, amount, and date. This process helps to protect against check washing, where a fraudster erases or “washes” the name of the payee from the check, replaces it with their own name, and then deposits the check into a fraudulent account.
Above all, Albright says her motto to customers is, if you see something, do something.
“Pick up the phone, call your bank, and let them know you have an issue,” Albright says. “It’s never too early. Even if you think it’s not a fraud attempt, or you think maybe it is and you don’t want to look silly–nothing is too silly. We’ve seen it all.”
Duncan, of Banner Bank, echoes this advice. She notes the bank has a call center trained on all of the bank’s treasury management products and services, which clients can access at any time they want, with no additional charge.
“This is not something that the average client can probably spot on their own,” Duncan says. “A lot of these have moved beyond the ability to visually detect or understand where the threat is coming from.”