BEC is Getting More Sophisticated, Machine Learning to Detect BEC Fraud is Imperative Now

On April 9, The AFP (Association for Financial Professionals) Payments Fraud and Control Survey Report says, “…fraud committed via BEC has increased by 80 percent, over half of those companies impacted by BEC incurred a financial loss, indicating the perpetrators of these attacks were successful… ACH transactions have also become much more popular as the targeted payment method for BEC scams”.

On July 16, the Financial Crimes Enforcement Network (FinCEN) issued an “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes.” Having seen a recent uptick in the frequency and sophistication of these schemes, FinCEN issued the Advisory “to alert financial institutions to predominant trends in reported business email compromise (BEC) fraud, including key sectors, entities, and vulnerable business processes targeted in many BEC schemes”.

Phishing is a highly effective attack vector for BEC. Industry research holds that 30% of phishing emails are opened by campaign targets, and that 12% of targets click on the attachments inside those phishing emails. A very high proportion of security breaches involve a phishing component, and many other attack vectors go hand-in-hand with it, such as malware, stolen credentials, and social engineering. According to Verizon’s 2019 Data Breach Report (DBIR), phishing has by far the highest success rate of any threat vector. Spam filters are configured to look for known malware signatures and suspicious key phrases such as “You’ve WON a free cruise,” but a generic message such as “please process this wire transfer request” could easily get past a filter. Lesser known, but also reported in the DBIR, is that click rates are significantly higher when phishing messages (whether email or SMS) are opened on mobile devices, where it is harder to check the authenticity of emails and web pages (e.g., by inspecting email headers or SSL certificates).

Once an email account has been compromised, the risk indicators of BEC fraud are best detected with machine learning and monitoring of behavioral risk indicators such as:

  • An unusual amount of wire or funds transfer to an unusual recipient
  • Suspicious time of payment initiation
  • An unusual volume or number of transactions in the payee account

Guardian Analytics Machine Learning & Behavioral Analytics Fraud Detection solutions have hundreds of fraud risk indicators spanning online and mobile banking, wire, ACH (ODFI/RDFI), and P2P (Zelle) channels, and are deployed at numerous financial institutions.

The volume of data that is collected and made available to the analytic models makes an important difference in their ability to detect suspect activity. As covered in the FinCEN Advisory, fraudsters have created more sophisticated attacks on business email. They are conducting reconnaissance exercises and getting much better at mimicking legitimate business email activity to gain the trust of victims.

On top of being better at compromising email accounts, fraudsters have weaponized machine learning (ML) to help circumvent rule-based fraud detection systems. These weaponized models easily discover static rule-based thresholds and defeat them automatically. A typical weaponized ML BEC model would start with phishing and email account compromise (EAC) to obtain credentials and access to social media accounts, collecting the target’s personal information such as age, sex, number of LinkedIn connections, and number of followers and posts on Twitter. Vendor invoice data can also be bought or obtained on the Dark Web. All of these data elements are fed into the weaponized ML model, which predicts whether an attack will succeed. To make their fraudulent emails more believable, attackers often register domain names similar to those of the victims’ companies, which costs very little money.

A weaponized ML model can only be fought with ML and behavioral analytics on both transactional and non-transactional data. As a pioneer in Machine Learning and Behavioral Analytics for Fraud Detection, Guardian Analytics continuously enhances its multi-channel fraud detection model algorithms to fight conventional and weaponized ML fraud schemes. However, the richness of the data provided to the fraud detection solution is key to identifying fraudulent activity early. For example, much of the fraudulent payment activity has been perpetrated through wire transfers. Typically, the data available to evaluate these transactions relates to the wire itself only. Relying on that data alone may be insufficient to identify highly sophisticated fraud activity. The same is true for ACH transactions.

Financial services companies benefit from having a process in place to validate the email address that is the source of a request for funds, for instance to identify whether it has been spoofed. The outcome of this review must then be contributed to the dataset evaluated by the fraud detection solution. It is likewise useful to have data on the date and time of the request, and whether it is in line with, or out of pattern with, historical payment requests from the particular requestor. Has the requested payment method changed? For example, if payments to a particular individual or vendor have always been made by check and a payment is suddenly requested by wire, that change may indicate a threat. How the funds are requested to be sent is valuable information for determining potential fraud.
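The behavioral indicators listed earlier (unusual amount, unusual recipient, suspicious timing, unusual payee volume) and the supplemental data described here (sender domain check, payment method change) can be combined into a baseline-and-deviation score per requestor. The following is an added illustration, not Guardian Analytics' code; the payment history, indicator weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed payment history for one vendor (not real data):
# (initiation time, amount, payee account, method, sender email domain)
HISTORY = [
    (datetime(2019, 6, 3, 10, 15), 4200.0, "ACCT-1001", "check", "acme-supply.com"),
    (datetime(2019, 7, 1, 11, 40), 4350.0, "ACCT-1001", "check", "acme-supply.com"),
    (datetime(2019, 8, 5, 9, 5), 4100.0, "ACCT-1001", "check", "acme-supply.com"),
    (datetime(2019, 9, 2, 14, 20), 4400.0, "ACCT-1001", "check", "acme-supply.com"),
]

@dataclass
class Request:
    when: datetime
    amount: float
    payee: str
    method: str
    sender_domain: str  # domain of the email that requested the payment

def build_baseline(history):
    """Summarise what 'normal' looks like for this requestor."""
    amounts = [h[1] for h in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,  # avoid division by zero
        "payees": {h[2] for h in history},
        "methods": {h[3] for h in history},
        "domains": {h[4] for h in history},
    }

def score_request(req, baseline):
    """Return (risk score, triggered indicator names) for one funds request."""
    hits = []
    z = (req.amount - baseline["mean"]) / baseline["std"]
    if z > 3:                                   # unusual amount vs. history
        hits.append(("unusual_amount", 3))
    if req.payee not in baseline["payees"]:     # never-seen recipient account
        hits.append(("new_recipient", 3))
    off_hours = req.when.hour < 8 or req.when.hour >= 18 or req.when.weekday() >= 5
    if off_hours:                               # suspicious initiation time
        hits.append(("off_hours_initiation", 2))
    if req.method not in baseline["methods"]:   # e.g. check -> wire switch
        hits.append(("payment_method_changed", 2))
    if req.sender_domain not in baseline["domains"]:  # lookalike/spoofed sender
        hits.append(("sender_domain_mismatch", 4))
    return sum(w for _, w in hits), [name for name, _ in hits]

def is_suspicious(req, baseline, threshold=5):
    return score_request(req, baseline)[0] >= threshold
```

A real deployment would learn the weights and thresholds from labelled data rather than fixing them by hand, and would feed the triggered indicators into the broader model alongside the wire or ACH data.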

These are just a few examples of how supplemental data can improve the ability to detect anomalous activity. Conventional data is no longer enough on its own to combat the level of sophistication and complexity of many current threats. Financial services organizations need to tap multiple data sources and make additional data elements available to their fraud detection solutions. It is only with the broader view provided by additional data that organizations will gain the full picture of the money movement ecosystem required to fight fraud. Without this full view, the signals may be too weak for a fraud detection system to detect.

The bottom line is that, to protect themselves from the escalating threat of business email compromise, banks and other financial services organizations need to take steps to collect this ancillary data and make it available to their fraud detection solutions. Even one or two additional data points can add tremendous value to behavioral analytics, helping to identify, flag, and stop suspicious activity.