Phishing, BEC, and check fraud: The top fraud trends in 2023
These are the top cybersecurity and fraud trends affecting businesses in 2023. Here’s how to help protect your organization.
Threat actors have been busy so far this year turning inboxes and mailboxes into fraud minefields. While phishing scams and check fraud have been around for years, the sharp rise in these fraud attempts highlights the need for organizations to remain vigilant and consider strengthening defenses to protect themselves against costly breaches.
This article covers the top three cybersecurity and fraud trends Huntington’s Corporate Investigations and Cybersecurity teams are seeing in 2023. We’ll also offer tips for helping protect against these attempts to keep your organization safer.
Fraudsters are still going phishing to snare victims
Phishing is a form of social engineering used to harvest sensitive information, from which they can determine how to further exploit the victims. Cybercriminals exploit our inherent helpfulness and trustworthiness through these types of fraud attempts, which is why they’re so successful.
Most people are aware of phishing scams – we’ve heard about them on the news, social media, and cybersecurity training. Despite this awareness, a 2022 Verizon report found that 82% of reported breaches involve the human element†. Additionally, though the report found that just 2.9% of phishing emails were clicked on, these breaches could lead to more than 33 million accounts being compromised‡.
The financial consequence of a successful data breach is another reason phishing can be so dangerous. Data breaches resulting from successful phishing attempts averaged $4.91 million globally in 2022§, making it one of the most expensive forms of fraud.
"Phishing attacks might not be top of mind for everybody, but any company engaging in online payments with vendors or other groups could become a target. We’ve seen these attacks happen from small mom-and-pop businesses to massive corporations."
Corporate Investigations Director at Huntington
Think before you click to help avoid phishing scams:
- Never click links or open attachments from unknown senders or suspicious emails.
- Hover over URLs in emails to check the link before clicking on it.
- Don’t assume a branded email is safe – fraudsters can mimic logos.
- Watch out for urgent, demanding, or threatening requests.
- Check for brand indicators for message identification (BIMI), which indicate an email is validated and trusted.
- Develop a robust data recovery and protection plan to minimize the damage of a breach.
Business email compromise is costing companies big money
There’s a reason why the FBI says business email compromise (BEC) is one of the costliest forms of cyberattacks¶.
"The latest report from the Internet Crime Complaint Center puts adjusted losses related to BEC in 2022 at almost $2.7 billion≠. Business email compromise can be incredibly lucrative, which is one reason it will remain an ongoing threat in 2023."
Cybersecurity Outreach Director at Huntington
BEC is a form of phishing that targets employees by impersonating vendors or leadership members and requesting employees take some financial action. Victims of BEC might find themselves on the receiving end of a seemingly innocent email from a vendor asking them to update bank account information or submit an invoice to a new entity. The fraudster might have compromised the vendor’s email account or, more likely, have made minor, easy-to-miss adjustments to the known email address.
Often, because the business originated the payment, these funds result in a loss that can only sometimes be recovered. When compromised, an organization’s best chance to remedy a potentially devastating situation is to act fast.
“Time is a significant factor in these situations,” says Smart. “The first response should be to contact your bank. Then, submit a report through the FBI’s Internet Crime Complaint Center as soon as possible. Their recovery team can issue seizure warrants and lock down funds.”
Employee training and an incident response and data recovery plan can increase your chances of catching a BEC attempt before it’s too late.
“An incident response plan helps you develop a process for how to triage and remediate cyber events like business email compromise. The goal is to contain an incident before it ‘graduates’ into a disaster,” explains Buening.
Verify requests and act fast to help protect against BEC:
- Call vendor contacts or people within your organization at a known or confirmed number to verify any request to change invoicing or financial information, send payments to an unknown destination, or purchase gift cards.
- Be suspicious of changes in business practice, such as a known contact requesting you email them via a personal email address.
- Avoid responding quickly when an email requests you take urgent action.
- If you are a victim of business email compromise, immediately contact your bank and submit a claim to the FBI’s Internet Crime Complaint Center.
Check fraud is on the rise – again
What’s old is new again as we look ahead to the rest of 2023. Despite predictions just a few years ago that check use would dwindle into nonexistence, individuals, businesses, and government entities continue to rely on checks. Cybercriminals have taken advantage of this fact in recent years, as evidenced by check fraud doubling in 2022Ɫ. The financial ramifications of check fraud can be overwhelming: Check fraud is predicted to lead to $24 billion in damages in 2023Ⱡ.
“This has become a rampant problem across the country,” says Smart. “There are collusive U.S. postal workers stealing mail and selling it. We’ve also seen postal workers robbed at gunpoint for their skeleton keys.”
Those keys, which open those ubiquitous blue USPS mailboxes on street corners, are so valuable they’ve been seen sold online for as much as $3,000 in bitcoinÕ. Fraudsters with these keys can easily sort through mail and steal checks from the U.S. mail stream. They then chemically wash portions of the check, rewrite the payee line, and adjust the dollar amount.
Much like phishing scammers, bad actors committing check fraud rarely work alone. A black market has even emerged for stolen checks.
“People are recruited through social media to deposit the checks into their accounts and send the funds back to the recruiter through Cash App or other payment methods,” says Smart. “The incentive is the people recruited get to keep a portion of the funds for themselves.”
While banks are required to return fraudulent funds in the case of check fraud, there is no set timeline for them to do so. Smart says claims can drag on, leading customers to be without their funds for months.
Stay one step ahead of check fraudsters:
- Leverage electronic payments whenever possible.
- Consider sending checks through UPS-certified mail or another tracked mail system.
- Bring checks to a post office instead of putting them in an outgoing mailbox.
- Depending on your bank, use available security measures to review checks and approve or decline them to help catch fraud early.
- Separate employee fiduciary duties within your organization, so the person writing the checks isn’t also responsible for cashing them and reconciling accounts.
Keep cybersecurity & fraud prevention top of mind in 2023
The threat landscape is ever evolving, and how organizations can best protect themselves is constantly shifting. Despite the specific threats looming on the horizon, it is essential to remember that an overall cybersecurity and fraud prevention strategy should be a priority for organizations of every size. Huntington can support you with the insights, resources, and expertise you need to grow and strengthen your organization. Contact your relationship manager to start the conversation.
† Verizon. 2022. “2022 Data Breach Investigations Report.” Accessed February 15, 2022.
§ IBM. 2022. “2022 Cost of a Data Breach.” Accessed April 17, 2023.
¶ Federal Bureau of Investigation. n.d. “Business Email Compromise.” Accessed April 17, 2023.
≠ Federal Bureau of Investigation Internet Crime Complaint Center. 2023. “Internet Crime Report 2022.” Accessed April 17, 2023.
Ɫ McKenna, Frank. 2023. “Dawn of the ShapeShifter: 10 Fraud Predictions for 2023.” Frank on Fraud. January 2, 2023.
Õ McKenna, Frank. 2022. “Check Fraud is Booming Again in a Post-Pandemic U.S.” Frank on Fraud. February 14, 2022.
The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.
Lending and leasing products and services, as well as certain other banking products and services, may require credit application approval.
Third-party product, service and business names are trademarks/service marks of their respective owners.