On April 14, 2016, the U.S. Attorney for the Southern District of New York filed a civil forfeiture action seeking to recover nearly $100 million stolen from an unidentified U.S. company through a form of wire fraud or Automated Clearing House (“ACH”) fraud.

According to the complaint filed in Manhattan federal court, the perpetrators created a fake email address and posed as one of the victim’s legitimate vendors. Through this email “spoof,” the victimized company transferred $98.9 million intended for the vendor into an account at Eurobank Cyprus, Ltd. The funds were then redirected to various accounts controlled by the perpetrators throughout the world. But officials at Eurobank Cyprus Ltd. quickly detected a problem and prevented nearly $75 million from being transferred into the perpetrators’ accounts, and most of the remaining funds have been frozen in accounts throughout the world. The case is U.S. v. Certain Funds on Deposit in Various Accounts Detailed Herein, and All Funds Traceable Thereto, case number 1:16-cv-02800 (S.D.N.Y.).

As we previously noted, cybercrime targeting financial transactions is nothing new. But this case is a stark reminder of the increasing prevalence of business e-mail fraud and ACH fraud generally. On April 4, 2016, the FBI issued a warning of “a dramatic rise in the business e-mail compromise scam or “B.E.C.,” a scheme that targets businesses and has resulted in massive financial losses . . . .” The FBI noted that perpetrators of this variant of fraud will go to great lengths to spoof company or customer e-mail or use social engineering to facilitate fraudulent wire transfers to foreign accounts.

The FBI recommends that businesses take several precautions to guard against this type of wire fraud, including:

  • Exercise caution with e-mail-only wire transfer and other “urgent” financial requests
  • Verify such request with legitimate business partners verbally at an established telephone number of record
  • Be cautious of mimicked or spoofed e-mail addresses
  • Practice multi-level authentication
  • Closely monitor and frequently reconcile account balances
  • Use strong passwords and change them often
  • Restrict access to computers used for ACH transactions and limit the number of employees authorized to engage in such transactions
  • Regularly update computer networks, firewalls and anti-virus software