An increasing number of businesses are being targeted by sophisticated email scams designed to convince the employees responsible for executing financial transactions to wire funds to overseas accounts controlled by the perpetrators.
US$215 million in losses and counting
The FBI’s Internet Crime Complaint Center (IC3) reported that, from Oct. 1, 2013 to Dec. 1, 2014, Business E-mail Compromise (BEC) scams claimed over 2,000 individual victims and generated losses of nearly US$215 million. US$179.7 million of that was taken from nearly 1,200 victims in the United States.
In addition to victims in the U.S., the FBI has documented nearly 1,000 non-U.S. victims in 45 countries associated with wire transfer fraud scams, with wire funds reportedly being sent primarily to Asian banks located in China and Hong Kong.
Understand email scams and educate key employees
Owners and employees of businesses that work with foreign suppliers need to be on the lookout for email scams that attempt to trick them into making fraudulent wire transfers. Employees need to be made aware that phishers not only play on the similarity of domains (read our previous QuickStudy on Wire Transfer Fraud) but also prey on most employees’ eagerness to please. BEC scams are carefully crafted:
- Fraudsters register an internet domain name that is visually very similar to the target company’s domain or to the domain of one of the target’s real suppliers.
- Scammers research publicly available information about the target company, looking for the names of senior financial officers and employees, especially chief financial officers and comptrollers.
- Fraudsters use social engineering to obtain the name and legitimate email address of the target company employee who is responsible for making large wire transfers.
The key element of this type of attack is, simply, “doing your job.” When the CEO or CFO tells you to do something, you do it. Victims believed they were acting on the wishes of executives (or of a vendor) who had communicated through email, not realizing they were making fraudulent wire transfers. Once a business owner or other employee is tricked into wiring funds to a foreign bank, the criminals move the money through a global money-laundering network.
Victim organizations range from small family-run businesses with a few employees to large enterprises, and those that fall for such scams often lack strong internal controls. Banks and law enforcement agencies continue to attempt to recover funds; many cases involve messages sent in a legitimate employee’s name from a fake email alias.
Protect against a wire transfer scam
Anti-spam and anti-phishing technology does spot some attacks, but criminals have become better at spoofing email messages, and the targeted, low-volume nature of the request typically gets the bogus message past spam filters.
Organizations need to ensure employees are aware that fraudulent email requests for a wire transfer are well-worded, well-planned and believable; are based on detailed information specific to the business being victimized; and do not raise suspicions as to the legitimacy of the request. Criminals research and monitor their selected victims before sending a phishing email, identifying and targeting the employees who have the access necessary to perform wire transfers within the business.
Train employees to recognize red flags, including requests that:
- the employee act very quickly on a financial transaction.
- the employee keep the transaction strictly confidential.
- are made at unusual times and for payments to accounts to which money has not previously been sent.
Practical counter-BEC advice
Prevention is key – recommendations for organizations to avoid BEC type wire transfer scams include:
- Ask your IT department to configure email clients to display the full address of the sender and recipients in the thread, not just the display name. This often exposes suspicious addresses or the unusual use of a personal account by one of your executives.
- Never execute a transfer on the strength of an email alone. Contact the purported sender (your CEO or CFO) and verify the details with them in person or over the phone, using a number you already have on file rather than one supplied in the email.
- Because perpetrators research and monitor their victims, they often time fraudulent emails for when the executive is traveling and not easily reached for verification. If the executive in question is out of town, and especially if the transfer is directed to an account you have never done business with before, do not execute the transfer until you get a clear response from the supposed issuer by phone.
- Scammers will want you to keep the request under wraps; secrecy is part of their tactics. Report the matter to your CEO, CFO and the accounting department, all of whom will need to know about the scam either way.
Time is of the essence
Fraudulent requests are not only for millions of dollars; they can just as often be for smaller amounts, because the requested sums are chosen to look typical for the particular business. Once funds have been wired, recovery may be possible if the scam is detected within the first 24 to 48 hours, and often only with the help of law enforcement.
If you suspect you have been scammed by BEC emails:
- Report the matter to law enforcement immediately.
- Also contact both your financial institution and the receiving financial institution to request that they stop or unwind the transfer.
- Seek advice from legal counsel about:
  - Steps you can take to recover the stolen funds
  - Legal obligations or protections you may have related to this situation, such as potential insurance coverage for any loss
- Change your controls to minimize the risk of something similar occurring again:
  - IT controls that keep the scammer out of the system
  - Purchasing controls that validate changes in vendor payment information or the setup of new vendors
  - Treasury controls that require multiple approvals of wire transfers
- Educate employees about the scam so they can remain vigilant; tell them how it was perpetrated and that they themselves can be the scammer’s way in.