We recently brought you the cautionary tale of a company employee who was tricked by a hacker, via a spoofed email, into executing wire transfers of large sums of money, a scheme known as Business Email Compromise (“BEC”) or Email Account Compromise (“EAC”) fraud, with the resulting loss not being covered under traditional insurance coverage (crime or computer fraud). If organizations need any more incentive to take BEC seriously, in a May 4, 2017 Alert (I-050417-PSA), the FBI noted that identified expected losses from BEC phishing scams have grown 2,370% over the past two years. And unfortunately, no slowdown is in sight.
A BEC scheme involves a hacker impersonating an executive, employee or associate of a targeted organization in order to dupe an employee into executing wire transfers or compromising organizational data. As noted by the FBI Alert, the hackers monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam, and are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).
The FBI Alert also put the problem in absolute terms: more than 40,000 global incidents were recorded between October 2013 and December 2016, resulting in more than $5.3 billion in expected losses. Of those, 22,292 incidents occurred in the United States, resulting in more than $1.5 billion in expected losses. The FBI Alert also warned that attacks are continuing to grow and evolve, and target businesses of all sizes. As we have stressed in the past, no business is immune from being a BEC target, and all businesses and their employees should be aware of the threat posed by these schemes. In particular, the FBI Alert notes five main types of BEC schemes that are in circulation:
Business Working with a Foreign Supplier
A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile, or e-mail. If the request arrives by e-mail, the fraudster will spoof the message so that it appears to come from the supplier and closely resembles a legitimate request. Likewise, requests made via facsimile or telephone call will closely mimic a legitimate request. This particular scenario has also been referred to as the “Bogus Invoice Scheme,” “Supplier Swindle,” and “Invoice Modification Scheme.”
Business Executive Receiving or Initiating a Request for a Wire Transfer
The e-mail accounts of high-level business executives (Chief Financial Officer, Chief Technology Officer, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is typically responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.” This particular scenario has been referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”
Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail
An employee of a business has his or her personal e-mail hacked. This personal e-mail may be used for both personal and business communications. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal e-mail to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until that business is contacted by a vendor to follow up on the status of an invoice payment.
Business Executive and Attorney Impersonation
Victims report being contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of BEC scam may occur at the end of the business day or work week and be timed to coincide with the close of business of international financial institutions.
Data Theft
Fraudulent requests are sent utilizing a business executive’s compromised e-mail. The entities in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipients of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario even if they were able to successfully identify and avoid the traditional BEC scam. This data theft scenario of the BEC scam first appeared just prior to the 2016 tax season.
The FBI Alert correctly notes that businesses with an increased awareness and understanding of BEC scams are more likely to recognize when they have been targeted, and are therefore more likely to avoid falling victim and sending fraudulent payments. Businesses that deploy robust internal prevention techniques at all levels (especially for front line employees who may be the recipients of initial phishing attempts) have proven highly successful in recognizing and deflecting BEC attempts. The FBI Alert also offered some self-protection strategies, which include the following (additional tips are offered in the Alert):
- Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchical information, and out-of-office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give the attacker access to your computer system.
- Do not use the “Reply” option to respond to any business e-mails. A reply goes to whatever address the sender placed in the message’s “Reply-To” header, which a fraudster controls. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
- Confirm requests for transfers of funds through a second, independent channel. When verifying by telephone, call previously known numbers, not the numbers provided in the e-mail request.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
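Several of the FBI’s indicators above (a “Reply-To” address that differs from the apparent sender, an executive’s name paired with an outside mailbox, a lookalike supplier domain, and language pressing for urgency or secrecy or announcing new bank details) can be checked mechanically before a message ever reaches the person who processes wires. The script below is an added example written for this article; it is not code from the FBI Alert or from any vendor. The vendor domain list, the executive roster and the three sample messages are constructed for illustration, and the edit-distance threshold of 2 is an assumption that a real deployment would tune.

```python
"""Triage incoming e-mail against the BEC indicators listed in the FBI Alert.

Added example; the domain list, executive roster, thresholds and sample
messages below are constructed for illustration, not taken from the article.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed allow-list: domains that legitimate counterparties actually use.
KNOWN_DOMAINS = {"example-corp.com", "acme-supplier.com"}
# Constructed roster: executive display names and their genuine addresses.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
URGENCY = re.compile(r"\b(urgent|immediately|confidential|keep this between us|"
                     r"do not (?:discuss|mention)|before (?:close|end) of business)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed) (bank|account|wire|routing)\b", re.I)
LOOKALIKE_THRESHOLD = 2  # assumption: max edits for a domain to count as a lookalike


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; one substitution catches acme-suppl1er.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the known domain this one imitates, or None if it is known or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if edit_distance(domain, known) <= LOOKALIKE_THRESHOLD:
            return known
    return None


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # "Reply" would go to Reply-To, not to the visible sender: the reason to Forward instead.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: {from_addr} -> {reply_addr}")

    # Executive's display name on a mailbox that is not theirs (CEO fraud / spoofing).
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display-name spoof: '{from_name}' <{from_addr}>")

    # Domain a few keystrokes away from a real supplier (bogus invoice scheme).
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(f"lookalike domain: {from_dom} ~ {imitated}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text):
        findings.append("urgency/secrecy language")
    if BANK_CHANGE.search(text):
        findings.append("request to change payment details")
    return findings


# Constructed sample messages.
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q2 numbers
Content-Type: text/plain; charset="utf-8"

Attached are the Q2 figures for the board pack.
"""

SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@gmail.com>
Reply-To: jane.doe.ceo@outlook.com
To: accounts@example-corp.com
Subject: Wire needed today
Content-Type: text/plain; charset="utf-8"

Please process an urgent wire of $48,500 to the new account details attached.
Keep this between us until the deal closes.
"""

SAMPLE_LOOKALIKE = """\
From: Billing <ar@acme-suppl1er.com>
To: accounts@example-corp.com
Subject: Invoice 4471
Content-Type: text/plain; charset="utf-8"

Our bank changed; please send the invoice payment to the updated account below.
"""

if __name__ == "__main__":
    for name, sample in [("legit", SAMPLE_LEGIT), ("ceo-fraud", SAMPLE_CEO_FRAUD),
                         ("lookalike", SAMPLE_LOOKALIKE)]:
        print(name, triage(sample) or ["no findings"])
```

Run as a script, the legitimate message produces no findings, the CEO-fraud sample trips four checks (Reply-To mismatch, display-name spoof, urgency language, changed payment details) and the supplier sample trips two (lookalike domain, changed payment details). None of these findings is proof of fraud on its own; they are the signals that should route a payment request to out-of-band confirmation on a previously known number, as the FBI Alert advises.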
At the end of the day, there is no way for an organization to guarantee that it will never be targeted by a BEC scheme; even abandoning e-mail would not stop the telephone and facsimile variants described above. The realistic defense is continuous employee training and education, combined with the verification practices set forth in the FBI Alert, above all confirming any change in payment instructions through a channel other than the one the request arrived on. And of course, should an organization fall victim to such a scam, it should make sure that it has an incident response plan in place so that it can respond effectively and efficiently. We also remind all organizations, big and small, to evaluate all of their policies of insurance and ensure that they have sufficient coverage for the current and evolving threats posed by BEC, as well as other cyber risks.