Members of the Financial Services Information Sharing and Analysis Center, as well as federal law enforcement agencies, continue to report an increase in wire transfer fraud against U.S. businesses through a scam referred to as “Business Email Compromise” (BEC).
Attacks target key execs’ emails
BEC fraud involves the compromise of legitimate business email accounts for conducting unauthorized wire transfers. After a business email account is compromised, criminals use the compromised account or a spoofed account to send wire transfer instructions. The funds are sent primarily to Asia, but also to other countries around the world.
Most of the BEC incidents involve the compromise of an email account belonging to a business’s CEO/CFO, in order to send an email to an employee with the ability to conduct wire transfers.
Additionally, other incidents involve the compromise of a vendor or supplier’s email account with the intention of modifying the bank account associated with that firm. The latter scheme may also be labeled as vendor fraud and involves a last-minute change of the bank and account number for future payments.
In most cases, after the actors compromise the legitimate business email accounts through social engineering or malware, they conduct reconnaissance to review the business’s legitimate email communications and travel schedules. [See “You are the weakest link”]
In some instances, criminals have auto-forwarded emails received by the victim to an email account under their control. This reconnaissance stage lasts until the crook feels comfortable enough to send wire transfer instructions using either the victim’s email or a spoofed email account controlled by the fraudster. The difference in the spoofed email address is very subtle and can easily be mistaken for the legitimate business email address.
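The "very subtle" spoofed address mentioned above is something a payments team can screen for mechanically. The following is an added example, not code from the article or from FS-ISAC: it compares the sender's domain against a constructed list of known partner domains, folding common character swaps (0/o, 1/l, rn/m, fullwidth letters) and allowing one or two typos before calling an address a lookalike. The partner domains, the confusable table and the sample addresses are all assumptions for illustration.

```python
"""Flag sender domains that impersonate a known trading partner.

Added example, not code from the article or FS-ISAC. The partner domains and
sample addresses are constructed; the confusable table is a short illustrative
subset, not a complete list.
"""
import unicodedata
from typing import Optional, Tuple

# Assumed legitimate partner domains (hypothetical names), in a fixed order so
# results are deterministic when more than one could match.
KNOWN_DOMAINS = ("acme-supply.com", "northwind-traders.com")

# Character swaps commonly used in lookalike domains (illustrative subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, fold Unicode compatibility forms (e.g. fullwidth letters),
    then replace common confusable sequences so visual twins compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().strip()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute and a
    swap of two adjacent characters each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def _stem(domain: str) -> str:
    """Drop the final label (TLD) so acme-supply.net and acme-supply.co are
    compared against acme-supply alone."""
    return domain.rsplit(".", 1)[0] if "." in domain else domain


def classify_sender(address: str) -> Tuple[str, Optional[str]]:
    """Return ("legit" | "lookalike" | "unknown", matched partner domain)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    for known in KNOWN_DOMAINS:
        if domain == known or domain.endswith("." + known):
            return "legit", known
    stem = _stem(normalize(domain))
    for known in KNOWN_DOMAINS:
        known_stem = _stem(normalize(known))
        if (
            known in domain                           # acme-supply.com.evil.net
            or stem == known_stem                     # TLD swap or confusable chars
            or edit_distance(stem, known_stem) <= 2   # one or two typos
        ):
            return "lookalike", known
    return "unknown", None


if __name__ == "__main__":
    for addr in (
        "ap@acme-supply.com",
        "ap@acme-supp1y.com",
        "ap@acrne-supply.com",
        "ap@acme-supply.com.evil.net",
        "ap@acme-supply.net",
        "someone@gmail.com",
    ):
        print(f"{addr:32} {classify_sender(addr)}")
```

A "lookalike" verdict is a reason to stop and verify out of band, not proof of fraud: the edit-distance rule will also fire on a genuinely different partner whose name happens to be close, and it says nothing about the local part of the address (john.smith versus john.smlth), which the same normalization can be applied to.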
The following is based on FS-ISAC’s warning bulletin advice:
The criminals use multiple methods to ensure their email communications are successful. In some instances, criminals have created rules using the compromised business email account to send all communications associated with their activity to the trash folder or to a hidden folder that the victim is unaware of.
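Both of the tradecraft items described so far (auto-forwarding to an attacker-controlled address, and rules that shunt the criminals' traffic into trash or an unwatched folder) leave a footprint in the victim's mailbox rules, which makes rule auditing a practical detection. The block below is an added example, not code from the article or from FS-ISAC: it runs over a constructed, platform-neutral export of one mailbox's rules and flags external forwarding, rules that delete or bury finance-related mail, catch-all hiding rules, and rules with blank or punctuation-only names. The field names, the internal domain and the sample rules are assumptions; a real audit would map the fields from the mail platform's admin API.

```python
"""Audit a mailbox's inbox rules for BEC tradecraft: forwarding to external
addresses, and rules that delete or bury finance-related mail.

Added example, not code from the article or FS-ISAC. The rule records below
are a constructed, platform-neutral export; field names are assumed, and a
real audit would map them from the mail platform's admin API.
"""
from dataclasses import dataclass
from typing import List

INTERNAL_DOMAINS = {"example-corp.com"}  # assumed: the organisation's own domains
FINANCE_KEYWORDS = ("wire", "invoice", "payment", "bank", "remittance", "ach")
# Folders users rarely open, so a rule moving mail there effectively hides it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reason: str


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rules(mailbox: str, rules: List[dict]) -> List[Finding]:
    """Return one Finding per suspicious trait across the mailbox's enabled rules."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        name = (rule.get("name") or "").strip()
        label = name or "<unnamed>"
        conditions = " ".join(
            rule.get("subject_contains", [])
            + rule.get("body_contains", [])
            + rule.get("from_contains", [])
        ).lower()
        hides = bool(rule.get("delete")) or (
            (rule.get("move_to_folder") or "").lower() in HIDING_FOLDERS
        )

        # Any forward or redirect leaving the organisation is worth a look.
        for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
            if _is_external(target):
                findings.append(Finding(mailbox, label,
                                        f"forwards mail to external address {target}"))
        # Hiding mail that talks about wires, invoices or bank details.
        if hides and any(k in conditions for k in FINANCE_KEYWORDS):
            findings.append(Finding(mailbox, label,
                                    "deletes or hides finance-related mail"))
        # Hiding everything, with no condition at all.
        if hides and not conditions:
            findings.append(Finding(mailbox, label,
                                    "catch-all rule deletes or hides mail without any condition"))
        # Fraudsters often name rules "." or "," so they are easy to overlook.
        if not name or not any(ch.isalnum() for ch in name):
            findings.append(Finding(mailbox, label,
                                    "rule name is blank or punctuation only"))
    return findings


# Constructed sample export for one executive mailbox.
SAMPLE_RULES = [
    {"name": "Finance", "subject_contains": ["wire", "invoice"],
     "move_to_folder": "RSS Feeds", "mark_read": True},
    {"name": ".", "forward_to": ["collector@mail-drop.example.net"]},
    {"name": "Newsletters", "from_contains": ["news@"], "move_to_folder": "Newsletters"},
    {"name": "Old cleanup", "enabled": False, "delete": True},
]

if __name__ == "__main__":
    for f in audit_rules("cfo@example-corp.com", SAMPLE_RULES):
        print(f"[{f.mailbox}] rule {f.rule!r}: {f.reason}")
```

Run this against every mailbox that can request or approve payments, not just the executives', and pair it with the mail platform's own forwarding settings, since forwarding can also be set at the mailbox level outside the rules list.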
A common theme in the CEO/CFO scheme is that criminals wait until the CEO/CFO is on official travel before sending wire transfer instructions: the executive is then more likely to use email for official business, and it is harder for staff to verify the request with them in person.
These requests will sometimes state that the wire transfer is related to urgent or confidential matters and must not be discussed with any other company personnel.
How to protect yourself and your bank
There are various methods to reduce the risk of falling victim to this scam and subsequently executing a fraudulent wire transfer. Methods include:
• Verify a change in payment instructions to a vendor or supplier by calling to verbally confirm the request. The phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor.
• Maintain a file of vendor contact information for those who are authorized to approve changes in payment instructions. Preferably, this file should not be kept in electronic form.
• Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers.
• Use out-of-band authentication to verify wire transfer requests that are seemingly coming from executives. This may include calling the executive to obtain verbal verification; establishing a phone personal identification number to verify the executive’s identity; or sending the executive via text message a one-time code and a phone number to call in order to confirm the wire transfer request.
• When staff at a business are contacted by the bank to verify a wire transfer, they should delay the transaction until additional verification can be performed.
• Require dual-approval for any wire transfer request meeting certain criteria. This would include any or all of the following: a dollar amount over a specific threshold; trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments; any new trading partners; new bank and/or account numbers for current trading partners; wire transfers to countries outside of the normal trading patterns.
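The dual-approval criteria in the last bullet are simple enough to encode directly in a payment workflow, which is what the added example below does. It is not code from the article or from FS-ISAC: the dollar threshold, the set of "normal" destination countries, the counterparty registry and the sample requests are constructed placeholders for an institution's own policy data. The release check also requires that approvers be distinct from the requester, which is an assumption of this example rather than something the bulletin states.

```python
"""Apply the dual-approval criteria to a wire request and require two distinct
approvers when any criterion is tripped.

Added example, not code from the article or FS-ISAC. The threshold, the
normal-country set, the counterparty registry and the requests are constructed
placeholders for an institution's own policy data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

THRESHOLD_USD = 25_000.00              # assumed policy limit
NORMAL_COUNTRIES = {"US", "CA", "GB"}  # assumed usual destination geography


@dataclass(frozen=True)
class Counterparty:
    bank_routing: str
    account: str
    country: str
    whitelisted: bool


# Constructed registry of trading partners and the details held on file.
REGISTRY: Dict[str, Counterparty] = {
    "Acme Supply": Counterparty("021000021", "123456789", "US", whitelisted=True),
    "Northwind Traders": Counterparty("026009593", "987654321", "US", whitelisted=False),
}


@dataclass(frozen=True)
class WireRequest:
    requester: str
    counterparty: str
    amount_usd: float
    bank_routing: str
    account: str
    country: str


def approval_reasons(req: WireRequest) -> List[str]:
    """List every criterion the request trips; an empty list means a single
    approval is enough under this policy."""
    reasons = []
    if req.amount_usd > THRESHOLD_USD:
        reasons.append(f"amount {req.amount_usd:,.2f} exceeds threshold {THRESHOLD_USD:,.2f}")
    on_file = REGISTRY.get(req.counterparty)
    if on_file is None:
        reasons.append("new trading partner not in registry")
    else:
        if not on_file.whitelisted:
            reasons.append("trading partner not on the approved whitelist")
        if (req.bank_routing, req.account) != (on_file.bank_routing, on_file.account):
            reasons.append("bank routing or account number differs from details on file")
    if req.country not in NORMAL_COUNTRIES:
        reasons.append(f"destination country {req.country} is outside normal trading patterns")
    return reasons


def release_allowed(req: WireRequest, approvers: Set[str]) -> bool:
    """True when enough distinct approvers, none of them the requester, have signed off.
    Requiring the approver to differ from the requester is an assumption of this example."""
    needed = 2 if approval_reasons(req) else 1
    independent = {a for a in approvers if a != req.requester}
    return len(independent) >= needed


if __name__ == "__main__":
    # Constructed request: known partner, but the account number has "changed".
    changed = WireRequest("ap.clerk", "Acme Supply", 4_800.00, "021000021", "555000111", "US")
    for reason in approval_reasons(changed):
        print("dual approval required:", reason)
    print("release with one approver:", release_allowed(changed, {"ap.supervisor"}))
    print("release with two approvers:", release_allowed(changed, {"ap.supervisor", "controller"}))
```

The changed-account case is the vendor-fraud scenario from earlier in the article: the amount is routine and the partner is whitelisted, yet the request still cannot be released by one person because the bank details no longer match what is on file. Note that the code only decides who must approve; the out-of-band phone verification from the earlier bullets is still what the second approver should actually perform.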
If you get hit by BEC…
• Timing is critical. If notified immediately, financial institutions and law enforcement can work to increase the chance of recovering the stolen funds.
• When reporting, be prepared to provide a general description of this crime, how it occurred, losses experienced, and wiring/ACH instructions.
• The FS-ISAC encourages member institutions to report any observed fraudulent activity through the FS-ISAC submission process on the FS-ISAC portal or by contacting the FS-ISAC SOC. Submission through the portal can be anonymous.
• Financial institutions’ compliance or anti-money laundering team(s) should submit a Suspicious Activity Report using the “BEC” term to make it easier for law enforcement to track.