Business email compromise: The odds of being a victim are increasing

As is often the case, guidances or advisories issued by regulators in the financial services industry are frequently highly useful for all forms of businesses, whether financial services or otherwise.

The most recent such advisory is from FinCEN, the Financial Crimes Enforcement Network, which is part of the US Department of the Treasury. That guidance calls out the growing threat of business email compromise (BEC), which targets a financial institution’s commercial customers, and email account compromise (EAC), which targets the victim’s personal accounts.

Again, it bears emphasizing that while directed to financial institutions, the recommendations in the advisor are directly applicable to a broad range of businesses.

Some perspective will highlight the threat posed by BEC and EAC. Since 2013, there have been 22,000 reported cases of BEC and EAC fraud involving $3.1 billion. Today, it is estimated more than $300 million in this type of theft occurs every month. Bear in mind these statistics are of “reported” cases. Based on our experience, many more go unreported because they are not discovered or because the victim did not want to admit it was compromised.

These email compromise schemes involve impersonating victims to submit apparently legitimate transactions to financial institutions for processing. One of the most common examples of this activity is the impersonation of a business issuing a transaction to pay one of its vendors or suppliers.

As noted in the Advisory from FinCEN, this type of fraud generally has three stages:

1. Compromising victim information of email accounts

As a first stage, criminals will unlawfully gain access to a victim’s email account through some form of social engineering (most commonly, phishing) or by compromising the victim’s servers. Criminals then review the victim’s email account to gain information about their financial institutions, accounts, contacts, suppliers, vendors, etc.

2. Transmitting fraudulent transaction instructions

Leveraging the information obtained in Stage 1, impersonating the victim, criminals then initiate transactions with the victim’s financial institutions. These transactions can be made from two sources:  either the victim’s compromised email account or a fake email account made to resemble the victim’s account (see the example below).

3. Executing unauthorized transactions

Again, leveraging the information obtained in Stage 1, criminals induce the victim’s employees or financial institution to initiate wire transfers or other payments that appear legitimate, but are fraudulent. In many instances, payments pass through multiple accounts, including those offshore, to make them difficult, if not impossible, to trace.

The FinCen Advisory offers a number of red flags to help identify potential instances of BEC and EAC. While written for financial institutions, every business will find them useful in protecting their own email accounts from this type of fraud:

• A customer’s seemingly legitimate emailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
• Transaction instructions originate from an email account closely resembling a known customer’s email account; however, the email address has been slightly altered by adding, changing, or deleting one or more characters. For example:

Legitimate email address:  john-doe@abc.com

Fraudulent email addresses:  john_doe@abc.com or john-doe@bcd.com

• Emailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
• Emailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
• Emailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
• Emailed transaction instructions include markings, assertions, or language designating the transaction request as “Urgent,” “Secret” or “Confidential.”
• Emailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
• Emailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
• A customer’s employee or representative emails a financial institution transaction instructions on behalf of the customer that are based exclusively on email communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
• A customer emails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
• A wire transfer is received for credit into an account, however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor, while thinking the new account belongs to the known supplier/vendor. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of email-compromise fraud.

Given the growth over the last few years in BEC and EAC fraud, businesses should educate employees about the risks involved and red flags of this activity. In particular, every employee in a business’ accounts payable department should be keenly aware of the social networking and other techniques used by criminals to gain access to their accounts or to induce them to directly make fraudulent payments.