Business email scam rampant

Small-business owner Suzie Franklin commonly uses a wire system to transfer money from her bank account to overseas vendors. She recently received an email from one of her vendors that instructed her to click on a link to initiate a wire transferring of her bank account funds to the vendor's account for payment. She later discovered a $9,000 transfer out of her account and immediately notified her bank. A bank officer told her that she was a victim of the business email compromise scam (BEC).

Compromising situations

This case is fictional but illustrates a prevalent, sophisticated and expensive scam. (BEC was once called the "man-in-the-middle scam.") I first mentioned the BEC scam in the November/December 2015 column, in which I described the email account compromise scam.

Fraudsters target businesses working with foreign suppliers and/or businesses that regularly perform wire-transfer payments. The crooks use social engineering or computer intrusion techniques to compromise real business email accounts and create unauthorized transfers of funds out of business bank accounts. (Sometimes the fraudsters trick victims into paying them through business checks if that's the victims' preferred method of payment.)

Emerging technique

The FBI — via the Internet Crime Complaint Center (IC3) — reports an increase in computer intrusions and four versions of the scam: three in a January 22 announcement and one more in an August 27 announcement.

In the typical version, the fraudster emails a phishing document to an intended victim via the address of a legitimate supplier and asks him to change the wire transfer payments of paying invoices. This request tricks the victim into clicking on a malicious link that downloads malware on his computer and allows the fraudster to gain unrestricted access to personally identifiable information (PII), including financial account data and passwords. The fraudster now has all the information he needs to wire money out of the victim's bank account. Game over! When the real supplier delivers the goods and asks for payment, the victim knows he's been scammed.

Another version of the scam targets upper-level executives in an organization who receive email requests for wire transfers to bank accounts. According to the IC3, "the e-mails are spoofed by adding, removing, or subtly changing characters in the e-mail address that make it difficult to identify the perpetrator's e-mail address from the legitimate address." The IC3 reported in 2014 that the losses from these scams averaged about $55,000 with some more than $800,000.

In a third version, fraudsters send spoofed emails to suppliers — supposedly from their customer companies — asking for quotes or orders for merchandise. Many suppliers receive the emails at the same time, which alert them to possible suspicious behavior. Some companies followed up and easily linked the IP addresses to previous email scams based in Nigeria.

In the fourth version, a fraudster — who typically takes on the identity of a lawyer or a representative of a law firm — contacts a victim via email or phone at the end of the business day or work week claiming "to be handling confidential or time-sensitive matters." Of course, the fraudster creates a sense of panic to pressure the victim to expedite a funds transfer.

Losses are phenomenal

The FBI reports that the scam is intensifying with a "270 percent increase in identified victims and exposed loss since January 2015." Victims have been reported in every state in the U.S. and in 79 countries; the fraudulent wire transfers have been traced traveling to 72 countries, with most of them to Asian banks situated in China and Hong Kong.

The FBI's Internet Crime Complaint Center reported the scam's staggering statistics from October 2013 to August 2015. (See the FBI's BEC scam statistics below — October 2013 to August 2015.)

When the statistics identified by international law enforcement agencies are included in the data, according to the FBI, the exposed losses for the scam increase to more than $1.2 billion. No small change!

Protection from the scam

The FBI reports that many businesses have protected themselves from this scam by detecting it before they transfer funds to fraudsters and becoming victims. They do this by "holding their customer requests for international wire transfers for an additional period of time, to verify the legitimacy of the request."

Businesses also have reported these protective measures:

• "Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com."
• "Register all company domains that are slightly different than the actual company domain."
• "Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel."
• "Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request."
• "Know the habits of your customers, including the details of, reasons behind, and amount of payments."
• "Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary."

The FBI also advises businesses to read the U.S. Department of Justice publication, Best Practices for Victim Response and Reporting of Cyber Incidents.

FBI's advice for victims

If funds are transferred to a fraudulent account, you must act quickly:

• "Contact your financial institution immediately."
• "Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent."
• "Contact your local … FBI office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds."
• " File a complaint, regardless of dollar loss."

When you contact law enforcement or file a complaint with IC3, identify your incident as "BEC" and consider providing:

• Originating business name.
• Originating financial institution name and address.
• Originating account number.
• Beneficiary name.
• Beneficiary financial institution name and address.
• Beneficiary account number.
• Correspondent bank if known or applicable.
• Dates and amounts transferred.
• IP and/or email address of fraudulent email.

Provide this information at a minimum to law enforcement:

• Date and time of incidents.
• Incorrectly formatted invoices or letterheads.
• Requests for secrecy or immediate action.
• Unusual timing, requests or wording of the fraudulent phone calls or emails.
• Phone numbers of the fraudulent phone calls.
• Description of any phone contact, including frequency and timing of calls.
• Foreign accents of the callers.
• Poorly worded or grammatically incorrect emails.
• Reports of any previous email phishing activity.

Report the crime to local and state law enforcement agencies, the media and the Federal Trade Commission.

More help for the community

I hope you'll share this information with your family, friends and clients and include it in your outreach programs. We must step up our efforts to educate the public on how to safeguard their computers from hackers to avoid having sensitive information stolen, which will help to reduce identity theft.

Cybercriminals take advantage of any opportunity to develop schemes to rob consumers of their resources. Even though the hackers have the upper hand, an educated community will help curb the damage.

Please contact me if you have any identity theft issues you'd like me to research and possibly include in future columns or if you have any questions related to this column or any other cybersecurity and identity theft questions. I don't have all the answers, but I'll do my best. Stay tuned! 

Note: I would like to acknowledge Central Washington University's Faculty Research Program in their support of this work.

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Washington. He's also on the ACFE Advisory Council and the ACFE Editorial Advisory Committee. His email address is: doctorh007@gmail.com.