Taking Back the ID

Business email compromise fraud

Date: September 1, 2017

According to an International Business Times report posted by A. J. Dellinger on June 13, Southern Oregon University lost $1.9 million in a business email compromise scheme. (See Fraudulent Email: Business Email Compromise Attack Costs Southern Oregon University $2M.) The money was intended to pay a contractor for his work on the university’s McNeal Pavilion and Student Recreation Center. Fraudsters posing as the contractor used a fraudulent email account to trick an employee into wiring the funds to their account.

It’s big and expanding rapidly

This case is an example of the business email compromise (BEC) scam that has ravaged businesses throughout the world for the past few years and caused financial losses in the billions of dollars. Organized crime groups are mainly responsible, but anybody can commit the fraud. According to a Feb. 17 alert from the FBI, here are two of the online tools they use to target their victims:

  • “Spoofing email accounts and websites: Slight variations on legitimate addresses (john.kelly@abccompany.com vs. john.kelley@abccompany.com) fool victims into thinking fake accounts are authentic. The criminals then use a spoofing tool to direct email responses to a different account that they control. The victim thinks he is corresponding with his CEO, but that is not the case.
  • “Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC perpetrators.”

This sophisticated scam targets businesses that typically pay bills via wire payments. Included in the BEC scam is the email account compromise (EAC) component that targets individuals who are responsible for wire transfer payments for a business.

I reported on the BEC scam in past issues of Fraud Magazine (see Business email scam rampant, January/February 2016; Tech support and BEC scams explode, September/October 2016), but I believe an update of this prolific scam is justified because of its horrendous spread to many more countries, escalating dollar losses and expansion to new industries.

The number of countries hit with this scam has grown from 100 in 2015 to 131 at the end of 2016, according to a May 4 alert by the FBI’s Internet Crime Complaint Center (IC3). The alert states, “Between January 2015 and December 2016 there was a 2,370 percent increase in identified exposed losses.” All 50 U.S. states continue to be hit hard.

The IC3’s PSA reported these BEC/EAC statistics: Between October 2013 and December 2016, there were 40,203 domestic and international incidents for a loss of $5,302,890,448. From October 2013 to December 2016, there were 22,292 U.S. victims for a loss of $1,594,503,669 and 2,053 victims outside of the U.S. for a total loss of $626,915,475.

Once fraudsters have identified the individual who has the authority to perform wire transfers, they use social media websites and phishing emails to learn more about this person before they proceed with the BEC scam. They can gain an accurate understanding of the roles that individuals perform in a business and the messaging procedures for wire transfers. Fraudsters send scareware or ransomware via email while posing as a legitimate source. Once the target clicks the link, fraudsters gain access to passwords and financial information.

Scenarios

According to an April 14, 2016, Rpost blog by James Hsu, BEC fraudsters tend to target specific industries. In all the examples, after the victim replies to a fraudster’s phishing email to wire him funds, the fraudster siphons off the email and routes it to himself. Then the fraudster replies to the victim with more details and wiring instructions along with a sense of urgency to complete the transaction.

Law firms and their clients. Fraudsters, pretending to be a law partner, send an email to a law firm’s client — using information commonly found in litigation filings — that contains a request for more money and wiring instructions. The client forwards the email to their accounting department. (Sometimes the criminal targets the accounting staff directly.) By the time the client notices the discrepancy, it’s normally too late.

Insurance agents, brokers and their clients. Fraudsters who are impersonating an insurance agent or broker staff send an email to the agent/broker’s client (or client’s accounting department) using information about common insurance policies — such as officers’ liability insurance — that they claim must be renewed immediately.

Fraudsters sometimes add details that they can find from public litigation court filings to make the email appear even more legitimate. As in the previous example, the client forwards the email containing the wire instructions to his accounting department, which then routes funds to the imposter bank account.

Home buyers, Realtors, escrow agents and title insurance companies. Crooks send a fake email — claiming to be the seller’s Realtor — to the buyer’s agent, stating that if the transaction doesn’t close now, the homebuyer might lose the deal. Sometimes the fraudsters insert details of the actual transaction, which they can find in public filings and online listing services. The buyer’s agent forwards the email containing the wire instructions to the buyer with a note to quickly fund the down payment. Sometimes the criminal targets the escrow agent, title insurance company or buyer directly. Once the victims discover the crime — as soon as three or four days later, after the real agent asks the homebuyer to send funds for a legitimate closing — it’s too late.

Business finance and human resources staff. Fraudsters impersonate a member of senior management and send an email to someone in the finance department, claiming an invoice needs to be urgently paid to avoid being cut off by a supplier. Sometimes the criminals insert details of the actual transaction using generic identifiers such as “technology expense” or “due diligence expense.” The crime is often not detected until months later during an audit or reconciliation, if ever.

Registered Investment Advisors. An investment advisor opens a “client” email that requests the advisor to liquidate some assets. If that advisor or a staff member wires the funds, they’ll be diverted to a foreign bank account and lost forever.

Protect yourself

The IC3 offers the following suggestions to help businesses protect themselves from the BEC scam:

  • Instead of using free web-based email accounts, buy a company domain name and use it to establish company email accounts.
  • Don’t overreveal in social media and company websites, especially job duties, hierarchical information and out-of-office details.
  • Be suspicious of requests for secrecy or pressure to act quickly.
  • Consider extra security procedures, including a two-step verification process, such as a phone call as well as email or digital signatures.
  • Immediately report and delete an email from someone you don’t know. Don’t open any email or attachments from these unknown parties, or you could unleash malware.
  • Instead of using “Reply,” forward the email and manually type in the correct email address or select it from your address book.
  • Use a two-factor authentication for corporate email accounts, which requires two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
  • Beware of sudden changes in business practices, i.e., a client suddenly wanting you to use their personal email when they’ve always used their company email.
  • Create intrusion detection system rules that flag emails with extensions that are similar to company email, such as abc_company.com flagging fraudulent email from abc-company.com.
  • Register all company domains that resemble your own.
  • Use two-factor authentication to verify changes in vendor payment.
  • Confirm requests for transfers of funds and flag any unusual requests.
  • Know the habits of your customers, especially anything related to their payments.
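The two mail-filter checks suggested above (flag sender domains that look like your own, such as abc_company.com vs. abc-company.com, and catch replies being routed to an account the criminals control) can be implemented as a small header check. The following is an added illustration, not code from the column or from the IC3; the company domain, the edit-distance threshold and the sample message are constructed assumptions.

```python
"""Flag lookalike sender domains and mismatched Reply-To headers in a raw email."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abccompany.com"   # constructed example; substitute your own domain


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain, legit=COMPANY_DOMAIN, max_edits=2):
    """True if domain is not the legitimate one but is within a few edits of it
    (abc-company.com, abccompany.co, abccornpany.com). Threshold is an assumption."""
    if not domain or domain == legit:
        return False

    def strip(d):  # ignore separators so abc_company.com and abc-company.com both match
        return d.replace("-", "").replace("_", "")
    return edit_distance(strip(domain), strip(legit)) <= max_edits


def flags_for(raw_message):
    """Return the reasons a message is suspicious (empty list means nothing flagged)."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    reasons = []
    if lookalike(sender):
        reasons.append(f"lookalike sender domain {sender}")
    # Replies silently going to a different domain is the "spoofing tool directs
    # email responses to a different account" pattern the FBI alert describes.
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To domain {reply_to} differs from From {sender}")
    return reasons


# Constructed sample: appears to come from the company, but replies go elsewhere.
SAMPLE = ("From: John Kelly <john.kelly@abc-company.com>\r\n"
          "Reply-To: <john.kelly@mail-relay-example.net>\r\n"
          "Subject: Urgent wire\r\n\r\nPlease wire the funds today.\r\n")
```

Treat the result as a flag for human review rather than a verdict: very short company domains will be within two edits of many unrelated domains, and some legitimate senders (mailing lists, ticketing systems) set a different Reply-To on purpose.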

More help for the community

I hope you’ll share this information with your business associates, family, friends and clients and include it in your outreach programs. An important takeaway from this column is that, to prevent scams like this and others, organizations must set up an ongoing fraud awareness for all their employees that educates them about emerging cyber schemes.

Please contact me if you have any identity theft issues you’d like me to research and possibly include in future columns or if you have any questions related to this column or any other cyber security/identity theft issue. I don’t have all the answers, but I’ll do my best to help. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. His email address is: doctorh007@gmail.com.
