Business email compromise (BEC) scams are on the rise. In 2020, the FBI’s Internet Crime Complaint Center (IC3), received 19,369 BEC/Email Account Compromise (EAC) complaints with adjusted losses of over $1.8 billion.
This type of fraud poses substantial risk to all types of organizations. Small businesses, non-profit organizations, and multi-national large corporations have all reported being victimized. In almost every case, the perpetrator targeted an employee with the authority to pay vendors via a wire transfer, such as the bookkeeper, accountant, controller, or CFO. An apparently legitimate email request to make a wire transfer was sent to the individual, typically when the CEO was traveling. However, instead of showing banking details for the appropriate vendor, the transfer request shows bank details for an account controlled by the fraudster. Once the transfer is made, the funds are quickly laundered to make recovery difficult.
Techniques Used in BEC Scams
Perpetrators often used public information available on a company’s website and social media channels to make the initial contact. Some of the techniques used in the BEC scams are:
- Spear-phishing – Scammers send bogus e-mails targeted specifically to individuals authorized to initiate wire transfer payments.
- Social engineering – Perpetrators contact victims and trick the victims into providing them with confidential information or making a wire transfer.
- Spoofing e-mail accounts or websites – Criminals use a slight variation of legitimate email accounts or website addresses to convince victims to initiate fraudulent wire transfers.
- Malware – Hackers infiltrate networks and gain access to sensitive company data necessary to carry out the scheme. In BEC scams, legitimate e-mail threads were accessed regarding vendors, billing practices, invoices, and other sensitive information.
Basic Elements of BEC Scams
Although fraudsters use multiple approaches, typically BEC scams involve perpetrators:
- Targeting businesses with foreign suppliers and/or operations that frequently require wire transfer payments.
- Infiltrating the victim’s network through malware or social engineering.
- Monitoring the victim’s email server to identify individuals who typically request and authorize wire transfers, as well as learn the company’s wire transfer protocols.
- Waiting until the CEO is away and unavailable to review the wire transfer request.
- Sending a seemingly legitimate email request to an employee who authorized to initiate a wire transfer. The fraudulent request generally appears to be ordinary and from an appropriate party, such a trusted vendor, or even the company’s CEO.
- Requesting that funds be transferred to a foreign bank account or a shell account in the U.S. operated by unsuspecting accomplices. Scammers then quickly transfer the funds abroad and launder the money to make recovery difficult.
Common Characteristics of BEC Cases
The FBI identified common characteristics in the majority of BEC cases such as:
- Targets are typically businesses and employees who use open source or free personal e-mail accounts and individuals responsible for handling wire transfers.
- Spoofed e-mails closely mimic legitimate wire transfer requests.
- Fraudulent emails are well-worded, company specific, for a typical transaction amount, may contain phrases like “code to admin expenses” or “urgent wire transfer” and do not raise suspicions regarding the legitimacy of the request.
- Requests coincide with business travel dates for the CEO or other executives whose e-mails were spoofed.
- IP addresses frequently trace back to free domain registration sites.
Tips to Protect Your Company
The FBI recommends that companies and employees implement the following controls and procedures to protect against BEC scams:
- Verify changes in vendor payment locations and confirm requests for fund transfers on the phone or by using an email address you have on file. Never use phone numbers or email addresses provided in the request. Use the “Forward” option instead of “Reply” to respond. Either type in the correct e-mail address or select it from an e-mail address book.
- Know the habits of your customers, including the reason, transaction details, and amount of payments. Beware of any significant changes.
- Scrutinize all e-mail requests for fund transfers to determine if anything is out of the ordinary.
- Be suspicious of requests for secrecy or pressure to act quickly to initiate the wire transfer.
- Use the company’s domain name (website address) for employee e-mail accounts.
- Post limited financial and personnel information (job duties/descriptions, organizational charts, and out-of-office details) on company websites and social media channels.
- Consider financial security procedures that include a two-step authentication process for wire transfer payments and access to company email accounts.
- Create intrusion detection system rules that flag e-mails with extensions that are similar, but not exactly the same, as the company’s. For example, .co instead of .com.
- Register all available internet domains that are slightly different than the actual company domain.
- Never open spam or a suspicious e-mail, click on links in the e-mail, or open attachments. Delete these emails immediately.
If you suspect that your company may be a victim of a BEC scam, notify the FBI IC3.
Contact LaPorte to discuss your anti-fraud controls. Having effective controls in place may reduce the risk that you will become a victim of a BEC scam.