United States business e-mail accounts are under attack by sophisticated fraudsters.
The FBI, Financial Services Information Sharing and Analysis Center (FS-ISAC) and the United States Secret Service issued a financial services bulletin on June 19 warning against increasing wire transfer fraud against U.S. businesses referred to as “Business E-mail Compromise” (BEC) scams.
The bulletin warned that BEC is a type of payment fraud that involves the compromise of legitimate business e-mail accounts for the purpose of conducting unauthorized wire transfers. Many compromised accounts belong to business CEOs or CFOs. The funds are primarily sent to Asia, but funds involved in these schemes have been diverted to locations around the globe.
BEC fraud compromises e-mail accounts through phishing, social engineering or malware used to obtain the user’s password. Once an e-mail account is compromised, fraudsters begin accessing and reviewing e-mails, including meeting and calendar information, contacts lists, and information concerning business partners, vendors and customers.
This activity enables the fraudsters to interject themselves into normal business communications masquerading as the person whose account was compromised. This reconnaissance stage lasts until the actor feel comfortable enough to send wire transfer instructions using either the victim’s e-mail or a spoofed e-mail account. E-mails are typically sent to an employee with the ability to wire funds. A common tactic is to wait until the victim is away on legitimate business travel to send new wire instructions, making it more likely that individual would use e-mail to conduct business and making it more difficult to verify the transaction as fraudulent while the victim is in transit. The requests will sometimes state that the wire transfer is related to urgent or confidential business matters and must not be discussed with other company personnel.
Other incidents involve the compromise of a vendor or supplier’s e-mail account with the intention of modifying the bank account associated with that business. This scheme may also be labeled “vendor fraud” and often involves last minute changes of the bank and account number for future payments.
Other suggestions to guard against this fraud are:
- Limit the number of employees with authority to handle wire transfers.
- Have a second employee designated as an approver for any wire transfer requests.
- Be careful opening attachments and clicking on links even if the e-mail appears to be from a legitimate source if you believe wire instructions may be included in the communication.
- Look out for e-mails that contain significant changes in grammar, sentence structure and spelling compared to previous communications.
- Look out for suspicious communications particularly toward the end of the week or the end of a business day. The fraudsters will have more time to access and divert funds.
- Maintain a file, preferably in non-electronic form, of vendor contact information, including telephone numbers.
- Look out for “spoofed” e-mail addresses that are made to look like the real addresses. Fraudsters use tactics like character substitution, addition and omission to make e-mails addresses appear legitimate. Here are some examples using a Chicago Title address, email@example.com
- Be wary of wire transfers to countries outside of normal trading patterns.
Dirt lawyers, protect your businesses and your clients’ funds by following these critical guidelines!