
BEC scams target business members and credit unions: What to know now

By: Jennifer Morrison, VP, Senior Risk Manager



November 24, 2015 -- In late August 2015, the Federal Bureau of Investigation (FBI) reported that more than 7,000 U.S. companies were defrauded out of almost $750 million between October 2013 and August 2015 through an increasingly prevalent and sophisticated scam known as business email compromise or BEC. In addition, there has been a frightening 270% increase in identified victims and exposed loss just since January 2015, according to the FBI alert. The scam has been reported in all 50 states and in 70 countries with transfers reported as going to 72 different countries.

What is BEC?

BEC is a scam that typically consists of criminals impersonating high-ranking executives or vendors, tricking companies into sending large wire transfers. This highly sophisticated form of social engineering has become the top threat for finance professionals, as well as a threat to financial institutions providing wire transfer services, such as Corporate One FCU and our members. BEC scams are major threats to your business members, too.

BEC, formerly known as the “Man-in-the-E-mail” scam, typically involves foreign payments; however, the payments may be sent through a number of financial institutions, so they may not immediately appear as international wire requests. The FBI reports that most wire transfers end up in Asian banks with banks located in China and Hong Kong among the most common final destinations.

The FBI reports that the BEC scam is linked to other forms of fraud, including but not limited to romance, lottery, employment, and home/vacation rental scams. The victims of these related scams are usually U.S. based and may be recruited as unwitting “money mules.”1 The mules receive the fraudulent funds in their personal accounts and are then directed by the subject to move the funds on quickly, by wire transfer service or through another bank account, usually outside the U.S. Mules may also be directed to open business accounts for fake corporations; both the account and the corporation may be registered in the mule’s true name.

Examples of BEC

Based on the complaints filed with the FBI, there are three main versions of the BEC scam:

Version 1: A business that often has a long-standing relationship with a supplier is asked to wire funds for an invoice payment to an alternate, fraudulent account. The request may be made by telephone, facsimile, or email. If it arrives by email, the sender address is spoofed or a close look-alike of the supplier’s real account, and it takes very close scrutiny to spot the difference. A facsimile or telephone request will likewise closely mimic a legitimate one. This version is often referred to as “The Bogus Invoice Scheme,” “The Supplier Swindle,” and the “Invoice Modification Scheme.”

Version 2: The email accounts of high-level executives (CEO, CFO, COO, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company typically responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for some reason “Y.” This particular version has been referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”

Version 3: An employee of a business has his/her personal email hacked. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal email to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until contacted by their vendors to follow up on the status of their invoice payments.

In addition to the three main versions, a fourth version, known as the “Attorney Check Scam” is related.

In the related “Attorney Check Scam” fraud, attorneys are targeted to represent supposed litigants in a payment dispute. The supposed litigants are directed to send retainer payments in the form of checks to the attorney. The scam is revealed when the checks are found to be fraudulent or the litigants are contacted. While the payment disputes may be real, the litigants in this scam neither contacted nor retained the attorney for legal assistance.

While these are the most common versions, it is important to note that the perpetrators are highly skilled social engineers. Once a “template” proves successful, it is replicated and deployed across all industries, in both the public and private sectors, ultimately targeting individuals and even households. A successful template is not retired until it stops paying off relative to the risk, at which point the next one is deployed. Because the scam is tailored so closely to its target, it is difficult to prevent with a “one size fits all” policy, and it often exploits the best in our nature: the desire to help others.

Who is vulnerable?

It is still largely unknown how victims are selected, according to the FBI. What is clear is that victims are monitored and studied before the scam is launched. The subjects are able to accurately identify the individuals and the protocol needed to perform wire transfers within the targeted business. Increasingly, victims first receive “phishing” emails requesting additional details of the business or individual to be targeted, such as names and travel dates. Some victims reported scareware or ransomware intrusions immediately preceding the BEC request.

The BEC scam victims range from small to large businesses, including financial institutions like Corporate One and your credit union! Victimized businesses may purchase or supply a variety of goods, such as textiles, food, furniture, and pharmaceuticals. The common denominator is that the victim engages in wire transfer payments.

Characteristics and protection

The FBI, through its collection of characteristics of reported BEC cases, makes some recommendations as protection against such scams. Use newsletters and websites to share the following education with your business members and credit union staff:

  • Businesses and personnel using free, web-based email (what the FBI calls “open-source” email) are the most targeted. Avoid web-based email for business. Establish a company website domain and use it for company email accounts. Businesses should also register look-alike domains (common misspellings and alternate top-level domains of their own) before a criminal does.
  • Be cognizant of information posted on company websites and to social media, especially job duties/descriptions, hierarchical information, and out-of-office details. Staff responsible for handling wire transfers within a specific business are often the most targeted. It does not take a genius to figure out that a CFO and titles like “Accounting Manager,” “Funds Manager,” “Wire Manager,” and “Controller” might be involved in a chain of payment origination and approval.
  • Spoofed emails very closely mimic a legitimate email request, and the hacked accounts are often personal email accounts. Fraudulent email requests for a wire transfer are well worded and specific to the business being victimized.
    • Typically the wording of the email does not raise suspicion; however, “code to admin expenses” and “urgent wire transfer” are common phrases in the fraudulent requests, per the FBI.
    • Maintain your established payables and funds-transfer controls: if procedure says a payment request cannot originate from email (including email from personal accounts), make no exceptions, regardless of the apparent urgency of the request or the apparent identity of the executive-level requestor.
  • The requested dollar amounts of the wires are specific to the business; therefore, the amounts do not raise suspicion.
  • The requests often coincide with business travel dates for executives whose emails were spoofed. This emphasizes that the targeted business was surveilled in some manner prior to launching the BEC scam.
  • The IP addresses used by the scammers frequently trace back to free domain registrars.

In addition, your business members and credit union management should practice the following:

  • Consider payment-processing controls that ensure email, facsimile, and telephone requests cannot be used to initiate wire transfers without out-of-band verification through a second channel, for example a telephone call to a previously known number. Arrange this verification procedure with vendors early in the relationship and outside of email, so that a hacker reading the mailbox cannot learn or alter it. Never contact vendors using information provided in the suspicious email or communication.
  • Use digital signatures (for example S/MIME) so that the recipient can check that a payment request really came from the stated sender. This will not work with free web-based email accounts, and some countries ban or limit the use of encryption.
  • Immediately delete unsolicited email (spam) from unknown parties. Do NOT open spam email or click on links in the email, and never open attachments. These often contain malware that will give criminals access to your computer system, allowing them to monitor activity, steal passwords, and learn payment processes and account numbers. Criminals will also monitor email, searching for words like “invoice,” “deposit,” and “president” to learn whether the company routinely sends wire transfers.
  • Do not use “reply” when responding to business emails: a reply goes to whatever Reply-To address the criminal set, and a familiar display name hides it. Instead, use “forward” and either re-type the party’s email address or select it from your address book, so that the intended party’s correct address is used.
  • Implement email detection that flags messages from domains similar to the company’s own. For example, if the legitimate domain is @company.com, the detection system would flag @c0mpany.com.
  • Do not rely on spam filters to catch these emails. These are targeted emails and not mass messages. BEC scams are not going to set off spam traps. Criminals executing a BEC scam have researched the target company’s relationships, activities, interests, travel, and purchasing plans sufficiently to spoof normal email communication.
  • Know your members: Review your business members and their payment methods, and target members who routinely use wire transfers for extra education and monitoring. Advise your business members (and your management and staff) to know your vendors and know your customers: Beware any sudden change in business practices. If a current business suddenly asks to be contacted via a personal email address when all previous official correspondence has been conducted via company email, the request could be fraudulent. Always verify requests via other channels to ensure that you are still communicating with your legitimate business member or vendor. Make a telephone call to the business; often the business is unaware they have been victimized until a curious party contacts them.
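The look-alike-domain check recommended in the list above, as an added example that is not part of the original article: a small Python detector that folds common homoglyph substitutions (0 for o, rn for m), measures edit distance against the company’s registrable domain, and catches the company name being reused as a label of some other domain. The company domain `company.com` and the sample sender addresses are invented for illustration; a production gateway rule would use the public suffix list and a larger substitution table.

```python
"""Flag sender domains that impersonate the company's own domain.

Added example (not from the original article): the company domain and
the sample sender addresses below are invented for illustration.
"""
import re

# Substitutions attackers use because they look alike in common fonts.
# Both the candidate and the legitimate label are folded, so the map only
# needs one direction (the cost is a rare false positive, e.g. clover/dover).
HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
}

LEGIT_DOMAINS = ["company.com"]  # assumed company domain

# Constructed sample senders, one per case the detector should handle.
SAMPLE_SENDERS = [
    '"J. Smith, CFO" <jsmith@company.com>',   # real
    "jsmith@mail.company.com",                # real subdomain
    "jsmith@c0mpany.com",                     # digit zero for letter o
    "cfo@cornpany.com",                       # r+n for m
    "jsmith@company.co",                      # dropped TLD letter
    "jsmith@companny.com",                    # one edit away
    "jsmith@company-secure.net",              # brand wrapped in a new domain
    "ap@vendor-supplies.com",                 # ordinary third party
    "jsmith.company@gmail.com",               # brand only in the local part
]


def fold(label):
    """Canonical form of a domain label: c0mpany, cornpany -> company."""
    s = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        s = s.replace(glyph, plain)
    return s


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Domain part of a From/Reply-To value, with or without a display name."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower().rstrip(".") if m else None


def registrable(domain):
    """Last two labels. A production version should use the public suffix
    list (co.uk and friends); this is enough for the sample cases."""
    return ".".join(domain.split(".")[-2:])


def classify(address, legit_domains=LEGIT_DOMAINS, max_distance=1):
    """Return 'internal', 'lookalike', 'external' or 'unparseable'."""
    dom = sender_domain(address)
    if dom is None:
        return "unparseable"
    legit = [d.lower() for d in legit_domains]
    if dom in legit or any(dom.endswith("." + d) for d in legit):
        return "internal"
    reg = registrable(dom)
    cand_label = reg.split(".")[0]
    for d in legit:
        legit_label = d.split(".")[0]
        # 1. homoglyph swap or TLD trick: c0mpany.com, cornpany.com, company.co
        if fold(cand_label) == fold(legit_label):
            return "lookalike"
        # 2. a single typo in the registrable domain: companny.com
        if levenshtein(reg, d) <= max_distance:
            return "lookalike"
        # 3. brand used as a label or hyphenated token of another domain:
        #    company-secure.net, company.evil.net (accompany.com is not flagged)
        if any(legit_label in label.split("-") for label in dom.split(".")):
            return "lookalike"
    return "external"


def scan(addresses, legit_domains=LEGIT_DOMAINS):
    """Verdict for each address; this is what a mail-gateway rule would run."""
    return [(addr, classify(addr, legit_domains)) for addr in addresses]


if __name__ == "__main__":
    for addr, verdict in scan(SAMPLE_SENDERS):
        print(f"{verdict:<11} {addr}")
```

Run it against the From and Reply-To of inbound mail, not just the envelope sender: the display name is what a busy accounts-payable clerk reads, and the address behind it is where the look-alike lives. Transpositions two edits apart (compnay.com) slip past `max_distance=1`; raise it, or add a Damerau variant, once you have measured the false-positive rate on your own traffic.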

To help protect our members from such scams and other fraudulent activity, Corporate One holds all international wire transfers through its vendor for a period of time for additional third-party scrutiny. This provides additional time for you and your member to further scrutinize the wire request, albeit limited time. While our vendor does not know your member, there is scrutiny provided based on their experience with their other business partners.

It is critically important to report BEC fraud (and attempts) to Corporate One as part of your wire recall attempt, so that when we execute the recall we can also communicate that the request is due to BEC. This helps our vendor interdict other attempts against our members and our vendor’s other clients.

The FBI also asks that any business that has recently sent a wire because of a BEC scam contact its local FBI office. The FBI is working with FinCEN and might be able to help freeze or return the funds.

An important additional note: Most BEC scams fall outside cyber insurance coverage. The business sent the money and, therefore, the loss belongs to the business. Courts involved in wire transfer fraud cases have shown some mixed results in terms of liability, sometimes placing liability on the originator and sometimes on the financial institution. But failure to follow your own well-designed funds transfer controls and to advise your business member of the need for the controls is typically where the liability has been shifted to the financial institution.

Filing an IC3 Complaint and Suspicious Activity Reports with FinCEN

The FBI requests businesses that believe they are the recipient of a compromised email and victims of BEC to file a report with IC3 at www.IC3.gov regardless of the dollar amount. They are asking for as much description as possible. Identify the complaint as “Business Email Compromise” or “BEC,” and try to include the following information:

  • Header information from email messages
  • Identifiers for the perpetrators, such as names, email addresses, websites, bank account information (where payments are requested to be sent), and beneficiary names
  • Details on how, why, and when the fraud attempts occurred
  • Actual and attempted amounts of loss
  • Other relevant information you believe will support the complaint (IP addresses, for example)

Complainants are also encouraged to keep original documentation, emails, faxes, and logs of all telecommunications. You cannot upload or add documents to the IC3 complaint; however, you may be contacted later by law enforcement to provide the relevant documents.
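As an added example (not from the original article or the FBI guidance), the script below pulls the header facts listed above out of a raw message using Python’s standard `email` package: sender and Reply-To, Return-Path, Message-ID, date, the IP addresses recorded in the Received chain, dollar amounts in the body, and two quick indicators (a Reply-To domain that differs from the From domain, and the phrases the FBI reports as common). The message is constructed for illustration; every name, domain and address in it is invented and the IPs are from documentation ranges.

```python
"""Extract the header facts an IC3 complaint asks for from a raw BEC email.

Added example, not from the original article. The message is constructed
for illustration: the names, domains and addresses are invented, and the
IPs are documentation ranges (192.0.2.0/24, 203.0.113.0/24).
"""
import re
from email import policy
from email.parser import BytesParser

# Phrases the FBI reports as common in fraudulent requests (from the article).
URGENCY_PHRASES = ("urgent wire transfer", "code to admin expenses")

# Constructed sample: a "CEO" request whose Reply-To quietly points elsewhere.
RAW_MESSAGE = b"""Return-Path: <bounce@c0mpany-mail.net>
Received: from mx.example-cu.org (mx.example-cu.org [192.0.2.10])
\tby inbox.example-cu.org with ESMTP id abc123; Mon, 23 Nov 2015 09:14:02 -0500
Received: from webmail.c0mpany-mail.net (unknown [203.0.113.45])
\tby mx.example-cu.org with ESMTP id def456; Mon, 23 Nov 2015 09:13:58 -0500
Message-ID: <20151123141350.1234@c0mpany-mail.net>
Date: Mon, 23 Nov 2015 09:13:50 -0500
From: "Pat Lee, CEO" <plee@company.com>
Reply-To: plee.ceo@c0mpany-mail.net
To: accounting@company.com
Subject: Urgent wire transfer - confidential

Please code to admin expenses and send $48,250.00 to the account below today.
I am traveling and cannot take calls.
"""


def domain_of(addr):
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None


def first_address(msg, name):
    """addr-spec of the first mailbox in an address header, or None."""
    hdr = msg[name]
    return hdr.addresses[0].addr_spec if hdr and hdr.addresses else None


def received_ips(msg):
    """Bracketed IPs from every Received header, newest hop first (the order
    MTAs prepend them). The last entry is the closest thing to the origin."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr)))
    return ips


def complaint_fields(raw):
    """Dict of the items the IC3 complaint asks for, plus indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    subject = str(msg["Subject"] or "")
    text = (subject + "\n" + body).lower()

    sender = first_address(msg, "From")
    reply_to = first_address(msg, "Reply-To")
    indicators = []
    if sender and reply_to and domain_of(sender) != domain_of(reply_to):
        indicators.append("reply-to domain differs from From domain")
    indicators.extend(f"phrase: {p}" for p in URGENCY_PHRASES if p in text)

    return {
        "from": sender,
        "reply_to": reply_to,
        "return_path": str(msg["Return-Path"] or "").strip(),
        "message_id": str(msg["Message-ID"] or ""),
        "date": msg["Date"].datetime.isoformat() if msg["Date"] else None,
        "subject": subject,
        "originating_ips": received_ips(msg),
        "amounts": re.findall(r"\$[\d,]+(?:\.\d{2})?", body),
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in complaint_fields(RAW_MESSAGE).items():
        print(f"{key:16} {value}")
```

Feed it the original message saved as .eml from the mail client, not a forwarded copy: forwarding rewrites the headers, and the Received chain and Return-Path are exactly what law enforcement and the receiving bank need. Only the Received line added by your own mail server is trustworthy; earlier hops can be forged by the sender.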

Suspicious Activity Reports (SARs) are generally not filed for attempted electronic intrusion, such as attempted penetration of systems and distributed denial of service (DDoS) attacks. However, if in the course of monitoring your business member’s activity you notice unusual clusters of activity, such as large atypical wire transfers and/or changes in the form of member contact, which suggest suspected account takeover, consider filing a SAR2.

A SAR should be filed, checking Box 35-A, “account takeover,” and the reference to “account takeover” should appear in the SAR narrative along with a detailed description of activity. Additional boxes in Blocks 39 and 40 of the SAR form should also be checked to enhance the usefulness of the SAR filing. If a member reports that a wire transfer was in fact fraudulent and caused by a BEC scam, “BEC scam” is relevant information to be included in the SAR narrative along with checking Box 31-J for “wire fraud”.

Training

The pervasive nature of this growing scam is a perfect opportunity to engage with your business members. Consider adding the information to your training library, engaging staff in the ongoing training necessary to keep up with the scammers and fraudsters.

1 “Money mules” are defined as persons who transfer money illegally on behalf of others.
2 Filing the SAR is also subject to the usual dollar thresholds and to the identification of a possible suspect (the criminal, not the victim).