Each day, the average office worker receives 121 emails, almost 50% of which are spam. Because of the sheer volume of emails employees need to sift through on any given day, it can be easy to fall victim to what are known as business email compromise (BEC) scams. In case you are not familiar with this type of scheme, a BEC scam involves a staff member being tricked into sending money to fraudsters after receiving a legitimate-looking email request from someone they think is a company executive; in fact, the email originates from a criminal. This article focuses on BEC scams that specifically target credit unions to help your institution be better prepared in the event it is ever impacted.

Rising numbers of BEC scams

Because BEC scams have become such a huge problem across various industries, the Financial Crimes Enforcement Network (FinCEN) issued two advisories within recent years to assist financial institutions in better identifying and reporting instances of BEC fraud and associated money laundering activity. The initial advisory in September 2016 (FIN-2016-A003) was followed by an updated version in July 2019 (FIN-2019-A005). According to these advisories, BEC scams are on the rise. From the time the initial advisory went out in 2016 to the middle of 2019, FinCEN received over 32,000 suspicious activity reports (SARs) on BEC fraud schemes. The total dollar amount of attempted theft reported in the SARs was a staggering $9 billion. Given these sobering statistics, it is clear BEC scams can have a crippling effect on both U.S. financial institutions and their customers.

Targeting financial institutions

FinCEN’s 2019 advisory specifically identified financial institutions as one of the main sectors targeted by criminals who are carrying out BEC scams. Criminals will often spoof the financial institution’s domain and send what appear to be credible messages to imitate official communications between staff (e.g. sending emails that appear to be from the CEO). In fact, FinCEN analysis revealed that about half of all BEC scams targeting financial institutions were facilitated via emails impersonating the CEO or president. This tactic is effective because it often discourages employees who are receiving the fraudulent payment instructions from challenging or confirming the order.

While any employee can be the recipient of a BEC fraud email, criminals often send these emails to staff members they think have the capability to easily make payments and move money (e.g. controller, CFO, the wires department). For that reason, credit union employees need to be vigilant when reviewing email requests from management that may contain fraudulent payment instructions.

Knowing what to look for

Here are several red flags credit union staff should be on the lookout for to avoid being scammed by BEC emails (for the complete list, please refer to FinCEN’s 2016 advisory):

  • An executive’s seemingly legitimate emailed transaction instructions contain different language, timing and amounts than previously verified, authentic transaction instructions.
  • Transaction instructions originate from an email account closely resembling an executive’s email account; however, the email address has been slightly altered by adding, changing, or deleting one or more characters. For instance:
    • Legitimate email address: john-doe@creditunion.com
    • Fraudulent email address: john_doe@creditunion.com
    • Fraudulent email address: john-doe@creditunions.com
  • Emailed transaction instructions include markings, assertions, or language designating the transaction request as “Urgent,” “Secret,” or “Confidential.”
  • Emailed transaction instructions are delivered in a way that would give the credit union limited time or opportunity to confirm the authenticity of the requested transaction.
  • Emailed transaction instructions direct payment to a known beneficiary, such as a vendor; however, the beneficiary’s account information is different from what was previously used.
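
The altered-address red flag above can also be checked automatically. The following is an added example, not part of the original article or of FinCEN's advisories: it compares a sender address against a directory of verified addresses and flags near-matches. The function names, the two-edit threshold, and the directory contents are assumptions; the sample addresses are the ones used in the list above.

```python
from __future__ import annotations

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def check_sender(sender: str, known: set[str],
                 max_edits: int = 2) -> tuple[str, str | None]:
    """Return (verdict, closest verified address).

    'known'     : exact match with a verified address
    'lookalike' : not a match, but within max_edits characters of one
                  (local part and domain distances are added together)
    'unknown'   : nothing similar in the directory
    """
    sender = sender.strip().lower()
    if sender in known:
        return "known", sender
    if sender.count("@") != 1:
        return "unknown", None
    s_local, s_domain = sender.split("@")
    best = None
    for addr in sorted(known):
        k_local, k_domain = addr.split("@")
        d = edit_distance(s_local, k_local) + edit_distance(s_domain, k_domain)
        if d <= max_edits and (best is None or d < best[0]):
            best = (d, addr)
    return ("lookalike", best[1]) if best else ("unknown", None)

# Constructed directory of verified addresses (assumption: one executive).
KNOWN_EXECUTIVES = {"john-doe@creditunion.com"}

if __name__ == "__main__":
    for s in ["john-doe@creditunion.com", "john_doe@creditunion.com",
              "john-doe@creditunions.com", "vendor@example.org"]:
        print(s, "->", check_sender(s, KNOWN_EXECUTIVES))
```

A "lookalike" verdict is a prompt to confirm the request through a separate, previously verified channel. The directory should hold every legitimate staff address so that genuine colleagues with similar names are not flagged.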

Taking action if needed

In the unfortunate event that your credit union is targeted by BEC scammers, it is important to know what to do to handle the situation. Below are two recommended steps that your credit union should take:

Step 1: Work with law enforcement to try to recover the funds (ASAP!)

FinCEN has partnered with the FBI, U.S. Secret Service, Homeland Security, and other domestic and international investigative agencies to help recover funds lost as a result of BEC schemes through its Rapid Response Program. While the recovery of funds is not assured, FinCEN has had greater success in recovering funds when financial institutions report BEC-unauthorized and fraudulently induced wire transfers to law enforcement within 24 hours. To request immediate assistance in recovering BEC-stolen funds, your credit union should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), contact your local FBI field office, or contact the nearest U.S. Secret Service field office.

Step 2: File a SAR with FinCEN

Your credit union has a SAR filing obligation to report BEC scams involving fraudulent payment instructions regardless of whether the scheme or involved transactions were successful, and regardless of whether your credit union incurred an actual loss. The completed SAR form and narrative should contain as much relevant information as possible, including any known cyber-related information.

Ultimately, it only takes a few keystrokes for an employee to unwittingly wire funds to a criminal-controlled account as a result of a BEC scam. Credit union staff must be cognizant of the fact that BEC scammers may be targeting their inboxes next.

Naomi Glass
BSA/AML Compliance Manager

Recent SAR Statistics on increasing BEC fraud

  • 2016: 6,000 BEC-related SARs with a monthly average of $110 million
  • 2017: More than 11,000 BEC-related SARs with a monthly average of $241 million
  • 2018: Nearly 14,000 BEC-related SARs with a monthly average of $301 million