Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Yup, It’s a $5 Billion Dollar Scam: Business E-mail Compromise

May 9, 2017

On May 4th, the FBI issued a Public Service Announcement addressing Business E-mail Compromise (BEC) which includes updated stats (through December 31, 2016) on this notorious scam.

Business E-mail Compromise is defined as a scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The BEC targets individuals that perform wire transfer payments.

The scam is carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

As the FBI says, most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The criminals will use the method most commonly associated with their victim's normal business practices. The scam has evolved to include the compromising of legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees, and may not always be associated with a request for transfer of funds.

Victims are large and small businesses. No specific sector of business is targeted.

The criminals monitor and study their victims using social engineering techniques prior to initiating the BEC scam. They are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive "phishing" e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).

Phishing e-mails often precede the attack. The victim clicks on a link in an e-mail or clicks on an attachment, and it downloads malware, allowing the intruders unfettered access to the victim's data, including passwords or financial account information.

Between January 2015 and December 2016, there was a 2,370% increase (WOW!) in identified exposed losses. The scam has been reported in all 50 states and in 131 countries. Victim complaints filed with the Internet Crime Complaint Center (IC3) and financial sources indicate fraudulent transfers have been sent to 103 countries.

Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom have also been identified as prominent destinations.

According to the announcement, these are the stats between October 2013 and December 2016:

Domestic and international incidents: 40,203
Domestic and international exposed dollar loss: $5,302,890,448
Total U.S. victims: 22,292
Total U.S. exposed dollar loss: $1,594,503,669

Based on IC3 complaints, there are five main scenarios by which this scam is perpetrated and yes, I'm going to list them all so that you can understand how they work.

Scenario 1: Business Working with a Foreign Supplier

A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile, or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears similar to a legitimate request. Likewise, requests made via facsimile or telephone call will closely mimic a legitimate request. This particular scenario has also been referred to as the "Bogus Invoice Scheme," "Supplier Swindle," and "Invoice Modification Scheme."

Scenario 2: Business Executive Receiving or Initiating a Request for a Wire Transfer

The e-mail accounts of high-level business executives (Chief Financial Officer, Chief Technology Officer, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is typically responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank "X" for reason "Y." This particular scenario has been referred to as "CEO Fraud," "Business Executive Scam," "Masquerading," and "Financial Industry Wire Frauds."

Scenario 3: Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail

An employee of a business has his or her personal e-mail hacked. This personal e-mail may be used for both personal and business communications. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee's personal e-mail to multiple vendors identified from this employee's contact list. The business may not become aware of the fraudulent requests until that business is contacted by a vendor to follow up on the status of an invoice payment.

Scenario 4: Business Executive and Attorney Impersonation

Victims report being contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of BEC scam may occur at the end of the business day or work week and be timed to coincide with the close of business of international financial institutions.

Scenario 5: Data Theft

Fraudulent requests are sent utilizing a business executive's compromised e-mail. The entities in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipients of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario even if they were able to successfully identify and avoid the traditional BEC scam. This data theft scenario of the BEC scam first appeared just prior to the 2016 tax season.

The FBI preaches just what we preach: Train your employees in these scams. All the technology in the world may not be able to protect you if your employees make a mistake. Technology helps, but it is never a complete solution.

Change your business process so that the legitimacy of requests for wired funds and/or PII is verified every time.

Don't use web-based e-mail.

Be suspicious of any requirement to act quickly. The list of helpful hints goes on too long to print in full, but it is certainly worth reading!
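To make the "verify every time" rule concrete, here is an added example (not from the FBI announcement or this blog) of a small triage check a bookkeeping inbox could run before anyone acts on a request. It looks for the warning signs the five scenarios describe: a known executive's display name on an outside or look-alike address, a Reply-To that quietly redirects the conversation, pressure to act quickly or secretly, and any request for payment, new bank details, W-2s or employee PII. The organization domain, the names in KNOWN_SENDERS and the three sample messages are all constructed for the example; the keyword lists are illustrative, not a complete detection rule. Note that the third message comes from a genuinely compromised account (the From address is correct), which is why the Reply-To check and the "verify every request for funds or PII" policy matter more than sender checks alone.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the firm's own domain and the people whose
# names a fraudster would most plausibly borrow (hypothetical names).
ORG_DOMAIN = "example-law.com"
KNOWN_SENDERS = {
    "Jane Doe": "jane.doe@example-law.com",   # CFO (constructed)
    "John Roe": "john.roe@example-law.com",   # managing partner (constructed)
}

# Illustrative keyword lists; a real deployment would tune these.
URGENCY_TERMS = ("urgent", "immediately", "asap", "today", "confidential", "discreet", "do not discuss")
PAYMENT_TERMS = ("wire", "bank account", "routing", "new account", "updated banking", "invoice")
DATA_TERMS = ("w-2", "w2", "social security", "ssn", "payroll", "employee list")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e-law.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the BEC warning signs found in one RFC 5322 message (as a list of labels)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    findings = []
    expected = KNOWN_SENDERS.get(display_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append("display name of a known person but a different address")
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("look-alike domain " + from_domain)
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To points to a different domain than From")
    if any(t in text for t in URGENCY_TERMS):
        findings.append("pressure to act quickly or secretly")
    if any(t in text for t in PAYMENT_TERMS):
        findings.append("payment or bank-detail request")
    if any(t in text for t in DATA_TERMS):
        findings.append("request for W-2 or employee PII")
    return findings


def triage(raw_message):
    """Apply the post's rule: every request for funds or PII is verified out of band,
    by calling the requester back on a number already on file, never one in the e-mail."""
    findings = bec_indicators(raw_message)
    if any(f.startswith(("payment", "request for W-2")) for f in findings):
        return "verify out of band"
    if findings:
        return "suspicious"
    return "no BEC indicators"


# Constructed sample messages (Scenario 2 "CEO Fraud" on a look-alike domain,
# a benign message, and a Scenario 5 W-2 request from a compromised account).
CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e-law.com>
Reply-To: jane.doe@examp1e-law.com
To: bookkeeper@example-law.com
Subject: Urgent wire today

Process a wire to the new account below before close of business today. Keep this confidential.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-law.com>
To: bookkeeper@example-law.com
Subject: Lunch Thursday

Are you free for the team lunch on Thursday?
"""

W2_REQUEST = """\
From: John Roe <john.roe@example-law.com>
Reply-To: john.roe@mail-example.net
To: hr@example-law.com
Subject: Employee W-2 forms

Please send me the W-2 for all employees as a PDF.
"""

if __name__ == "__main__":
    for name, sample in (("CEO fraud", CEO_FRAUD), ("benign", LEGIT), ("W-2 request", W2_REQUEST)):
        print(name, "->", triage(sample), bec_indicators(sample))
```

The decision is deliberately not a score: a request for money or employee data goes to callback verification even when no other sign is present, because the compromised-account scenarios on this page produce e-mail that looks entirely genuine.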

If you are a victim, contact your bank immediately and request that it contact the financial institution where the fraudulent transfer was sent. Contact your regional FBI Office. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds. It's worth a try.

File a complaint at https://bec.ic3.gov/.

Compliments to the FBI for a very useful public announcement. Good fodder for our cybersecurity presentations – appreciate the assist!

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson