FBI Fraud Alert – Business E-mail Compromise Defrauds U.S. Businesses
In an effort to keep your business more secure, NSG has partnered with the FBI to identify newly developing technology threats. FS-ISAC members and federal law enforcement agencies continue to report an increase in wire transfer fraud against U.S. businesses through a scam referred to as “Business E-mail Compromise” (BEC). BEC is a type of payment fraud that involves the compromise of legitimate business e-mail accounts for the purpose of conducting an unauthorized wire transfer. Once a business e-mail account is compromised, actors use the compromised account or a spoofed account to send wire transfer instructions. The funds are sent to countries all over the world, but primarily Asia.
The majority of BEC incidents involve the compromise of a business’ CEO or CFO, as they typically have the authority and ability to conduct a wire transfer. Additionally, other incidents involve the compromise of a vendor/supplier’s e-mail account with the intention of modifying the bank account associated with that vendor/supplier. This scheme may also be labeled as vendor fraud and involves a last-minute change of the bank and account number for future payments.
In most circumstances, the actors use social engineering or malware to compromise the legitimate business e-mail accounts. Then, they conduct reconnaissance to review the business’ legitimate e-mail communications and travel schedules.
In some cases, the actors auto-forward e-mails received by the victim to an e-mail account under their control. This operation lasts until the actor feels comfortable enough to send wire transfer instructions using either the victim’s e-mail or a spoofed e-mail account that is controlled by the perpetrator. The difference in the spoofed e-mail account is very subtle and can easily be mistaken for the legitimate business e-mail address.
The actors are sophisticated and use many methods to ensure their e-mail communications are successful. A recurring theme in the CEO or CFO scheme is to wait until the C-level manager is traveling for work or pleasure to request a wire transfer, making it more likely that the individual would use e-mail for official business and therefore harder to verify that the transaction is fraudulent. Many of these transfer requests will state that the wire transfer is related to confidential or urgent matters and must not be discussed with any other company personnel.
So how do you protect yourself against such scams? There are a number of ways:
• Verify a change in payment instructions to a vendor or supplier by calling to verbally confirm the request
• Limit the number of employees within your business who have authority to approve and/or conduct wire transfers
• Maintain a file of vendor contact information for those who are authorized to approve changes in payment instructions
• If your staff is contacted by the bank to verify a wire transfer, delay the transaction until additional verifications can be performed
• Require dual-approval for any wire transfer request