Busineses are now being targeted in a sophisticated email scam designed to persuade
business employees responsible for executing financial transactions to wire
funds to overseas accounts controlled by fraudsters.The current estimate is
$215 million in losses.
The FBI’s Internet Crime Complaint Center (ICCC)
reported that, from Oct. 1, 2013 to Dec. 1, 2014, Business E-mail Compromise
(BEC) scams claimed over 2,000 individual victims and generated losses of
nearly $215 million, $179.7 million of which was fleeced from nearly 1,200
victims using the BEC tactic in just three months from Oct. to Dec. 2014.
In addition to victims in the U.S., the FBI has
documented nearly 1,000 non-U.S. victims in 45 countries associated with wire
transfer fraud scams, with wire funds reportedly being sent primarily to Asian
banks located in China and Hong Kong.
Owners and employees of businesses that work with
foreign suppliers need to be vigilant for email scams that attempt to trick
businesses into making fraudulent wire transfers. Employees should be instructed
that phishers not only play on the
similarity of but also prey on the eagerness of most employees to please. BEC
scams are crafted to be sophisticated.
Fraudsters secure an internet domain name that is
visually very similar to the domain name of the target company or of the
target’s actual supplier.
The Fraudsterswill research publicly available
information about the target company looking for the names of senior financial
officers and employees, especially chief financial officers and comptrollers
Scammers will use social engineering to secure the
name and legitimate email address of a target company employee who is
responsible for making large wire transfers.
The employees
are lured into believing they were
acting on the wishes of executives who had communicated through e-mail (or a
fake vendor by email) to transfer funds. Once a business owner or other
employee is tricked into making a wire transfer to a foreign bank, the
criminals transfer the funds into a global money-laundering network.
Victim organizations vary in size from small
family-run businesses with a few employees all the way up to large enterprises,
and those that fall for such scams often lack strong internal controls. Banks
and enforcement agencies continue to attempt to recover funds where cases
involve legitimate employee names with fake email aliases.
While anti-spam and anti-phishing technology does spot
attacks, criminals have improved at spoofing email messages, with the targeted
nature of the request typically getting the bogus messages past spam filters.
Organizations need to ensure employees are aware that
fraudulent email requests for a wire transfer are well-worded, well-planned and
believable; are based on detailed information specific to the business being
victimized; and do not raise suspicions to the legitimacy of the request.
Criminals research and monitor their selected victims prior to sending out a
phishing email and identify and target employees that have the access necessary
to perform wire transfers within the business.
Legal obligations or protections you may have related
to this situation, such as potential insurance coverage for any loss
Change your controls to minimize the risk of something
similar occurring again:
IT controls that keep the scammer out of the system
Purchasing controls that validate changes in vendor
payment information or the setup of new vendors
Treasury controls that require multiple approvals of
wire transfers
Educate employees about the scam so they can remain
vigilant; tell them how it was perpetrated and that they can be a gateway for
the scammer