Businesses are now being targeted in a sophisticated email scam designed to persuade employees responsible for executing financial transactions to wire funds to overseas accounts controlled by fraudsters. The current estimate is $215 million in losses.
The FBI’s Internet Crime Complaint Center (IC3) reported that, from Oct. 1, 2013 to Dec. 1, 2014, Business E-mail Compromise (BEC) scams claimed over 2,000 individual victims and generated losses of nearly $215 million, $179.7 million of which was fleeced from nearly 1,200 victims using the BEC tactic in just three months, from Oct. to Dec. 2014.
In addition to victims in the U.S., the FBI has documented nearly 1,000 non-U.S. victims in 45 countries associated with wire transfer fraud scams, with wire funds reportedly being sent primarily to Asian banks located in China and Hong Kong.
Owners and employees of businesses that work with foreign suppliers need to be vigilant for email scams that attempt to trick them into making fraudulent wire transfers. Employees should be instructed that phishers not only play on the similarity of look-alike domain names but also prey on the eagerness of most employees to please. BEC scams are crafted to be sophisticated.
Fraudsters secure an internet domain name that is visually very similar to the domain name of the target company or of the target’s actual supplier.
The fraudsters will research publicly available information about the target company, looking for the names of senior financial officers and employees, especially chief financial officers and comptrollers.
Scammers will use social engineering to secure the name and legitimate email address of a target company employee who is responsible for making large wire transfers.
The employees are lured into believing they are acting on the wishes of executives (or of a vendor) who have communicated by e-mail to transfer funds. Once a business owner or other employee is tricked into making a wire transfer to a foreign bank, the criminals move the funds into a global money-laundering network.
Victim organizations vary in size from small family-run businesses with a few employees all the way up to large enterprises, and those that fall for such scams often lack strong internal controls. Banks and enforcement agencies continue to attempt to recover funds where cases involve legitimate employee names with fake email aliases.
While anti-spam and anti-phishing technology does spot some attacks, criminals have become better at spoofing email messages, and the targeted nature of the request typically gets the bogus messages past spam filters.
Organizations need to ensure employees are aware that fraudulent email requests for a wire transfer are well-worded, well-planned and believable; are based on detailed information specific to the business being victimized; and do not raise suspicions about the legitimacy of the request. Criminals research and monitor their selected victims prior to sending out a phishing email, and identify and target employees that have the access necessary to perform wire transfers within the business.
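The look-alike domains described above (a sender domain that differs from the real supplier's by a swapped character, a different top-level domain, or an extra label) can be checked mechanically before anyone acts on a payment request. The following is an added example, not code from the original article or from the FBI: it compares each sender domain against a constructed allowlist of known supplier domains using a small confusable-character table and an edit-distance check, and also flags a trusted-looking address that appears only in the display name. TRUSTED_DOMAINS, the confusable table, the thresholds and the sample headers are all assumptions made for the illustration, and the two-label treatment of a registrable domain is a simplification.

```python
"""Flag sender domains that merely look like a trusted domain.

Added example, not code from the original article. TRUSTED_DOMAINS and the
sample From: headers are constructed for illustration; a real deployment
would load the allowlist from the vendor master and run this on the mail
gateway or in a mailbox rule.
"""
import re

# Constructed allowlist: registrable domains of the business and its suppliers.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.com"}

# Character swaps commonly used to build visually similar domain labels.
# Multi-character keys are applied first so "rn" collapses before single chars.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Edit-distance matching is only applied to trusted labels at least this long,
# so that short names do not match every nearby string (assumed threshold).
MIN_LABEL_LEN_FOR_DISTANCE = 6


def skeleton(label: str) -> str:
    """Collapse confusable characters: 'examp1e-c0rp' -> 'example-corp'."""
    s = label.lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a domain (simplification: ignores multi-part TLDs such as co.uk)."""
    return ".".join(domain.split(".")[-2:])


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain."""
    d = domain.lower().strip(".")
    labels = d.split(".")
    if len(labels) < 2:
        return "unrelated"
    if d in TRUSTED_DOMAINS or registrable(d) in TRUSTED_DOMAINS:
        return "trusted"  # exact match or a subdomain of a trusted domain
    name = registrable(d).split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.split(".")[0]
        # Trusted label reused anywhere: acme-supplier.co, example-corp.com.evil.net
        if tname in labels:
            return "lookalike"
        # Trusted name embedded in a longer label: acme-supplier-invoices.com
        if tname in name:
            return "lookalike"
        # Homoglyph substitution: examp1e-corp.com
        if skeleton(name) == skeleton(tname):
            return "lookalike"
        # Typo-squat within two edits: exampel-corp.com
        if len(tname) >= MIN_LABEL_LEN_FOR_DISTANCE and edit_distance(name, tname) <= 2:
            return "lookalike"
    return "unrelated"


def split_from_header(header: str) -> tuple:
    """Split 'Display Name <addr>' into (display, addr); bare addresses get an empty display."""
    m = re.fullmatch(r"\s*(.*?)\s*<([^<>]+)>\s*", header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", header.strip()


def assess_sender(header_from: str) -> dict:
    """Classify a From: header's domain and flag a trusted address hidden in the display name."""
    display, addr = split_from_header(header_from)
    domain = addr.rpartition("@")[2].lower()
    verdict = classify_domain(domain)
    # Display name carrying a trusted address while the real sender is elsewhere.
    hidden = re.search(r"@([\w.-]+)", display)
    display_spoof = (
        hidden is not None
        and hidden.group(1).lower() != domain
        and classify_domain(hidden.group(1)) == "trusted"
    )
    return {"address": addr, "domain": domain, "verdict": verdict,
            "display_name_spoof": display_spoof}


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",
    "Jane Doe <jane.doe@examp1e-corp.com>",
    "Accounts Payable <ap@acme-supplier.co>",
    "jane.doe@example-corp.com <billing@mail-relay.net>",
    "Bob <bob@totally-unrelated.org>",
]


def flagged(headers=SAMPLE_HEADERS) -> list:
    """Return the assessments that warrant a second look before any wire is sent."""
    results = [assess_sender(h) for h in headers]
    return [r for r in results if r["verdict"] == "lookalike" or r["display_name_spoof"]]


if __name__ == "__main__":
    for r in flagged():
        note = " (display name shows a trusted address)" if r["display_name_spoof"] else ""
        print(f"REVIEW {r['address']}: {r['verdict']}{note}")
```

On the constructed sample, the exact and subdomain senders pass, the homoglyph and wrong-TLD domains are flagged as look-alikes, and the relay address whose display name shows a trusted mailbox is flagged for the display-name mismatch. A flag here is a reason to verify the request through a phone number already on file, not proof of fraud, and an "unrelated" verdict says nothing about whether the message is genuine.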
Review any legal obligations or protections you may have related to this situation, such as potential insurance coverage for any loss.
Change your controls to minimize the risk of something similar occurring again:
IT controls that keep the scammer out of the system
Purchasing controls that validate changes in vendor payment information or the setup of new vendors
Treasury controls that require multiple approvals of wire transfers
Educate employees about the scam so they can remain vigilant; tell them how it was perpetrated and that they can be a gateway for the scammer
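The purchasing and treasury controls listed above are straightforward to encode as a release gate in the payment workflow, so that a wire is held automatically rather than relying on someone noticing. The following is an added example, not code from the original article: it models a wire request and refuses release unless the amount has the required number of approvers other than the requester, and unless any recently changed vendor bank details have been confirmed out of band. The threshold amount, the 30-day cooling-off window, the vendor and request data and the field names are all constructed assumptions.

```python
"""Treasury and purchasing release checks for an outgoing wire.

Added example, not code from the original article. The thresholds, the
cooling-off window and the sample vendor and request data are constructed
assumptions; the checks model the controls the article lists (multiple
approvals of wires, validation of changed vendor payment details).
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

DUAL_APPROVAL_THRESHOLD = 10_000.0   # assumed amount above which two approvers are required
COOLING_OFF_DAYS = 30                # assumed window after a bank-detail change


@dataclass
class Vendor:
    name: str
    bank_account: str
    bank_changed_on: Optional[date] = None
    # Set only after someone confirmed the change by phoning a number already on
    # file, never one supplied in the change request itself.
    change_verified_out_of_band: bool = False


@dataclass
class WireRequest:
    vendor: Vendor
    amount: float
    requested_by: str
    approvals: Set[str] = field(default_factory=set)


def release_problems(req: WireRequest, today: date) -> List[str]:
    """Return every reason the wire must be held; an empty list means it may be released."""
    problems: List[str] = []

    # Treasury control: the requester never counts as an approver of their own wire.
    approvers = req.approvals - {req.requested_by}
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(approvers) < 2:
        problems.append("amount requires two approvers other than the requester")
    elif not approvers:
        problems.append("requires at least one approver other than the requester")

    # Purchasing control: recently changed bank details must be verified out of band.
    v = req.vendor
    if v.bank_changed_on is not None:
        age = today - v.bank_changed_on
        if age <= timedelta(days=COOLING_OFF_DAYS) and not v.change_verified_out_of_band:
            problems.append(
                f"bank details for {v.name} changed {age.days} days ago and are unverified"
            )
    return problems


def may_release(req: WireRequest, today: date) -> bool:
    """True only when no control blocks the wire."""
    return not release_problems(req, today)


# Constructed scenario: a supplier "changed" its bank account by e-mail last week
# and the clerk who took the request is the only person who has approved the wire.
TODAY = date(2015, 1, 20)
SUPPLIER = Vendor("Acme Supplier", "NEW-ACCOUNT-PLACEHOLDER", bank_changed_on=date(2015, 1, 13))
SUSPICIOUS = WireRequest(SUPPLIER, 48_500.0, requested_by="ap_clerk", approvals={"ap_clerk"})

if __name__ == "__main__":
    for p in release_problems(SUSPICIOUS, TODAY):
        print("HOLD:", p)
```

In the constructed scenario both controls fire: the clerk's own approval does not count, and the week-old bank change has not been confirmed by callback. The same request clears once two other approvers sign off and the change is verified against contact details that were on file before the change request arrived.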