This article was co-authored with guest blogger David Wang, an R+C summer associate and student at Boston College Law School.
Wire fraud has long been a problem for financial institutions and banks. However, wire fraud through email is a completely different beast. Originally characterized by law enforcement as an extension of traditional wire fraud, wire fraud by email has become so pervasive that it now warrants its own internet crime designation: business email compromise (BEC). Under the FBI’s definition, BEC scams target businesses that have international business relationships and regularly send wire transfer payments. In other words, a BEC scam is a type of wire fraud conducted through phishing or spear-phishing emails in which the sender’s identity or email has been hacked or spoofed and/or the recipient at the business is tricked into believing the email is legitimate. Our privacy tip #18 offers tips on avoiding becoming a phishing or spear-phishing target.
A recent push by global law enforcement agencies to correctly identify BEC scams, as well as concerns about increased activity, has led to a disturbing statistic: since January 2015, a 1300% increase in exposed losses worldwide due to BEC. This startling increase includes reports made to the FBI’s Internet Crime Complaint Center (IC3) and other international law enforcement agencies. The losses come from 22,143 total reported cases from U.S. and foreign victims during the period October 2013 to May 2016. While the IC3 tracks other internet crimes that use email, such as ransomware, extortion and emails targeting individuals, losses from BEC, as well as the dramatic increase in victims, clearly have the FBI’s attention.
The hackers and scammers involved in BEC are sophisticated: they monitor and study their victims for extended periods. They first identify the individuals at a business in finance, accounting or treasury functions who may send wire transfers. Then, they study the habits of these businesses and the individuals on LinkedIn, Facebook and other social media and wait for the right moment. Familiar BEC scams include emails from (i) a foreign supplier of a business with “new” wire transfer instructions for the next invoice payment, (ii) a travelling executive to a finance employee of the business to request an “urgent” and/or “confidential” wire transfer, (iii) the fraudster using a spoofed email to pose as a legitimate employee, customer or supplier of the business, or (iv) the fraudster posing as the attorney for the business requesting wire transfers relating to transactions or deals that are soon closing.
How do you protect your business from a BEC scam? Here are some suggestions.
- Provide training and build awareness within the business about BEC scams.
- Don’t open spam, or attachments from spam, or click on links from unknown sources.
- Avoid using free web-based email accounts for the business, as it is easier to spoof emails.
- Check the sender’s email address by hovering over it to confirm it is not spoofed.
- Don’t reuse the same or old passwords across social media and other platforms.
- Don’t use one’s business email address to sign up for social media platforms and don’t use the same password as one’s work email. For example, if you signed up for LinkedIn using your corporate email in 2012, your username and password are probably readily available on sites such as leakedsource.com that specialize in cataloging data breaches.
- Tighten wire transfer procedures, restrict the number of individuals involved in sending wire transfers, and verify changes with the supplier or sender of the email. Don’t use the phone number in the requesting email – it may be fraudulent as well.
- Implement two-factor authentication for corporate email accounts.
- Create intrusion detection system rules that flag emails from domains that look similar to the company’s email domain. For example, a rule for the legitimate domain abc_company.com would flag email from the fraudulent abc-company.com.
- Be familiar with your suppliers’ and customers’ habits, such as the details of, reasons behind, and amount of payments.
- Review email requests for transfers of funds to determine if the requests are out of the ordinary.
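The lookalike-domain rule suggested in the list above can be sketched as follows. This is an added example, not part of the original article; the function names, the distance threshold, the character-swap table and the sample addresses are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

COMPANY_DOMAINS = {"abc_company.com"}  # the article's example domain
MAX_DISTANCE = 2  # assumed threshold; tune it to limit false positives on short domains

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours, e.g. "ap" vs "pa"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def skeleton(domain: str) -> str:
    """Drop separators and undo common digit-for-letter swaps before comparing."""
    d = re.sub(r"[-_.]", "", domain.lower())
    return d.translate(str.maketrans("0135", "oles"))

def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike', 'external' or 'unparsed' for a From header value."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "unparsed"
    if domain in COMPANY_DOMAINS:
        return "internal"
    for legit in COMPANY_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(legit)) <= MAX_DISTANCE:
            return "lookalike"  # near miss of a company domain: flag for review
    return "external"

if __name__ == "__main__":
    # Constructed sample From headers, not taken from any real message.
    for header in ("Pat Lee <pat@abc_company.com>",
                   "Billing <billing@abc-company.com>",
                   "AP <ap@abc_cornpany.com>",
                   "News <news@example.org>"):
        print(f"{classify_sender(header):10} {header}")
```

An exact domain match only means the header names the company domain; whether that header was forged is a separate check handled by SPF, DKIM and DMARC.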
If you do fall victim to a BEC scam, it is important to act quickly. Contact your financial institution immediately and ask that they contact the financial institution where the wire was sent. Contact your local FBI office and legal counsel. File a complaint, regardless of dollar loss, at www.IC3.gov.