FBI Warns of Dramatic Increase in Business E-Mail Compromise Scams
The FBI Boston Division is warning of a dramatic rise in business e-mail compromise scams or BECs, which target businesses of all sizes and types and have resulted in massive financial losses in Boston and other cities. Globally, since October 2013, more than $3.1 billion in actual and attempted losses have been reported.
Here in the Boston Division, approximately 370 victims from Massachusetts, Maine, New Hampshire and Rhode Island have reported losses totaling approximately $33 million. Those losses range from $500 to $5.9 million, with the average loss per scam being $90,000. The dDivision has successfully facilitated the return of approximately $13 million, with millions more frozen and in the process of being returned.
“The BEC scam is one of the fastest growing schemes we’ve seen over the past few years. The perpetrators leave a long wake of financial and emotional damage, stealing money from small businesses—leaving them unable to pay bills; and from families in the process of buying a home, all but erasing their dreams of home ownership,” said Harold H. Shaw, special agent in charge of the FBI Boston Division.
The scammers go to great lengths to spoof a company e-mail or use social engineering to assume the identity of the CEO, a trusted vendor, or a person in a position of authority within the company. They research employees who manage money and use language specific to the company they are targeting and then they request a wire transfer to an account controlled by them. Common recipients of these e-mails are real estate agents, title companies, and attorneys in the midst of real estate transactions; bookkeepers; accountants; controllers; and chief financial officers.
The perpetrators of this fraud, believed to be members of international organized crime groups, primarily target businesses that work with foreign suppliers or regularly perform wire transfers, and they use domestic bank accounts to funnel money off shore. According to the Internet Crime Complaint Center (IC3), since the beginning of 2015, there has been a 1,300 percent increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries.
The scammers' methods have become increasingly more sophisticated. They'll spoof accounts with slight variations in domains (firstname.lastname@example.org vs. email@example.com); mske them look similar to authentic accounts (firstname.lastname@example.org vs. email@example.com ); mimic the real account using a spoofing tool that directs responses to a different e-mail account (the reply to e-mail account can be seen in the extended header or by hovering a curser over the shown e-mail address); and hack accounts. Criminals also use malware to infiltrate company networks, gaining access to legitimate e-mail threads about billing and invoices. They then use that information to make sure the suspicions of an accountant or financial officer aren’t raised when a fraudulent wire transfer is requested.
Some individuals have reported being a victim of various cyber intrusions immediately preceding a BEC incident. These intrusions can be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing them unfettered access to the victim’s data, including passwords or financial account information.
The BEC scam is linked to other forms of fraud, including but not limited to romance, lottery, employment, and rental scams. The victims of these scams are usually based in the United States and may be recruited, unknowingly, to transfer money illegally on behalf of others.
If you or your company have been victimized by a BEC scam, it’s important to act quickly. Contact your financial institution immediately and request that they issue a “SWIFT recall.” For domestic transfers, ask your financial institution to send a “hold harmless” letter to the beneficiary bank.
Next, file a complaint regardless of whether there is a dollar loss with IC3. Experience has shown that funds only remain in the initial beneficiary account for a few days before they are withdrawn or transferred to another account. This is not always the case and the FBI may be able to pursue a criminal prosecution.
Filing a complaint with IC3:
IP address and e-mail address of fraudulent e-mail
- Summary of the incident (including date/time)
- Victim name
- Victim location (city, state)
- Victim bank name
- Victim account number
- Beneficiary name
- Beneficiary account number
- Beneficiary bank location
- Beneficiary bank name
- SWIFT/IBAN number
- Date of transaction
- Amount of transaction
Detailed descriptions of BEC incidents should also include the date and time of incidents; copies of the incorrectly formatted invoices; full e-mail headers; requests for secrecy or immediate action; phone numbers of the fraudulent phone calls; and reports of any previous e-mail phishing activity.
“As devastating as this crime is, it’s equally easy to thwart. We must all develop the habit of verifying the authenticity of e-mailed requests to send money. The best way to do this is through in-person conversations or using a known telephone number,” said Shaw.
So what else can you do to prevent yourself from becoming a victim? Businesses have reported using the following measures for added protection:
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com
- Create an e-mail rule to flag e-mail communications where the reply to e-mail is different from the “from” e-mail address shown.
- Color code e-mails so e-mails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having secondary sign-off by company personnel.
- Confirm requests for transfers of funds, adding new vendors and changing vendor payment information by using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
- Consider forwarding e-mails using existing contacts in your address book rather than replying to e-mails.
- Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.