FBI Cincinnati
Public Affairs Specialist Todd Lindgren
(513) 979-8347
December 15, 2016

Business E-Mail Compromise Scheme Fraud Alert

CINCINNATI—The Cincinnati Division of the Federal Bureau of Investigation (FBI) is warning Ohio businesses about a sophisticated scam that can result in sizeable losses for companies. Complaints about the business e-mail compromise scheme (BEC) are increasingly being reported to the FBI and the Internet Crime Complaint Center (IC3). The scam is carried out when perpetrators compromise legitimate business e-mail accounts, through social engineering or through computer intrusion techniques, to fraudulently direct electronic fund transfers.

According to IC3, “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified exposed losses, now totaling over $3 billion. The scam has been reported by victims in all 50 states and in 100 countries.”

Prior to initiating any wire transfer, the BEC scammers closely study their selected victims using social engineering techniques. The scammers work to identify the individuals and procedures necessary to perform wire transfers within a specific business environment. They also carefully review the legitimate e-mail communication and travel schedules of employees within the targeted business.

At a key time, frequently when an executive like the CEO or CFO of the target business is traveling, the scammers will use a legitimate or spoofed e-mail account of the executive to request a wire transfer. The transfers are often for tens of thousands of dollars or more.

The scam has impacted a wide range of small to large businesses, as well as non-profit organizations.

Victim companies are urged to report the compromise to their financial institution, law enforcement, and the Internet Crime Complaint Center (www.ic3.gov) as soon as possible. Delays in reporting the scheme make it difficult to stop wire transfers and recover any lost assets.

Tips for Businesses:

  • Be cautious about sudden changes in business practices, including requests for urgency and mimicked e-mail addresses
  • Practice multi-step verification for financial transactions
  • Carefully scrutinize and verify all wire transfer requests
  • If defrauded, act quickly, contact your bank, and report to IC3.gov and law enforcement