FBI Portland
Portland Media Office
(503) 460-8060
November 14, 2017

FBI Tech Tuesday—Digital Defense Against Business E-mail Compromise

We've talked about this kind of scheme before. The traditional scam starts with Company A, Company B, and the fraudster who jumps in between the two. The scammer uses an e-mail address almost identical to the one used by a business executive at Company A as he communicates with a vendor or customer at Company B. The scammer is trying to convince that vendor at Company B to route a payment into the scammer’s personal bank account instead of the Company A account. Usually the businesses have a long-standing relationship, and a request to have a big dollar invoice paid by wire transfer doesn't raise any flags.

The newer version of the scam that we are talking about today goes one step further. The scammer isn't just pretending to be the CEO or CFO of Company A—he actually takes over that persona. He has hacked that executive’s e-mail account, and he can get in to read, receive, or send e-mails at will. As an added twist, he can set rules within the e-mail account to automatically forward to himself any e-mail that includes a particular keyword or is from a particular sender. The e-mails pass through the legitimate executive’s account in a virtual sense, but that executive may never even see them as they get deleted from his inbox immediately.

So what can businesses do? Here are a few options:

  • Avoid free web-based e-mail accounts. Establish a company domain name and use it to create formal e-mail addresses for your employees
  • Check the “rules” setting on your account periodically to ensure that no one has set up auto-forwarding for your e-mails.
  • Be careful what you post to social media and your company website, especially information about who has which specific job duties. Also be cautious about using out-of-office replies that give too much detail about when your executives are out of the mix.
  • Require two-factor verification for money transfers, particularly big ones. For example, you could require a telephone call to confirm significant wire transfers. Be sure to set up this protocol early in the business relationship and outside the e-mail environment. When the fraudster hacks your e-mail account, you don't want him to be able to see how to evade your security protocols.
  • When confirming requests, don't rely on phone numbers or e-mail addresses embedded in the request. Look up the number from an external source when calling.
  • Require your employees to use two-factor authentication to access corporate e-mail accounts. They would need two pieces of information to log-in... something they know (such as a password) and something they have (such as a dynamic PIN that changes constantly).
  • Train your employees to watch for suspicious requests, such as a change in a vendor’s payment location.
  • Train your employees to avoid clicking on links or attachments from unknown senders. Doing so could download malware onto your company’s computers, making you vulnerable to a hack.

If you have been victimized by this scam or any other online scam, contact the FBI. You can file an online report at the FBI’s Internet Crime Complaint Center at www.ic3.gov or call your FBI local office.