Business Email Compromise
FBI Issues Warning For "Business E-mail Compromise"
The CFO of a U.S. company received an e-mail from her CEO while the CEO was on vacation out of the country. The CEO requested a transfer of funds for a time-sensitive payment that required discretion. The CFO followed the instructions and wired $250,000 to a bank in Hong Kong. The next day, the CEO called about another matter. The CFO mentioned she had completed the wire the day before, but the CEO said he never sent the e-mail and knew nothing about the transaction. The company was the victim of a Business E-mail Compromise, or BEC.
BEC is a type of sophisticated financial fraud targeting businesses of all types and sizes. BECs are carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusions to conduct unauthorized transfers of funds. The Internet Crime Complaint Center (IC3) has seen a 270% increase in identified victims and exposed loss since January 2015. The scam was reported in all 50 states and in 79 countries. Fraudulent transfers were sent to 72 countries; however, the majority went to banks in China and Hong Kong. Over 8,000 victim complaints totaling almost $800 million were reported to the IC3 from October 2013 to August 2015.
- Hacked accounts via spear phishing
- Spoofed accounts made to look similar to authentic accounts (firstname.lastname@example.org vs email@example.com)
- Spoofed accounts with slight variations in domains (firstname.lastname@example.org vs email@example.com)
- Spoofed accounts mimicking the real account until one reviews the extended header or hovers a cursor over the e-mail address
- Free web based e-mail users
- Title companies and attorneys in the midst of a real estate transaction
- Bookkeepers, accountants, controllers
Suggestions for Protection
- Employee awareness/education on how to identify the scam before sending payments to the fraudsters.
- Verify wire transfer requests and changes to vendor bank accounts with two-factor authentication such as a secondary sign-off and/or using voice verification over known phone numbers.
- Create intrusion detection system rules that flag e-mails with extensions similar to company e-mail or differentiate between internal and external e-mails.
- Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
- Be careful when posting financial and personnel information to social media and company websites.
- Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
- Register domains that are slightly different than your actual domain.
- Know the habits of your customers, including the details of, reasons behind, and typical amounts of their payments.
- Scrutinize all e-mail requests for transfers of funds.
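The two suggestions above about flagging e-mails from domains similar to the company's and registering slightly different domains can share one piece of logic. The following is an added example, not from the FBI notice: it generates typical lookalike variants of an assumed company domain (`example.com`, a placeholder) and classifies constructed From: headers as internal, lookalike or external for a mail gateway to tag.

```python
import re
from email.utils import parseaddr

# Assumption: the protected organisation's own mail domain (placeholder value).
COMPANY_DOMAIN = "example.com"

def edit_distance(a, b):
    """Levenshtein distance; a small value between two domains means they look alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_variants(domain):
    """Single-character omissions, transpositions and digit/letter swaps of a domain.
    The same list serves for defensive registration and for gateway flagging."""
    name, tld = domain.rsplit(".", 1)
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])                              # omission
        if i < len(name) - 1:
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    for src, dst in (("l", "1"), ("o", "0"), ("i", "1"), ("m", "rn"), ("e", "3")):
        if src in name:
            out.add(name.replace(src, dst))                            # homoglyph swap
    out.discard(name)
    return sorted(v + "." + tld for v in out)

def classify_sender(from_header):
    """Return 'internal', 'lookalike' or 'external' for one From: header value."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == COMPANY_DOMAIN:
        return "internal"
    base = COMPANY_DOMAIN.split(".")[0]
    if (edit_distance(domain, COMPANY_DOMAIN) <= 2           # one or two typos away
            or domain in lookalike_variants(COMPANY_DOMAIN)  # known variant list
            or base in re.split(r"[.-]", domain)             # company name inside another domain
            or "@" + COMPANY_DOMAIN in display.lower()):     # internal address shown in display name
        return "lookalike"
    return "external"

# Constructed sample headers for the demonstration, not real mail.
SAMPLE_HEADERS = [
    "CEO <ceo@example.com>",
    "CEO <ceo@exarnple.com>",
    "CEO <ceo@example-payments.net>",
    '"CEO <ceo@example.com>" <ceo.vacation@gmail.com>',
    "Vendor AP <ap@vendor.org>",
]

def triage(headers=SAMPLE_HEADERS):
    """Map each From: header to its classification, e.g. for an [EXTERNAL] subject tag."""
    return {h: classify_sender(h) for h in headers}
```

Only the "internal" result should skip external tagging; the "lookalike" class is the one to route to a reviewer before any payment request in the message is acted on.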
Source: Federal Bureau of Investigation, Boston Field Office; "Business E-mail Compromise," Nov. 2015
For additional information about the Business E-mail Compromise scheme, including what to do if you suspect that your company is a victim, use this link to review the latest FBI Public Service Announcement.