Business E-mail Compromise

Watch For Scams is dedicated to helping you avoid becoming a victim of fraud.

If you like this ezine, do a friend a big favor and forward this to them. If a friend forwarded this to you, and if you like what you read, please subscribe by visiting the link below: Subscribe Here

Business E-mail Compromise

The scam is carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

There are five main scenarios by which this scam is carried out.

Scenario 1: Business Working with a Foreign Supplier

A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile, or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears similar to a legitimate request. Likewise, requests made via facsimile or telephone call will closely mimic a legitimate request. This particular scenario has also been referred to as the “Bogus Invoice Scheme,” “Supplier Swindle,” and “Invoice Modification Scheme.”

Scenario 2: Business Executive Receiving or Initiating a Request for a Wire Transfer

The e-mail accounts of high-level business executives (Chief Financial Officer, Chief Technology Officer, etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is typically responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.” This particular scenario has been referred to as “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.”

Scenario 3: Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail

An employee of a business has his or her personal e-mail hacked. This personal e-mail may be used for both personal and business communications. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s personal e-mail to multiple vendors identified from this employee’s contact list. The business may not become aware of the fraudulent requests until that business is contacted by a vendor to follow up on the status of an invoice payment.

Scenario 4: Business Executive and Attorney Impersonation

Victims report being contacted by fraudsters who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of scam may occur at the end of the business day or work week and be timed to coincide with the close of business of international financial institutions.

Scenario 5: Data Theft

Fraudulent requests are sent utilizing a business executive’s compromised e-mail. The entities in the business organization responsible for maintaining personal information such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipients of the fraudulent request. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new scenario even if they were able to successfully identify and avoid the traditional scam. This data theft scenario of the scam first appeared just prior to the 2016 tax season.

SUGGESTIONS FOR PROTECTION

Businesses that deploy robust internal prevention techniques at all levels (especially for front line employees who may be the recipients of initial phishing attempts) have proven highly successful in recognizing and deflecting these attempts.

Some financial institutions reported holding their customer requests for international wire transfers for an additional period of time to verify the legitimacy of the request.

The following list includes self-protection strategies:

• Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts

• Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchal information, and out-of-office details

• Be suspicious of requests for secrecy or pressure to take action quickly

• Consider additional IT and financial security procedures, including the implementation of a two-step verification process. For example: ◦Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this two- factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker. ◦Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.

• Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system

• Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used

• Consider implementing two-factor authentication for corporate e-mail accounts. Two-factor authentication mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code)

• Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner

• Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, a detection system for legitimate e-mail of abc_company.com would flag fraudulent e-mail from abc-company.com

• Register all company domains that are slightly different than the actual company domain

• Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel

• Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request

• Know the habits of your customers, including the details of, reasons behind, and amount of payments

• Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.

If you believe you have been a victim of this type of scam you should promptly report it to the IC3's website at www.IC3.gov. The IC3's complaint database links complaints together to refer them to the appropriate law enforcement agency for case consideration.

Remember - always watch for scams!