In March, we reported on the Business E-mail Compromise (BEC) scam where criminals target employees responsible for wiring company money, and trick them into wiring money under false pretenses to fraudulent accounts controlled by the criminals. In recent months, the FBI has identified a new trend in the BEC scam, and a similar emerging scheme that primarily targets employees from spoofed email accounts (E-Mail Account Compromise or EAC). The FBI estimates that these scams have claimed over 8,000 victims and resulted in losses totaling nearly $800 million since October 2013. This reflects a 4x increase from our initial report in March, when the figures attributable to this scam stood at roughly 2,000 victims and $215 million in losses.
The alarming growth rate and success of this fraud requires that all companies and organizations — regardless of their business or size — take notice of these accelerating trends and implement appropriate counter-measures to avoid falling victim. Previously, there were three fact patterns of common BEC fraud:
- A business with a long standing relationship with a vendor, receives a spoofed or fraudulent e-mail designed to appear very similar to the vendor’s legitimate e-mail, and is asked to fraudulently wire funds for invoice payment to an alternate, fraudulent account.
- A high-level business executive’s (CFO, CTO, etc.) e-mail account is compromised, and used to request a second employee to transfer money by wire under false pretenses to a bank account under the criminal’s control.
- An employee of a business has his/her personal e-mail hacked, and used by the criminal to request vendors make invoice payments to bank accounts under the criminal’s control.
As is typical, the criminals have evolved and adjusted their BEC strategy and are now posing as a company lawyer or advisor handling a highly time-sensitive and confidential matter. The fraudster pressures the employee to transfer funds secretly and quickly, usually near the end of the business day or work week (timed to coincide with the closing of international financial institutions). In the closely related, EAC fraud scheme, criminal actors create a spoofed e-mail account that contains slightly modified characters but very closely resembles a legitimate email address (and domain) known to the employees. The criminal actor then uses the spoofed e-mail account to initiate a request for an unauthorized wire transfer.
As criminals adapt and develop more sophisticated schemes, companies and organizations should likewise adjust their counter-measures (we previously reported on basic considerations here):
- Review your intrusion detection system (IDS) rules to flag e-mails with extensions that are similar to your company’s e-mail. For example, if the legitimate e-mail is abc_company.com, flag all e-mails from abc-company.com.
- Review your portfolio of domain registrations, and consider whether to register additional domains that are similar to your actual domain.
- Implement two-factor authentication on access to e-mail accounts for key personnel, and verify all changes to vendor payment accounts, such as requiring secondary sign-off by company personnel, or confirmation via an alternate and previously validated communication channel from the vendor (e.g., do not confirm by using the telephone number provided in the e-mail request).
- Document, in writing, the approved payment routines and accounts for all key vendors, and increase employee awareness on the proper vendor payment protocols (including for changed payment destinations).
- Carefully review all e-mail requests (including sender addresses) for fund transfers where requests are unexpected or requested to be kept “secret”.
- When in doubt, ask.
More information about the fraud is available from the Internet Crime Complaint Center (IC3), a partnership of the FBI and the National White Collar Crime Center.