Business Email Compromise Scam: Stories From Victimized Businesses
We have found that an effective way for making fraud attacks and schemes real and believable is to tell specific stories about real attacks, real losses.
Nearly every financial institution we talk to has a story about a business client that has been victimized by the Business Email Compromise (BEC) scam. Here are six to highlight the variations and similarities across the attacks, and the effort criminals will put into these attacks to make sure that the fraudulent requests look legitimate, which is what makes this scheme so hard to detect.
While not all attacks share all of these, some of the more common characteristics of this scam captured in these stories are:
- Compromised or spoofed email address
- Credible story, consistent with company plans
- Request for urgency and secrecy
- Request to only use phone number and email address in the initial email
- Timed for when the requester (CEO or CFO) is traveling
- New payment instructions from a vendor
Behavioral analytics would have detected every one of these attacks because in every case there is something inconsistent with prior behavior. Often it’s well hidden or disguised, but it’s always there.
Story 1: Auditor Asks for Payment for Acquired Business
The corporate controller received emails that appeared to be from the company’s outside auditing firm with requests to transfer millions of dollars to a Chinese bank. Three wire transfers were requested and sent for a total of $17.2 million.
The initial emails included language focusing on secrecy, urgency and sensitivity, including: “I need you to take care of this. For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company. … This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
The Controller called the auditor to confirm, using the phone number provided in the email. The criminal was ready with a person in place posing as an employee of the auditing firm to confirm the requests. There also was an element of consistency between the wire requests and the company’s business plans as the company had been discussing the expansion into China and they were in the middle of an audit.
Story 2: Wire Transfer with Immediate Money Mule Action
The Controller received email that appeared to be from CEO requesting a wire transaction to an individual in Pennsylvania. The $38,000 wire was processed on a Friday morning to bank A. Shortly after, the beneficiary went into bank A to request a wire transfer to bank B for $31,400, a second wire for $6,000 through Western Union, and then withdrew $600 in cash.
On Tuesday morning, the Controller received and submitted a second wire request from the CEO, this time for $78,000 payable to a business in Kansas. The bank flagged the request only because of an invalid routing number. The bank contacted the requestor who, only when they went to look up the correct routing number realized that the request was fraudulent. If not for a typo on the part of the criminal, the business surely would have been victimized for an additional $78,000 instead of only being scammed for $38,000.
Story 3: Fraudsters Mined Email for How to Submit Wire Request
This attack started with the criminal compromising the business’ email system to look for details of how to submit a legitimate-looking wire request. They also learned that the bookkeeper had just received approval via email from CEO to submit and approve wires.
The next day the bookkeeper received a request from the CEO to submit a wire transfer request, which was consistent with how previous wire requests had been submitted. After receiving the transfer order, the bank called the company because the wire request seemed out of character, but the bookkeeper was insistent that it was a legitimate request and that it came from the CEO. The bank processed the payment before the business realized that it was a fraudulent request.
Story 4: Fraudster Poses as Vendor and Gets Paid Twice
This attack started when the business received an email from a vendor explaining that they have changed payment instructions. New payments were to be sent to an account in China. The financial institution thought it looked suspicious and called to confirm, but the business insisted it was OK.
When the wire request came back “unable to apply” the business checked the wire instructions and submitted the wire request again, and this time the receiving bank did not reject it. Then the fraudster, posing as the vendor, called to say that they had not received payment yet, and the businesses submitted the wire request a third time, resulting in total payments exceeding $200,000.
Story 5: “Attorney” Calls with Wire Instructions
The finance department received an email from their CEO regarding a company acquisition that was top secret. The email explained that an attorney working on the acquisition would send payment instructions. They subsequently did receive an email (from the fraudster), and it was from a compromised email address at a real law firm, adding legitimacy to the request. The “attorney” then called to provide wire instructions over the phone. The loss was averted only when the FI called the CEO to confirm.
Story 6: Request Timed with CEO Travel
A company’s accountant received an email from the CEO instructing him to send out wire transfers totaling over $100,000. The accountant tried to confirm by phone but was unable to reach the CEO who was traveling overseas. When the accountant responded to the email instructions with a follow-up question, he received an abrupt reply reprimanding him to get it done. Although there were internal checks in place and a controller raised questions, the air of business urgency won out and the wires were ultimately sent out.
The wire transfers were directed at legitimate businesses in a different state. These businesses promptly received calls from the fraudsters claiming to be from the Minnesota company, indicating that they had accidentally sent the funds and instructing that the funds be “returned” this time being directed to a third account controlled by the thieves. (Thanks to http://www.fredlaw.com/updates__events/legal_blogs for this one.)
Financial institutions are invited to download our Best Practices for Detecting Bank Fraud whitepaper that includes resources and best practices for you and your business customers.