An increasing number of businesses continue to be targeted by very sophisticated email scams designed to convince company employees responsible for executing financial transactions to wire funds to overseas accounts controlled by perpetrators of the scam.
US$215 million in losses and counting
The FBI’s Internet Crime Complaint Center (IC3) reported that, from Oct. 1, 2013 to Dec. 1, 2014, Business E-mail Compromise (BEC) scams claimed over 2,000 individual victims and generated losses of nearly US$215 million in the United States. Of that total, US$179.7 million was fleeced from nearly 1,200 victims using the BEC tactic in just three months, from Oct. to Dec. 2014.
In addition to victims in the U.S., the FBI has documented nearly 1,000 non-U.S. victims in 45 countries associated with wire transfer fraud scams, with wire funds reportedly being sent primarily to Asian banks located in China and Hong Kong.
Understand email scams and educate key employees
Owners and employees of businesses that work with foreign suppliers need to be on the lookout for email scams that attempt to trick businesses into making fraudulent wire transfers. Employees need to be made aware that phishers not only play on the similarity of domains (read our previous QuickStudy on Wire Transfer Fraud), but also prey on the eagerness of most employees to please. BEC scams are crafted to be sophisticated.
The key element of this type of attack is, simply, “doing your job”: when the CEO or CFO tells you to do something, you do it. Employees believed they were acting on the wishes of executives who had communicated through e-mail (or of vendors, through phony emails) to transfer funds, not realizing they were making fraudulent wire transfers. Once a business owner or other employee is tricked into making a wire transfer to a foreign bank, the criminals transfer the funds into a global money-laundering network.
Victim organizations vary in size from small family-run businesses with a few employees all the way up to large enterprises, and those that fall for such scams often lack strong internal controls. Banks and enforcement agencies continue to attempt to recover funds where cases involve legitimate employee names with fake email aliases.
Protect against a wire transfer scam
While anti-spam and anti-phishing technology does spot attacks, criminals have improved at spoofing email messages, with the targeted nature of the request typically getting the bogus messages past spam filters.
Organizations need to ensure employees are aware that fraudulent email requests for a wire transfer are well-worded, well-planned and believable; are based on detailed information specific to the business being victimized; and do not raise suspicions about the legitimacy of the request. Criminals research and monitor their selected victims prior to sending out a phishing email, and identify and target employees who have the access necessary to perform wire transfers within the business.
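As an added illustration that is not part of the original article, the sketch below shows how a mail gateway or review script could flag the two patterns described above: a sender domain that closely resembles a trusted one, and a real executive's name on an address that is not theirs. The domains, the executive name, the keyword list and the edit-distance threshold of 2 are all constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed values (reserved .example TLD); substitute your own.
TRUSTED_DOMAINS = {"contoso-corp.example", "supplier-ltd.example"}
EXECUTIVES = {"jane doe": "jane.doe@contoso-corp.example"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|remit|beneficiary|swift|iban)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def red_flags(from_header, reply_to, subject, body):
    """Return the BEC indicators found in one message's headers and text."""
    flags = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    # 1. Lookalike domain: close to, but not equal to, a trusted domain.
    if domain not in TRUSTED_DOMAINS:
        for good in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(domain, good) <= 2:
                flags.append(f"lookalike-domain:{domain}~{good}")
    # 2. A real executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        flags.append("executive-name-mismatch")
    # 3. Replies routed to a different domain than the visible sender.
    rt = parseaddr(reply_to or "")[1].lower()
    if rt and rt.rpartition("@")[2] != domain:
        flags.append("reply-to-differs")
    # 4. Payment language is only reported alongside another indicator.
    if flags and PAYMENT_TERMS.search(subject + " " + body):
        flags.append("payment-request")
    return flags

if __name__ == "__main__":
    # Constructed sample message: digit 0 substituted for the letter o.
    print(red_flags("Jane Doe <jane.doe@contoso-c0rp.example>", None,
                    "Urgent wire today", "Please transfer the funds before noon."))
```

A flagged message is a prompt to verify the request through a separate, known-good channel; an empty result does not establish that a message is legitimate.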
Train employees to recognize red flags, including requests that:
If you suspect you have been scammed by BEC emails: