Business Email Compromise Continues to Swindle and Defraud U.S. Businesses

Business email accounts

FS-ISAC members and federal law enforcement agencies continue to report an increase in wire transfer fraud against U.S. businesses through a scam referred to as Business Email Compromise (BEC). BEC is a type of payment fraud that involves the compromise of legitimate business email accounts for the purpose of conducting an unauthorized wire transfer. After a business email account is compromised, actors use the compromised account or a spoofed account to send wire transfer instructions. The funds are primarily sent to Asia, but funds have also been sent to other countries all over the world.

Most BEC incidents involve the compromise of an email account belonging to a business’s CEO/CFO in order to send an email to an employee with the ability to conduct wire transfers. Other incidents involve the compromise of a vendor/supplier’s email account with the intent of modifying the bank account associated with that vendor/supplier.

In most cases, after the actors compromise the legitimate business email accounts through social engineering or malware, they conduct reconnaissance to review the business’s legitimate email communications and travel schedules. In some instances, actors have auto-forwarded emails received by the victim to an email account under their control. This reconnaissance stage lasts until the actor feels comfortable enough to send wire transfer instructions using either the victim’s email or a spoofed email account that is controlled by the actor. The difference in the spoofed email account is very subtle and can easily be mistaken for the legitimate business email address.

Successful BEC incidents result in monetary loss to victim businesses.

The key to reducing the risk of BEC is to understand the criminals’ techniques and deploy effective payment risk mitigation processes. There are various methods to reduce the risk of falling victim to this scam and subsequently executing a fraudulent wire transfer. Some of these methods include:

• Verifying a change in payment instructions to a vendor or supplier by calling to verbally confirm the request (the phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor);
• Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions;
• Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers;
• Use out-of-band authentication to verify wire transfer requests that seemingly come from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive via text message a one-time code and a phone number to call to confirm the wire transfer request;
• When staff at a victim business is contacted by the bank to verify a wire transfer, the staff should delay the transaction until additional verifications can be performed; and
• Require dual-approval for any wire transfer request involving:
  • A dollar amount over a specific threshold; and/or
  • Trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments; and/or
  • Any new trading partners; and/or
  • New bank and/or account numbers for current trading partners; and/or
  • Wire transfers to countries outside of the normal trading patterns.

June 24, 2015: Initial Release