The FBI’s Internet Crime Complaint Center has issued an updated public service announcement regarding the rising trend of e-mail payment scams in the United States and abroad.

According to the FBI, over 40,000 incidents occurred worldwide between October 2013 and December 2016, resulting in an exposed dollar loss of over US$5 billion.  The FBI notes that these threats are increasing, with losses from sophisticated payment scams growing 2,370% between 2015 and 2016.

While all businesses should be vigilant against cyber-attacks, entities that conduct business internationally or use vendors outside the U.S. are particularly at risk.

WHAT IS A BEC/EAC SCAM?

The FBI defines Business E-mail Compromise (BEC) as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.  E-mail Account Compromise (EAC) scams are a component of BEC that targets individuals who perform wire transfer payments.  More recently, the scams have evolved to include targeting Personally Identifiable Information (“PII”) of customers and/or employees, as well as employee Wage and Tax Statements (W-2s).

The scam is typically committed by the perpetrator using a hacked or “spoofed” email address.  A spoofed email is one that is created by a hacker to mimic a legitimate customer, vendor, or employee.  For example, to mimic a legitimate email from “Legitimate-Vendor.com”, the perpetrator may create email addresses with the domains Legitimate_Vendor.com (replacing the hyphen with an underscore) or Legitmate-Vendor.com (missing the letter “i”).

The FBI reports five main scenarios by which the scam is perpetrated:

  • Business Working with a Foreign Supplier: A business with a longstanding relationship with a supplier is requested to wire funds for an invoice to an alternate, fraudulent account controlled by the perpetrator.  The request may be made via telephone, fax, or through a spoof email.  The request will often reference a legitimate invoice that the perpetrator has surreptitiously obtained.
  • Business Executive Receiving or Initiating a Request for a Wire Transfer: A wire request is made from the e-mail account of a high-level executive (either hacked or spoofed) to an employee with responsibility for processing these requests.  In some instances, the wire transfer request is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.”
  • Business Contacts Receiving Fraudulent Correspondence Through Compromised E-mail: An employee’s e-mail is hacked.  The perpetrator sends emails to customers/vendors requesting that future payments be sent to a perpetrator-controlled bank account.
  • Business Executive and Attorney Impersonation: An employee is contacted by a perpetrator who identifies himself as a lawyer or executive handling confidential or time-sensitive matters.  The employee is pressured to act quickly and/or secretively to transfer funds.
  • Data Theft: Fraudulent requests are sent utilizing a business executive’s compromised e-mail.  The entities in the business organization responsible for maintaining personnel or other sensitive information, such as the human resources, bookkeeping, or auditing departments, have been the targets of fraudulent requests for W-2s and/or PII.

WHAT DO I DO TO AVOID FALLING VICTIM TO A BEC/EAC SCAM?

The FBI explains that robust internal prevention techniques at all levels (especially for employees who may be the recipients of phishing attempts) have proven highly successful in recognizing and deflecting BEC/EAC attempts.  Some self-protection strategies include:

  1. Implement and Maintain “Good Cyber Hygiene”: Following basic cybersecurity practices can go a long way toward preventing a BEC/EAC scam.  Perpetrators are often targeting “low-hanging fruit”: those businesses that have not taken steps to identify and repel the most common types of cyberattack that can lead to a BEC/EAC scam.  At a minimum, businesses should update software regularly to ensure software patches are installed, implement and enforce strong password policies, and require employees to attend training so that they can identify and immediately report suspicious email or activity.  If employed diligently, these three controls would have prevented the vast majority of publicly disclosed breaches.
  2. Watch for “Red Flags”: Be wary of any request for secrecy or pressure to take action quickly.  Sudden changes in business practices should also warrant additional scrutiny.  These include requests from business contacts to start using a personal or alternate email, or any request to change wiring or other payment instructions.
  3. Implement IT and Financial Security Procedures: Controls don’t have to be fancy to work: all businesses should implement multi-step verification for wire transfers or requests for confidential documents.  Picking up the phone to verify an email request is simple but effective.  Technology is also conspiring in your favor: two-factor authentication for highly sensitive systems is widely available and inexpensive, and next-generation and Artificial Intelligence-powered security systems can help recognize anomalies at a price point that scales to small and medium-sized businesses.
  4. Register Similar Domain Names: Consider registering domains that are slightly different than your company domain.  Perpetrators have been known to mimic domains by replacing the letter “m” with “rn” (company.com vs. cornpany.com), substituting the letter “l” with the number “1” (legitimatecompany.com vs. 1egitimatecompany.com), and reversing one or more letters (companycreative.com vs. companycraetive.com).
WHAT SHOULD I DO IF I AM A VICTIM OF A BEC/EAC SCAM?

Act quickly.  Contact your financial institution and local FBI office immediately.  It may be possible to freeze or reverse a fraudulent wire transfer if it is discovered quickly enough (usually within 24 hours).  Victims should also file a complaint, regardless of dollar loss, with www.ic3.gov or for BEC/EAC victims, bec.ic3.gov.

– Keesal, Young & Logan Cyber Risk Management Group

This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice.  Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan.  You should not act upon this information without seeking professional counsel.