Businesses Beware of the “Business Email Compromise” (B.E.C.)

Phishing scams used to primarily seek out individuals as their victims, but more recently, these e-mail wire-transfer scams have begun targeting businesses of all shapes and sizes: public and private, larger corporations to smaller businesses, techs to non-profits. Costs to victims continue to rise as more than $1 billion
in losses was reported just in the past 18 months (according to the U.S. Secret Service). The FBI has received worldwide reports from business email compromise victims from every U.S. state and 79 countries where the schemes where perpetrated pointing to an increase in criminal enterprises groups of people coordinating efforts and targeting businesses as opposed to a single fraudster acting alone. Since January 2015, the FBI has seen a “270 percent increase in identified victims and exposed losses” (FBI Press Release, Mar. 29, 2016).

phishingPhishing, as The Federal Trade Commission defines it, is “ internet fraudsters impersonating a business to trick you into giving out your personal or financial information.” Typically, the phishing schemes targeting individuals use emails or texts that appear to be from companies or organizations that the intended victim does business with. With coyly-worded and sometimes even threatening requests for information, the scammers play on an individual’s fear over a potential security breach or costly financial mistake: “we suspect an unauthorized transaction on your account, click here….”’; “we could not verify your account, update here…”; “our records show your account was overcharged, and we want to refund you; call….”

Now in an attempt to catch bigger fish, the scammers have turned their phishing efforts more aggressively towards American businesses resulting in major financial losses. B.E.C is also known as “CEO fraud” or “the man in the middle” scheme focuses on businesses that routinely use wire-transfers to make payments. Using “spoof” emails imitating known business partnerships, the scammers request wire-transfers for what are usually legitimate invoices. To create the fake vendor emails and phony emails from senior level executives, the fraudsters extensively research a company and its employees using public information or information gathered via hacking email accounts. Knowing a company’s money handling protocols enables the scammers to target key employees and even CFOs. Companies doing business internationally are particularly targeted as they most often use the wire transfer payment method.

These B.E.C. scams have five versions, according to the FBI:

“Bogus Invoice Scheme”
Posing as a legitimate and known supplier of targeted business victim, fraudster requests a wire fund to pay for an invoice directed to an alternative/fraudulent account. Request may be made via telephone, fax or email. Email “spoofs” or fax requests so closely mimic the legitimate suppliers that alternative names for this fraud are “the supplier swindle,” or “invoice modification scheme.”

Phishing - Fraud - Scam - iStock_000061463260_481 × 480“Masquerading” or “CEO fraud”
Hacking email accounts of high-level executives, scammers make requests from the compromised CFO, CTO, or CEO accounts for a money-handling employee to make a wire transfer. Or, the fraudster makes the request directly to the financial institution with urgent instructions to send funds to another bank. “CEO fraud,” 
business executive scam,” and “financial industry wire frauds” are all used to refer to this kind of B.E.C.

Employee Email Hack/Fake Invoices to Venders
Hacking personal accounts of company employees, identifying vendors from contact lists, and sending targeted vendors invoices for payments directed to “fraudulently-controlled bank accounts”; fraud can remain undetected until contacted by vendors following-up on payments made.

Urgent Request for Funds (Confidential or Time-sensitive Legal Issues)
Contacting victims (company employees), fraud perpetrator, identifying as a lawyer or representative of a law firm, calls or emails the victim and pressures for money to act quickly and secretly in transferring the money. May be timed to coincide with close of international financial institutions or end of business day or work week.

In time for Tax Season: W-2/PII (Personally Identifiable Information) Request
Spoofing a business executive’s email and sending emails to bookkeeping, auditing dept., or HR (the targeted recipients), hackers request all Wage or Tax Statement Info (W-2) forms or company list of PII. Some victims recalled these requests prior to a B.E.C attack.

Subscribe to this blog in the sidebar to the right to be notified when part 2 of this blog series is released.