Extent of the Problem
Since 2013, when the FBI began tracking an emerging financial cyber threat called business e-mail compromise (BEC), organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world—from non-profits and well-known corporations to churches and school systems. Losses are in the billions of dollars and climbing.
At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.
Although the perpetrators of BEC—also known as CEO impersonation—use a variety of tactics to fool their victims, a common scheme involves the criminal group gaining access to a company’s network through a spear-phishing attack and the use of malware. Undetected, they may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”
Martin Licciardo, special agent, FBI Washington Field Office
When the time is right, often when the CEO is away from the office, the scammers send a bogus e-mail from the CEO to a targeted employee in the finance office—a bookkeeper, accountant, controller, or chief financial officer. A request is made for an immediate wire transfer, usually to a trusted vendor. The targeted employee believes he is sending money to a familiar account, just as he has done in the past. But the account numbers are slightly different, and the transfer of what might be tens or hundreds of thousands of dollars ends up in a different account controlled by the criminal group.
If the fraud is not discovered in time, the money is hard to recover, thanks to the criminal group’s use of laundering techniques and “money mules” worldwide that drain the funds into other accounts that are difficult to trace.
“The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering,” Licciardo said. “They are experts at deception. The FBI takes the BEC threat very seriously,” he added, “and we are working with our international partners to identify these perpetrators and dismantle their organizations.”
$14,000,000 / Month: The FBI’s estimate of known Business Email Compromise losses in Los Angeles.
Work With Your Bank
- Out-of-band confirmation
- Dual control on wires
- Transaction and login alerts
- Check with your bank on other available controls
- Establish clear procedures to follow in the event of suspected fraud
Online Fraud Prevention Controls
- If possible, use a dedicated workstation for online banking. Do not use it for browsing or e-mail. Keep it patched and updated.
- Confirm – by voice or other out-of-band means – all requests to change payee information
- Confirm – by voice or other out-of-band means – all requests to transfer funds
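The two confirmation controls and the dual-control item from the bank list can be enforced mechanically before a wire is released. The following Python is an added example written for this page; it is not code from the FBI, SecureTheVillage or City National Bank, and the vendor master, callback number, account numbers and the `WireRequest` fields are constructed for illustration. It holds a wire when the beneficiary details differ from the vendor master and no voice confirmation was made at the callback number already on file (a number supplied in the request e-mail does not count), and when a second, different person has not approved it.

```python
"""Pre-release checks for an outbound wire, modelled on the controls above:
compare beneficiary details against the vendor master, require out-of-band
confirmation of any change, and enforce dual control.
All data here is constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed vendor master: the account and callback number on file.
# The callback number must come from here, never from the request e-mail.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "Acme Supply": {
        "account": "123456789012",
        "routing": "021000021",
        "callback_phone": "+1-555-0100",
    },
}


@dataclass
class WireRequest:
    vendor: str
    beneficiary_account: str
    routing: str
    amount: float
    requested_by: str                      # finance employee entering the wire
    approved_by: Optional[str] = None      # second person, for dual control
    confirmed_by_phone: Optional[str] = None  # number actually called to confirm
    confirmation_note: str = ""


def digit_mismatches(a: str, b: str) -> int:
    """Count positions where two account strings differ (right-aligned).
    BEC beneficiary accounts are typically only a digit or two off."""
    width = max(len(a), len(b))
    return sum(x != y for x, y in zip(a.rjust(width, "x"), b.rjust(width, "x")))


def evaluate_wire(req: WireRequest, master=VENDOR_MASTER) -> List[str]:
    """Return the reasons this wire must NOT be released yet.
    An empty list means every control is satisfied."""
    holds: List[str] = []
    record = master.get(req.vendor)
    if record is None:
        holds.append("unknown vendor: new payees need setup and out-of-band verification")
        return holds

    changed = (req.beneficiary_account != record["account"]
               or req.routing != record["routing"])
    if changed:
        diff = digit_mismatches(req.beneficiary_account, record["account"])
        # Only a confirmation made at the number on file clears a change.
        if req.confirmed_by_phone != record["callback_phone"]:
            holds.append(
                f"beneficiary details differ from vendor master "
                f"({diff} digit(s) changed) and are not confirmed by voice "
                f"at the callback number on file")

    # Dual control: a second, different person must approve every wire.
    if not req.approved_by or req.approved_by == req.requested_by:
        holds.append("dual control not satisfied: approver missing or same as requester")
    return holds


if __name__ == "__main__":
    # "Urgent" request with the last two account digits transposed.
    req = WireRequest("Acme Supply", "123456789021", "021000021", 84000.0,
                      requested_by="controller")
    for reason in evaluate_wire(req):
        print("HOLD:", reason)
```

The check deliberately ignores anything the requester types into `confirmation_note`; the only evidence that counts is the phone number that was actually dialled, compared to the one stored before the request arrived. A wire to an unchanged account with a second approver passes with no holds, so the control adds friction only where the fraud pattern described above appears.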
Distrust and Caution Are the Parents of Security … Benjamin Franklin
SecureTheVillage Webinar: Online Bank Fraud – How to Avoid Being a Victim
Webinar Deck (PDF): Online Bank Fraud – How to Avoid Being a Victim
April 1, 2018: Stan’s Guest: Barbara Watkins, Senior Vice President Treasury Management, City National Bank