Business Email Compromise: A small business killer
In May of 2018 the Federal Bureau of Investigation (FBI) released the IC3 2017 Internet Crime Report. IC3 stands for the Internet Crime Complaint Center. It was established in 2000 and has received a total of 4,063,933 complaints since its inception. The IC3 is a clearinghouse for criminal Internet activity and receives over 800 complaints a day. In 2017 the IC3 reported that complainants lost over $1.42 billion.
Not surprisingly, the Business Email Compromise scam, known as BEC for short, is at the top of the list for reported losses. In 2017 there were 15,690 complaints made to the IC3 with $676 million in losses. The true numbers are most likely much higher, as it is well known that many cyber crimes are either not reported or simply reported to local authorities. In a public service announcement released in May of 2017, the FBI warned that this scam has cost victims over $5 billion between 2013 and 2017.
BEC scammers target small, medium and large businesses that regularly conduct large wire transfers. Companies that deal with foreign suppliers, real estate companies and construction companies are typical targets.
Businesses in Utah are not immune to the BEC scam. The IC3 reports that in 2017, 150 Utah businesses reported cumulative losses of $5 million.
How does the scam work?
The IC3 has identified five distinct scenarios for how the scam works, but in general the scam starts with a suspect compromising an email account within the victim organization. The compromise might simply be a weak password on an account, which is then cracked by brute force. Credentials may also be obtained through phishing techniques, such as sending email that pretends to be from within the organization in order to trick individuals into revealing credentials.
Once email credentials are obtained the suspect will look within the compromised account for previous and current contracts or impending contracts or wire transfers. They will also obtain important intelligence about the roles of different personnel within the company, how they address their clients and what their signature line looks like.
When the suspect identifies a pending transaction within the email account, they will then impersonate the recipient of the pending wire transfer. They typically do this by simply creating or “spoofing” an email account that is very similar to the recipient’s. So, for example, if the intended recipient’s email address was James@Isellcars.com, the suspect would create a similar email account by either changing the top level domain to .net or .org, or by changing a letter or adding a number so that the address looks the same at a quick glance. Changing the “I” to a lower case “L” would look like James@lsellcars.com, which is almost identical to the first email address. There are a variety of tricks they use to make an email address look like the one they’re impersonating.
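Added example, not part of the original article: a small Python check that compares a sender's domain against the domains a business already trades with and flags the three tricks described above (changed top level domain, a look-alike letter, an added or changed character). The allow-list, the confusable-character set and the function names are assumptions made for illustration.

```python
import unicodedata

# Constructed allow-list: domains this business already exchanges wires with.
KNOWN_DOMAINS = {"isellcars.com"}
# Characters that pass for one another at a glance (small illustrative set).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})

def skeleton(label):
    """Fold a domain label so visually confusable spellings compare equal."""
    return unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address, known=KNOWN_DOMAINS):
    """Return (verdict, matched_domain) for the domain of a From address.

    Assumes simple name.tld domains; multi-part suffixes such as .co.uk
    would need a public-suffix list.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return ("known", domain)
    name, _, _tld = domain.rpartition(".")
    for good in sorted(known):
        good_name = good.rpartition(".")[0]
        if name == good_name:
            return ("tld-swap", good)        # isellcars.net vs isellcars.com
        if skeleton(name) == skeleton(good_name):
            return ("confusable", good)      # lsellcars.com vs Isellcars.com
        if edit_distance(name, good_name) <= 1:
            return ("near-match", good)      # one letter or digit added/changed
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ("James@Isellcars.com", "James@lsellcars.com",
                   "james@isellcars.net", "james@isellcars1.com"):
        print(sender, check_sender(sender))
```

Any verdict other than "known" on a message that mentions wire instructions is a reason to confirm by phone before sending funds.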
After the email account has been created the suspect will then copy the email thread referencing the pending wire transfer, draft an email using the spoofed email account and paste the thread into the new email conversation making it look like it’s part of the original email between the two parties. The suspect will then say they need to provide new wiring instructions because of some unforeseen change. The wire transfer is completed and the money is then typically sent to an unwitting actor who is the victim of a romance scam.
The unwitting actor has been tricked into accepting wire transfers which they believe are their loved one’s legitimate business dealings. These dealings are typically anything from a bogus inheritance, a real estate business or the safeguarding of funds from a money-hungry ex-spouse. These funds are then either withdrawn and sent via MoneyGram or Western Union or simply re-wired into other unwitting actors’ accounts until the funds end up overseas in the fraudster’s account.
Difficulties of Investigating the BEC
The BEC is difficult to investigate and it is extremely difficult to recover the wired funds. The biggest reason is that the fraudsters use multiple bank accounts and move the money very quickly. Law enforcement is required in most cases to obtain legal process to identify the recipient of the wire transfer and any subsequent transfers. In a best case scenario, this process delays the investigation by at least several weeks and at times months. The funds are quickly transferred overseas and into uncooperative jurisdictions. When recipients of the wire transfer are identified and interviewed, they have very little information about the subject they received the wire transfer from.
Another major obstacle for investigating the BEC is that local law enforcement are not able to make requests of foreign governments and their law enforcement counterparts. There are, however, Mutual Legal Assistance Treaties (MLAT) between the United States federal government and many cooperative countries. These treaties allow for the sharing and exchange of information for the purpose of enforcing the law. A partnership with a federal agency like the Federal Bureau of Investigation (FBI) is one of the best ways to be able to make requests and obtain valuable information from a foreign country.
FBI Cyber Task Force
In 2013 the Utah Department of Public Safety (DPS) partnered with the FBI and placed three Agents on the FBI Cyber Task Force. The task force investigates BECs and other financially motivated computer intrusions and cyber-enabled Internet fraud. This partnership helped DPS Agents on the task force successfully investigate and arrest two suspects in a BEC of a small Utah business that lost $60,000 in a fraudulent wire transfer.
In this specific BEC an accountant received a spoofed email from what appeared to be his CEO who was currently out of town. The “CEO” requested a wire be sent to a supplier for products they normally use. The accountant wired approximately $60,000.00 to a money mule in the Atlanta, GA area. That money was quickly withdrawn, laundered and is now unfortunately gone. Over the course of the investigation two involved subjects were identified, indicted, arrested and brought to Utah for prosecution. The investigation has also uncovered ties to Nigerian fraudsters. Through this investigation other victims of this BEC fraud ring have been identified. As of right now the total loss is in the hundreds of thousands.
How can you protect your business from BEC attacks?
There are several simple things that you can do to prevent your business from losing hundreds of thousands of dollars from this scam. First and foremost, make sure the passwords for email accounts in your business are complex and changed regularly. Passwords should be at least 8-10 characters long using upper and lower case letters, numbers and special characters. It is safer to use a passphrase of multiple words versus one simple dictionary word which could be brute forced in seconds. Also, never reuse a password. Employees should have a unique password for every login they have. If a login and password are compromised in a data breach, fraudsters could try using that login and password on any one of your accounts.
The next thing that can prevent a BEC is to pay close attention to any changes to wire instructions that are made mid-negotiation or mid-transaction. BEC fraudsters will insert themselves in the middle of the transaction and request funds be sent to a different bank. This should be a huge red flag and an immediate phone call should be made to the recipient to confirm the new banking instructions.
A simple policy to make telephone contact with the recipient prior to sending a wire could prevent a majority of BEC cases. This may or may not be feasible depending on how many wire transfers your business conducts in a day or if you do international wire transfers and there is a language barrier between sender and recipient. But if you consistently do domestic wire transfers a simple phone call to the recipient would eliminate all headaches that would follow a BEC.
When and where should I report a Business Email Compromise?
The sooner an incident is reported the better. Funds from a domestic wire transfer can be depleted within hours of the transfer. International wire transfers have a good chance of being stopped if they are reported within 72 hours.
Contact the Department of Public Safety at (833) 377-7233 or the Salt Lake City FBI field office at (801) 579-1400.