Businesses and other organizations have lost more than $3 billion to business email compromise scams (BEC), according to study released by the Better Business Bureau (BBB).
“This serious and growing fraud has tripled over the last three years, jumping 50 percent in the first three months of 2019 compared to the same period in 2018,” the BBB reports. “In 2018, 80 percent of businesses received at least one of these emails. From 2016 through May 2019, the Internet Crime Complaint Center (IC3) received 58,571 complaints on BEC fraud, with reported losses in the U.S. totaling $3.1 billion. BBB’s report finds that the average BEC loss involving wire transfers is $35,000, while the average loss involving gift cards is $1,000 to $2,000. However, the cost to businesses can be much higher: Google and Facebook lost more than $100 million to BEC fraud before the perpetrator was arrested in 2017.”
BEC fraud is an email phishing scam that typically targets people who pay bills in businesses, government and nonprofit organizations. It affects both big and small organizations, and it has resulted in more losses than any other type of fraud in the U.S., according to the Federal Bureau of Investigations (FBI). BEC leads to wire transfer fraud. According to the FBI, there were real estate wire fraud resulted in losses of $149 million from 11,300 people in 2018.
To put this into context, the average closing scam nets criminals $130,000 versus the average bank robbery collecting $3,816 and ransomware $722. These numbers are just the tip of the iceberg. The FBI estimates that only 12-15 percent of these crimes are reported to law enforcement.
The FBI recognizes at least six types of activity as BEC or email account compromise (EAC) fraud, which differ based on who appears to be the email sender:
A Realtor or title company redirecting proceeds from a real estate sale into a new account. These targeted email phishing scams are sometimes called “spear phishing.”
a chief executive officer (CEO) asking the CFO to wire money to someone
a vendor or supplier requesting a change in invoice payment
executives requesting copies of employee tax information
senior employees seeking to have their pay deposited into a new bank account
an employer or clergyman asking the recipient to buy gift cards on their behalf
A Realtor’s Story
A real estate agent in Edwardsville, Ill., told the BBB that on the closing date for a house she helped sell, the buyer received an email appearing to come from the agent, requesting that the buyer wire funds to a specified account. This was contrary to the agent’s instructions that the buyer bring a certified check to the closing. While the agent did not send the email nor was it from her true email address, the amount requested was the actual closing price of the house. An attached PDF showed the letterhead of the real company handling the transaction. The account to which the money was to be wired was fake. The buyer did not comply and brought a certified check to the closing. Since the agent reported the incident to her manager and the title company, her company now warns clients to call the title company or real estate agent if they receive instructions to wire real estate closing money.
Active efforts are being made to fight BEC fraud. In August, 80 defendants, believed to be responsible for at least $6 million in losses, were indicted in Los Angeles for BEC fraud in a major effort led by the FBI. In September, a worldwide law enforcement effort yielded 74 arrests for BEC-related fraud in the U.S., 167 in Nigeria and 40 in several other countries, with nearly $3.7 million in assets seized from the fraudsters. The U.S. Justice Department has brought at least 22 cases in the last three years, many as part of a collective enforcement effort dubbed “Operation Wire Wire,” named for BEC fraud’s common name among Nigerian fraudsters.
Email Not Coming From the Person Listed in the “From” Line
According to the BBB, standard internet settings allow those sending email to have any name appear in the “from” line. So, fraudsters can simply send an email that says it’s from Eddie Alias in the inbox. However, if one looks closely, or hits reply, you can see that it’s really from IMAfraud@yahoo.com. A study by AGARI found that 82 percent of the time BEC gangs simply use display name deception. These tactics may be more effective when people are reading emails on their phones or on other devices, where the screen is small and the actual email is hard to read. So when an email comes “from” a superior or a trusted partner, there is a risk that people will not look closely, especially if it is marked urgent and the employee is anxious to please the supposed sender. One suggestion is to “forward” the email and type in the email of the known contact, rather than replying.
Fraudulent Email Domain
Fraudsters also will often set up an email domain that is similar to the real one. Fraudsters may register the domain name “exarnple.com.” Note, that unless you look closely, the eye reads the “r” and the “n” as an “m.” These emails may come from email@example.com, and those getting the email may not recognize it is not from the title of “example.com.”
Access to Email Accounts
BEC emails may come from the email account of a legit business. Fraudsters can simply log in to someone else’s email account if they already have their username and password. Usernames and password combinations are frequently obtained through phishing attacks and are readily available for sale on the internet, often on the dark web. The BBB reports that getting access to someone else’s email seems to occur in only a small percentage of BEC cases, but the advantages are very large. It allows fraudsters to read all of the email and learn about ongoing transactions, such as real estate closings.
In its report, the BBB says that with the introduction of Google Docs and DocuSign, important papers may come as email attachments. Logging into bogus phishing emails and opening those documents can allow fraudsters to steal email login credentials or release malicious malware programs.
The BBB report recommends:
Businesses and other organizations to take technical precautions such as multifactor authentication for email logins and other changes in email settings, along with verifying changes in information about customers, employees or vendors. The report also urges culture and training changes in organizations – namely, confirming requests by phone before acting and training all employees in internet security.
Email system providers should consider enabling additional features to help prevent BEC fraud, including default settings with more security.
Law enforcement should recognize that BEC fraud gangs engage in many varieties of the fraud at the same time and focus on the key actors in the frauds, not just supporting actors such as money mules.
What should you do if your organization is hit by wire transfer fraud? Check out ALTA’s Rapid Response Plan for Wire Fraud Incidents. ALTA also has developed a checklist for outgoing wires.
Click on the link below to read the complete article online at ALTA.org