Business Email Compromise Scam

This week past week the US-CERT, a unit within Department of Homeland Security, issued a Fraud Alert on an ongoing Business Email Compromise Scam.

Many instances have been reported where the fraudsters wait until the CEO/CFO is traveling before sending wire transfer instructions, making it more likely that the executive would use email for this request and also making it more difficult to verify. In many instances, this email has indicated that this is a confidential or urgent matter and must not be discussed with anyone else in the company.

A finance or accounting employee within the company may receive an email like this:

—– original message —–

From: Jane Doe [mailto:jdoe@companyx.com]
Sent: Monday, June 15, 2015 12:12 AM
To: Jill Smith [mailto:jsmith@companyx.com]
Subject: Requests:
Importance: High
Sensitivity: Confidential

Hello Jill,

I need to do a wire transfer. Get back to me for the beneficiary details.

Thanks,

Jane Doe/CFO

—– end message —–

The finance or accounting employee will receive another message with the beneficiary details and wire instructions. This scam relies on the fact that 1) the CFO/CEO is traveling and may be unreachable and 2) it is a regular job function of the targeted finance or accounting person to send wires. Ultimately this may be a standard type of request this employee may receive.

How to Spot BCE and Phishing Emails:

  • Poor Grammar/Spelling: Phishing emails typically contain grammatical errors and misspelled words. These messages may be translated from other languages. The date formatting can also be a tipoff. Over the years, the bad guys are doing a better job at this, so proper grammar and spelling doesn’t always mean an email is legitimate.
  • Email Format: A majority of legitimate messages will be written with HTML. You will typically see a mix of text and images. A poorly constructed phishing email may show an absence of images. If the body of an email is only an image as text, it is possible that it is illegitimate. If an email is all in plain text and is not what you would expect from the sender it is best to contact the sender via a separate email or phone call.
  • Urgent Request: It’s not unusual to get an urgent request as part of your day-to-day responsibility however one of the tactics of the scam is that this is an urgent, sensitive, and confidential matter that should not be discussed with anyone else. If this is out of the ordinary should be a red flag, and again it is best to contact the sender directly via a separate email or a phone call.

The FBI, USSS, and Financial Services Information Sharing and Analysis Center (FS-ISAC) recommend the following risk mitigation.

The key to reducing the risk from BEC (Business E-mail Compromise) is to understand the criminals’ techniques and deploy effective payment risk mitigation processes. There are various methods to reduce the risk of falling victim to this scam and subsequently executing a fraudulent wire transfer.  Some of these methods include:

  • Verifying a change in payment instructions to a vendor or supplier by calling to verbally confirm the request (the phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor)
  • Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions
  • Limit the number of employees within a business who have the authority to approve and conduct wire transfers

Safeguarding the Wire Transfer Process:

Use an alternative method of communication to verify wire transfer requests that are seemingly coming from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive via text message a one-time code and a phone number to call in order to confirm the wire transfer request. When the staff at a victim business is contacted by the bank to verify the wire transfer, the staff should delay the transaction until additional verifications can be performed.

Consider requiring dual approval for any wire transfer request involving:

  • A dollar amount over a specific threshold
  • Trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments
  • Any new trading partners
  • New bank and account numbers for current trading partners
  • Wire transfers to countries outside of the normal trading patterns