The FBI recently announced an increase in fraud complaints filed by business owners. Business owners have been receiving fraudulent wire transfer requests that appear to be legitimate. Often the scam is targeted at high-level employees who have some knowledge of the business’ internal payment process and supplier information. There are enough reported incidents that the FBI has named this scam Business E-mail Compromise (BEC).
Staff often assume any request from a senior officer must be done without question. This can lead to problems if your staff isn’t trained and encouraged to ask about issues that “just don’t seem right”.
Most likely, a number of criminals are acting independently, each taking advantage of a relatively easy way to scam a business. The crook may have previously hacked into a business’ database for information, or purchased stolen data from one of the dark market sites.
One of the latest versions of BEC is a false email supposedly from a vendor sent to a CEO or CFO. The request is for a wire transfer to be sent to pay an invoice. Often funds are to be sent to a foreign country.
In another variation, the request is sent to an employee who is known to handle invoice payments. The request is from a senior manager’s compromised email account, so the payment employee assumes it is a legitimate request from within the organization. In yet other cases, the wire transfer request is sent directly to the bank from the compromised senior manager’s email account, so the bank thinks it is an authorized request.
One thing that sets these scam emails apart is that they appear professional: the wording and grammar are correct for the context. The dollar amounts are in line with the business’ normal wire transfer patterns. And many of the victims use an open source email service.
What to Do
Review your invoice payment procedures to make sure you have sufficient double checks in place. Share stories with your staff so they understand why they truly must follow all the procedures, even when they think they know all their vendors and bank partners.
Talk with your bank about dual authentication measures for wire transfers. Invoke the strictest measures they offer. As a business, your fraudulently moved funds may not be reimbursed as consumer funds might be. Know the details so you and your staff make thoughtful decisions.
Find out from your vendors what their safeguards are. Arrange a secure method to confirm invoices and payments when there is a question.
If you are a victim, report it to the Internet Crime Complaint Center (IC3). The more examples of victims the government has, the easier it is to track down the source and stop the criminals.
Buy a company domain name and use a paid service to host your email. There are lots of well-priced options in this commodity business now. Free services are just not secure enough in many cases.
Do not use the “reply” option for payment or sensitive responses. Use the “forward” option and type in the addressee’s actual address from your contacts list (do not cut and paste the address from the sender’s email). Some fraudulent addresses appear to be the same as the real address at first glance.