The Federal Bureau of Investigation (FBI) recently issued a warning regarding a new e-mail fraud campaign targeting businesses. The sophisticated scam, known as the Business E-Mail Compromise (BEC), has reportedly targeted more than 2,000 victims and caused more than $2 million in losses thus far.
The scammers specifically target businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. To date, the FBI has received complaints from every state in the United States and across a range of industries.
There are several versions of the BEC fraud. In one common scam, a business, which often has a long-standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account. Another scam involves hacking into the e-mail accounts of high-level business executives and using the compromised account to send a wire transfer request either to a second employee within the company who is normally responsible for processing these requests, or directly to the financial institution.
According to the FBI, the perpetrators of the BEC scam are fairly sophisticated and, therefore, more difficult to detect. The e-mail requests for a wire transfer are well written and specific to the business being victimized. In addition, the dollar amounts requested are similar to normal business transaction amounts.
Prior to initiating the fraud, the perpetrators monitor their selected victims to determine the individuals and protocol necessary to perform wire transfers within a specific business environment. They may also send “phishing” e-mails to obtain additional details regarding the business or individual being targeted (e.g., name, travel dates, etc.).
The BEC scam can not only cause financial losses but also harm business relations. With this in mind, below are several tips to help avoid falling prey:
- Avoid using free, web-based e-mail accounts to conduct business.
- Beware of what your business posts to social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details.
- Train employees not to open e-mail from unknown senders, click on links in the e-mail, or open suspect attachments.
- Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Implement comprehensive written policies regarding wire transfer requests that specifically address how to handle requests to change a wire recipient’s account information, requests to add a new recipient, or requests that take place outside of the normal channels. Add a training component to help ensure employee compliance.
If you have any questions about this post or would like assistance with your data security efforts, please contact me or the Scarinci Hollenbeck attorney with whom you work. To learn how Scarinci Hollenbeck can be of assistance, please visit Scarinci Hollenbeck Cyber Security and Data Protection Law Practice.