The FBI has recently issued a renewed warning about what it calls the Business Email Compromise, a scam aimed at companies that pay foreign suppliers by wire transfer.
Like so many scams and security breaches, from the one at Target to the recently discovered data breach at the Office of Personnel Management (OPM), this scam generally starts with socially engineered phishing. Phishing occurs when someone receives an email that lures the recipient into downloading an attachment containing malware, or into clicking a link in the email that silently downloads malware. Once installed, that malware lets the hacker steal information from the unwitting recipient's computer.
Phishing emails can easily be made to appear as if they are coming from legitimate sources, such as banks, government agencies, insurance companies or others with which the targeted companies do business. It takes little talent to create a counterfeit logo on an email to make the email look official.
In one version of the Business Email Compromise scam, the scammers use information stolen through the malware delivered by the phishing emails to pose as an executive of the targeted company, or as one of its third-party vendors. Posing as that person, they instruct someone within the company, by phone call or email, to wire money to a bank account that purports to serve a legitimate purpose, or even to pay a third-party vendor with which the targeted company already has an established business relationship. In this case, the wired funds may then pass through several money-laundering transfers before ending up, according to the FBI, at banks in China or Hong Kong.
The Business Email Compromise is a major problem for businesses around the world, and according to David Pollino, the Fraud Prevention Officer at Bank of the West, it is not just large companies that are falling victim to this scam. As small and medium-sized companies expand both domestically and internationally, they too are becoming targets. Worldwide losses attributed to this scam between October 2013 and August 2014 totaled more than 1.2 billion dollars.
In one of the more recent incarnations of this scam, criminals posing as lawyers contact targeted company executives, claim to be handling important, confidential or extremely time-sensitive matters, and apply psychological pressure to trick the executive into wiring the funds to the scammers. Scam artists often have a knowledge of psychology of which Freud would have been envious, and armed with the information about the targeted company and its employees that they have gathered through the malware downloaded from earlier phishing emails, convincing the targeted company executive to authorize an immediate wire transfer of funds becomes an easy task.
In another version of this scam, the scammers use information harvested from the company's computers through malware to send an email invoice that mimics the invoices of a legitimate third-party contractor with which the targeted company does business. However, in this case the company is directed to wire the money to a new bank account. Such an invoice would take intense scrutiny to notice any differences that would alert the targeted company that it is a scam.
In yet another variation of this scam, an employee with the authority to wire company funds receives an email that appears to come from a high-ranking executive of the company, instructing the employee to wire funds to the bank account of the scammer. In this case, the email may actually come from the account of the CFO or other officer from whom it appears to originate, because the scammers have managed, through an initial phishing email, to take over the email account of that high-ranking executive.
In a fourth version of this scam, the email account of someone within the targeted company who sends out bills and invoices to other companies is taken over and used to send those companies legitimate-appearing invoices that have been altered to direct payment by wire to a newly designated bank account. Again, it would take intense scrutiny to notice anything wrong with this phony invoice, which is sent from someone with the authority to send such an invoice.
So what should companies do to protect themselves from these scams?
David Pollino suggests that companies develop an approval process for large transactions that requires the approval of two or more executives for large wire transfers. He also urges companies to use multiple means of communication to verify that requested wire transfers are legitimate. If the initial request came in through an email, use the telephone, at a number already known to be correct, to confirm that the invoice is legitimate; if the initial request came by telephone, use an email address already known to be legitimate to confirm the invoice.
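The controls just described (dual approval for large transfers, confirmation through a different channel than the request arrived on, using contact details already on file) and the "new bank account on a familiar invoice" pattern from the earlier variants can be expressed as a release gate that an accounts-payable system runs before any wire goes out. The code below is an added illustration, not code from the article, the FBI or Bank of the West. The vendor master record, the threshold of 10,000, the channel names "email" and "phone", and every account number, phone number and address in it are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VendorRecord:
    # Trusted data from the company's own vendor master file.
    # Nothing here ever comes from the invoice or email being evaluated.
    name: str
    account_id: str
    known_phone: str
    known_email: str


@dataclass
class WireRequest:
    vendor: str
    amount: float
    destination_account: str                 # account named on the invoice/email
    requested_via: str                       # channel the request arrived on: "email" or "phone"
    approvals: Set[str] = field(default_factory=set)  # distinct approver IDs
    verified_via: Optional[str] = None       # channel used to confirm, if any
    verified_contact: Optional[str] = None   # phone number / address actually used to confirm


# Assumed policy threshold for "large" transfers; not a figure from the article.
LARGE_TRANSFER_THRESHOLD = 10_000.0


def evaluate(request: WireRequest, vendor_master: Dict[str, VendorRecord]) -> Tuple[bool, List[str]]:
    """Return (release_ok, reasons). Any reason blocks the wire."""
    reasons: List[str] = []
    vendor = vendor_master.get(request.vendor)

    # Variant 2 and 4 of the scam: a familiar invoice that names a new account.
    if vendor is None:
        reasons.append("vendor not in master file")
    elif request.destination_account != vendor.account_id:
        reasons.append("destination account differs from vendor master (new account on invoice)")

    # Dual control: two or more distinct executives for large wires.
    if request.amount >= LARGE_TRANSFER_THRESHOLD and len(request.approvals) < 2:
        reasons.append("large transfer requires approval by two or more executives")

    # Out-of-band verification: confirm on a different channel than the request
    # came in on, and only at the contact already on file (never one supplied
    # in the request, which an attacker controls).
    if request.verified_via is None or request.verified_via == request.requested_via:
        reasons.append("not confirmed through a channel different from the request")
    elif vendor is not None:
        expected = vendor.known_phone if request.verified_via == "phone" else vendor.known_email
        if request.verified_contact != expected:
            reasons.append("confirmation used a contact not on file for the vendor")

    return (not reasons, reasons)


# Constructed vendor master with one supplier on file.
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "Acme Components": VendorRecord(
        name="Acme Components",
        account_id="GB00EXAMPLE0001",
        known_phone="+44 20 0000 0001",
        known_email="ap@acme.example",
    ),
}


def legitimate_request() -> WireRequest:
    # Emailed invoice, usual account, two approvers, confirmed by phone at the number on file.
    return WireRequest("Acme Components", 25_000.0, "GB00EXAMPLE0001", "email",
                       {"cfo", "controller"}, "phone", "+44 20 0000 0001")


def altered_invoice_request() -> WireRequest:
    # Same vendor name, but a new account, one approver, and a "confirmation"
    # made at a number taken from the email itself.
    return WireRequest("Acme Components", 25_000.0, "HK00EXAMPLE9999", "email",
                       {"cfo"}, "phone", "+852 0000 0000")


def replied_to_email_request() -> WireRequest:
    # Executive-impersonation variant: staff "verified" by replying to the
    # same email thread, which the attacker may control.
    return WireRequest("Acme Components", 25_000.0, "GB00EXAMPLE0001", "email",
                       {"cfo", "controller"}, "email", "ap@acme.example")


if __name__ == "__main__":
    for req in (legitimate_request(), altered_invoice_request(), replied_to_email_request()):
        ok, why = evaluate(req, VENDOR_MASTER)
        print("RELEASE" if ok else "HOLD", why)
```

The gate deliberately compares the invoice's account against the vendor master and the confirmation contact against the number or address on file, so that nothing the incoming email supplies can satisfy its own check; a "new account" or a "call me at this number" in the request is exactly what the scam relies on.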
Of course, one of the best things that companies, and all of us as individuals, can do to protect ourselves from so many phishing-related scams is to constantly remind ourselves not to click on any link in an email or text message unless we have confirmed that it is legitimate. Trust me, you can't trust anyone.