SAFEChecks Advises on BEC Scam Avoidance

Cynthia Belzl, Operations Officer

Greg Litster of SAFEChecks has provided RBJ Software, Inc. some great information about scams that plague the world, otherwise known as Business Email Compromise (BEC).  Mr. Litster has authorized RBJ to share this information as posted below:

BEC Scams and Corporate Impostor Fraud
The Business Email Compromise (BEC)  is a sophisticated email scam in which the attacker assumes the role of the boss, a supervisor, a customer, or a vendor.  The purpose is to trick an employee at the victim organization into believing it is a legitimate communication.  The request in the email is to send funds that are directed into an account controlled by the scammer.  The most frequently impersonated person is the Chief Executive Officer (CEO) and the second, the Chief Financial Officer (CFO).
 
According to FBI statistics released in May 2017[1][1], BEC losses worldwide between October 2013 and December 2016 were $5.3 Billion.  There were 40,203 incidents adversely impacting 22,292 U.S. victims and 2,053 non-U.S. victims. 
 
To put this in perspective, losses worldwide between October 2013 and December 2014, BEC scams claimed 1,198 U.S. victims and 938 non-U.S. victims, with losses totaling $214 Million worldwide.  Between January 2015 and December 2016, losses increased by 2,370%[2][2]. This scam has been reported in all 50 states and in 131 countries. 
 
Based on the financial reporting data, the primary destinations of fraudulently transferred funds are Asian banks located in China and Hong Kong, followed by financial institutions in Europe.
 
There are five basic BEC scam scenarios:
 
Scenario 1: Businesses Working with Foreign Suppliers
A business that typically has a longstanding relationship with a supplier is requested to wire funds for an invoice payment to an alternate account. The request may be made via telephone, facsimile, or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears legitimate.
 
Scenario 2: Executives Receiving or Initiating a Request for a Wire Transfer
The e-mail accounts of high-level business executives (Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, etc.) are compromised. A request for a wire transfer from the compromised e-mail account is made to an employee within the company who is responsible for processing these requests.
 
Scenario 3: Business Contact Receives Message from Hacked E-mail Account
An employee of a business has his or her e-mail compromised. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee’s e-mail to multiple vendors. The business may not become aware of the fraudulent requests until a vendor calls asking for payment of an allegedly paid invoice.
 
Scenario 4: Business Executive and Attorney Impersonation
Victims report being contacted by fraudsters who often identify themselves as lawyers or representatives of law firms.  They claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or confidentially in handling the transfer of funds.
 
Scenario 5: W-2 Data Theft
Fraudulent requests for all employees' W-2s or personal employee information are sent to the human resources department, bookkeeping, or treasury. Victims  have fallen for this new scenario even after they were able to successfully avoid the traditional BEC money transfer scam. This data theft BEC scam first appeared just prior to the 2016 tax season.
 
Real Estate Sales Transactions
This scam targets all participants in real estate transactions, including buyers, sellers, agents, and lawyers. The FBI saw a 480% increase in the number of complaints in 2016 filed by title insurance companies that were the primary target of thi BEC scam. BEC perpetrators submit a fraudulent request for a change in payment type (from check to wire transfer), or a change from one account number to another account controlled by the scammer. The scammers are somehow able to monitor the real estate proceedings and time the change request just before the closing.
 
Evolution from the Original Scheme
The FBI saw a 50% increase in the number of complaints in 2016 filed by businesses working with international suppliers. The original scam described in 2014 has become more sophisticated.  For example, instead of requesting a change for one single payment, BEC perpetrators changed the remittance instructions to redirect ALL future invoice payments.  These fraudulent requests have been perpetrated using spoofed e-mail accounts or domains and replicated company letterhead.
 
Sophisticated cyber criminals infiltrate a company’s computer system and access its customer receivable database.  They then send bogus change-of-bank/change-of-remittance notifications to a few high-value customers. The fraudulent notices include specific instructions to remit payment to a new PO Box or to a new bank with updated wiring instructions that the scammer controls. 
 
They also access the company's supplier payable database and change the remittance instructions.  The payment to the supplier goes to the PO Box or account the scammer controls. 
 
Selecting Their Victims
While it is not completely known how BEC scammers select their victims, using social media is one obvious method. When companies issue social media posts that include the events that key executives will be attending or speaking, scammers know that executive will be out of the office. 
 
Social media tools such as LinkedIn can be used to identify individuals responsible for financial transactions.  The scammers learn the procedures or protocols for funds transfers within that business. This is sometimes achieved by hacking into the targeted company's computer system and observing communications among and between key individuals, as well as with their bank.
 
VoIP Phone Systems
Very few organizations know that VoIP phone systems are vulnerable to hacking.  If cyber criminals hack into the computer system, they can eavesdrop on any conversation, including conversations with the organization's bank.  They learn the organization's responses when the bank calls back to confirm outgoing wires. The hackers then send a fraudulent wire request from the infected computer after changing the vendor’s bank information to a bank account the hackers control. 
 
Immediately before sending the wire, the hackers reprogram the company's VoIP phone system to re-rout incoming calls from the bank to an accomplice who confirms the fraudulent wire.  For this reason, confirmation calls from the bank should be made to a cell phone; a best practice known as "out-of-band authentication."
 
The Case of a Hacked VoIP System
In a recent Los Angeles case, a company with a VoIP phone system was hacked.  Its bank had a policy of confirming foreign-bound wires and also re-confirming repetitive wires with a change-of-bank.  When the hackers requested a wire to a foreign supplier with a change-of-bank, the bank called to confirm the wire and the supplier's bank account change.  The VoIP phone system had been reprogrammed to re-rout the in-bound call from the bank to an accomplice to confirm the wire.  The accomplice confirmed the wire but was unable to give the correct responses to the change-of-bank questions. 
 
After not getting the correct responses, the banker hung up and called the company again. The call was again re-routed; the bank was again given an incorrect response to the questions. The banker hung up and called the company's CFO on his cell phone. The CFO stated that the wire was not authorized and that the company had not received any calls from the bank that morning.  An in-depth security inspection of the company's computer system revealed the hacking intrusion.  The bank’s policy of verifying bank changes on repetitive wires prevented the company from suffering a significant loss.  Because banks are not responsible for a customers' computer security, they have no liability for losses from a cyber-attack. 
 
An Escrow Company’s Email System is Hacked
A title insurance company emailed a preliminary title report to an escrow agent. The report included the title company's bank wiring instructions. The escrow agent’s email had been hacked, allowing the fraudster to open the title officer’s email attachment and alter the title company's bank information.  When the transaction closed, the escrow agent wired funds according to the altered instructions she had received. The funds went to the hacker and were not recovered.  The investigation that followed revealed the title company's original email and attachment were intact; the escrow company suffered a significant loss. 
 
These are prime examples of why buying a cyber-crime insurance policy makes sense.
 
Corporate Impostor Fraud: Imitating A Legitimate Business
Corporate Impostor Fraud is the unlawful use of a company’s name and information to obtain money, goods, or services.
 
In a case first reported in March 2017, a Lithuanian man stole $100 million from two US-based multinational technology companies.  He registered a company in Latvia which bore the same name as an Asian-based computer hardware manufacturer.  He opened accounts in its name at several banks using fraudulent documentation.  He then set up fake email accounts, and sent phishing emails to agents of the victim companies that regularly conducted multimillion-dollar transactions with the Asian company.  The scam lasted for two years.
.
The bogus emails, which purportedly were sent by employees of the Asian firm, were actually sent by the fraudster using email accounts that appeared authentic.  He gave instructions directing that payment for legitimate goods and services be sent to the accounts he had opened.  He then wired the money into different bank accounts around the world - including banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong. To deceive the banks and appear legitimate, he created bogus invoices, contracts, and letters.
 
Avoiding the Scam
If sophisticated multinational technology companies can get scammed for $100 million, what strategies should smaller organizations implement? Smaller companies are frequently targeted because they have fewer legal and financial defenses than large corporations. 
 
This especially includes family-owned businesses with strong credit ratings.  Such companies are easily identified through credit reporting agencies that willingly sell business credit reports that can be sorted based on financial strength.  Owners and officer’s names are often included in credit reports.  State government secretaries of state, and departments of corporations are also sources for owner and officer information. 
 
Prevention Strategies
There are numerous solutions for preventing various types of BEC scams and Corporate Impostor Fraud.  The overarching theme is awareness through education, proper payment protocols, and continual vigilance. Here are some techniques:
 
·       Education is critical.  Educate employees at all levels, starting with executives.  Getting executives' buy-in that instructs mid-level employees to confirm all urgent payment requests is crucial to avoiding losses. 
 
·       Youtube.com has an abundance of videos on various business scams including several describing BEC scams and prevention strategies.  One of the best is a 10-minute video by Guardian Analytics: https://www.youtube.com/watch?v=LfGaDd7-dlk.


·       Mid and lower-level employees are the primary targets of BEC scams. Employees should be instructed by senior management to challenge and confirm any urgent request to do something outside normal channels or standard company procedures.
 
·       All changes of remittance address, bank wiring, or ACH instructions must be verified with your vendor. CALL to verify any change of payment instructions.  Use the contact information on file.  Never call the phone number on the document that requested the change.  


·       Use dual controls (two computers, two passwords) when originating and releasing wire transfers or ACH payments.  Always release funds using a "clean" computer that is used only to connect to the bank. To ensure there are no viruses, that computer should never be used for email or web searches. 


·       Banks should verify any bank or account number change on outgoing repetitive wires by calling their clients using a trusted phone number. A bank in Texas implemented this protocol, and in the first months it stopped a BEC scam wire for $900,000 going to China and another wire for $1,400,000 to Eastern Europe. All banks have protocols to authenticate wire transfers; few have established protocols to monitor their customers' bank changes on repetitive outbound wires, but they should.


·       To prevent check fraud losses, use Positive Pay with Payee Name Match, and high security checks with at least 10 security features; more security features are better.  The checks I designed for SafeChecks have never been replicated or used in a scam, in over 20 years.


Because nothing is 100% secure, buy check fraud and cyber crime insurance. 
 
 
Common BEC Scam Strategies

  • Spoofing legitimate email addresses, using an address similar to the targeted business’ address, including PO Boxes. 
  • Stressing urgency, requesting that the funds transfer be done “ASAP”.
  • Impersonating the CEO or CFO, who is in a meeting and cannot be interrupted.
  • Sending fraudulent e-mails when executives are traveling and the request can't be verified.
  • Using the well-known and frequently-used phrase “Sent from my iPad” instead of a corporate email signature. This trick is particularly effective because it "excuses" poor English, misspellings, or lack of a legitimate email signature.  It also helps reinforce the sense of urgency because if it wasn't critical, the sender would have waited until he/she was in the office.

Click here to view the FBI Public Service Announcement on BEC

Click here to view a youtube video further explaining the BEC scam