Business Email Compromise (BEC) on the Rise - ERAI Members' emails infiltrated resulting in losses

Anne-Liese Heinichen
ERAI, Inc.

ERAI has recently reported multiple cases of suppliers' emails being hijacked or infiltrated resulting in multiple Buyers losing over $35,000.00 in just over one week alone.

According to federal investigators, this is a common swindle that targets companies who routinely conduct international transactions through wire transfer payments. Business email compromise, or BEC, has been a growing concern for the Federal Bureau of Investigation (FBI) and the Internet Crime Complaint Center (IC3) who have recently released notices advising companies to exercise due diligence when making payments, even to trusted and recurring suppliers with whom companies have long-standing relationships.

The three cases of business email compromise seen by ERAI were:

Case 1
A buyer placed an order with a US-based supplier. Unbeknownst to the supplier, their email account had been infiltrated and communications were being intercepted. The imposter commenced communications with the buyer and instructed the buyer to send payment via Western Union to the United Kingdom (note: the original proforma invoice indicated wire transfer in advance or credit card terms). The buyer rendered payment via Western Union. When the buyer inquired about the whereabouts of their product, the supplier advised the buyer that payment had not been received. When the buyer provided copies of email communications allegedly from the supplier, the supplier realized their email account had been compromised.

Case 2
A buyer placed an order with a supplier. Before the proforma invoice was generated, the imposter contacted the buyer instructing them to issue payment via Western Union. The buyer issued payment via Western Union and the funds were picked up by the imposter before the buyer realized they had been scammed.

Case 3
Two ERAI Members, who had a long-standing business relationship, entered into an agreement for two orders which allowed the buyer to test/inspect the product prior to payment being issued. After the first shipment was delivered, an imposter contacted the buyer stating a new bank account had been opened and requesting payment via wire transfer. The buyer replied to the email and confirmed the bank change and advised payment was released. A month later, the buyer again received a payment request for a second order; without question, the buyer released payment. Within an hour of sending the second payment, the buyer was contacted by the seller indicating their email account had been compromised and warned the buyer to cease from any further transactions. The buyer attempted to recall both wires; however, the buyer's bank advised them that as soon as funds were deposited into the fraudulent account, the monies were withdrawn.

These three cases illustrated a common scheme commonly referred to by law enforcement as "The Bogus Invoice Scheme," "The Supplier Swindle," and "Invoice Modification Scheme." This scheme involves not only email spoofing, but cases involving fraudulent facsimiles and phone calls have been documented. Many times, when emails have been spoofed/hacked/infiltrated, the emails have involved mass email providers such as Yahoo, Gmail, AOL and Hotmail; although there have been reports of scammers accessing company's internal email servers.


Tips to avoid becoming a victim of business email compromise:
  1. Employee training and awareness: Educate your employees and share these cases with your organization, from top to bottom. Make everyone aware of cyber-crime and instruct employees to delete spam emails.
  2. Pay attention to the small details: When communicating with all of your business partners (including companies with which you have a long-standing relationship), pay attention to the general language and tone, look for spelling mistake and double check email addresses. These recent incidents have shown that the fraudsters do their research and do not necessarily write badly or with grammar mistakes.
  3. Be wary of companies requesting different methods of payment: If payment instructions change, verify them with the company you are dealing with verbally.
  4. Avoid free web-based email accounts: Establish and use your own email domain.
  5. Do not use the "Reply" button: Type in the recipient's email address yourself or select the name from existing contacts.
  6. Establish a call-back protocol: Make it part of your standard operating procedure to call suppliers and verify banking information and account numbers prior to sending payment.
  7. Require two separate individuals to authorize wires/payments: Establish who and how payments are authorized.
  8. Enable two-factor authentication for emails: Hardware and software 2FA systems can provide an IT solution.
Sources:

http://krebsonsecurity.com/2015/01/fbi-businesses-lost-215m-to-email-scams/

http://www.csoonline.com/article/2874166/identity-theft-prevention/fbi-and-irs-warn-of-pervasive-maddening-business-consumer-scams.html#tk.rss_news

http://www.networkworld.com/article/2393048/malware-cybercrime/fbi-warns-businesses-man-in-the-e-mail-scam-escalating.html

Additional Resources:

http://www.onguardonline.gov – The Federal Trade Commission's website to help you be safe, secure and responsible online.

http://www.ic3.gov - The Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), accepts online Internet crime complaints from either the actual victim or from a third party to the complainant.

http://www.nw3c.org - NW3C provides a nationwide support system for law enforcement and regulatory agencies involved in the prevention, investigation and prosecution of economic and high-tech crime.



SEE MORE BLOG ENTRIES