Don’t Fall Victim to the Business E-mail Compromise Scam

West African organized-crime rings have been targeting U.S. businesses with “business e-mail compromise” scams that are costing firms millions of dollars every year.

Losses to businesses that are targeted by these scams hit an all-time high in the first quarter of 2018, with $685 million in losses reported by 4,081 victims. That’s more than the amount lost for all of 2017 in such scams: $675 million.

The gangs send fake messages to businesses’ finance departments purporting to be a vendor for the company with an invoice requiring payment.

These criminals do research before targeting companies, meaning they go to company websites and look for the right people to send e-mails to. They may even pull annual reports and find what companies they do business with, and then spoof those accounts (meaning they impersonate other firms in the e-mails).

Some criminals will fake a CEO’s e-mail account and e-mail that company’s finance office ordering payment to a certain account. In one case cited by Dow Jones Newswires, a real estate attorney received an e-mail from the purported sellers of a local property asking the lawyer to wire the proceeds of the sale to the criminals’ bank account. The lawyer wired $246,218.83 to the scammers.

The main scams

Money request via the compromised account of company exec

  1. A criminal compromises or spoofs the e-mail account of an executive, such as the CEO.
  2. The criminal sends a request for a wire transfer from the compromised account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the controller.
  3. The controller submits a wire payment request, as per instructions from his or her “boss.”

Invoice from a supplier via a spoofed e-mail address

A fraudster compromises the e-mail of a business user employed by their target company; for example, someone in accounts payable. This is how it’s done:

  1. The criminal monitors e-mail of the business user, looking for vendor invoices.
  2. The criminal finds a legitimate invoice and modifies the beneficiary information, such as changing the routing number and account number to which payment is to be sent.
  3. The scammer then spoofs the vendor’s e-mail to submit the modified invoice.
  4. Accounts payable, recognizing the vendor name and services provided, processes the invoice and submits a wire request for payment. 

How to avoid getting burned

  • Confirm an e-mailed monetary request purportedly from a company executive by creating a new e-mail and entering their known e-mail address; don’t reply to the suspicious e-mail as it will likely go to the criminal.
  • The e-mails typically have a similar tone, urging secrecy and expedience. Set up your e-mail gateway to flag keywords such as “payment,” “urgent,” “sensitive” or “secret.”
  • Look for odd uses of the English language. Many of the scammers are foreigners abroad.
  • Although the late-stage e-mails used in these scams may not contain malware, malicious code is often used as part of an overall scheme to initially compromise an employee’s e-mail account. So, make sure you have an effective malware detection solution in place.
  • Register all domains that are slightly different from the actual company domain.
  • Scrutinize all e-mail requests for the transfer of funds to determine if the requests are out of the ordinary.
  • Ask your accounts payable staff to get to know the habits of your customers, including the details of, reasons behind, and the amount of payments.
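The gateway keyword flagging, the reply-to warning and the lookalike-domain advice above can be combined into a simple inbound-mail triage check. The following Python is an added example, not code from the article or any vendor: it assumes the defender's own domain is held in COMPANY_DOMAIN (a placeholder), reads a raw RFC 822 message, and returns the reasons a message should be verified out of band before any funds move. The two sample messages are constructed for the example.

```python
"""Illustrative BEC triage checks for inbound mail (added example, not from the article).

Assumes the protected organisation's domain is COMPANY_DOMAIN (placeholder) and
that each message is available as a raw RFC 822 string. Sample messages below
are constructed for this example.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumption: the real company domain (placeholder value).
COMPANY_DOMAIN = "example.com"

# Keywords the article suggests flagging at the e-mail gateway.
URGENCY_KEYWORDS = ("payment", "urgent", "sensitive", "secret", "wire")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address header, '' if none."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike sender domains (exarnple.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list[str]:
    """Return the reasons a message deserves human verification (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))

    # A Reply-To that differs from From means a reply goes somewhere other than the sender.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")

    # A sender domain that is close to ours, but not ours, is a likely lookalike.
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append(f"sender domain {from_dom} resembles {COMPANY_DOMAIN}")

    # Keyword scan over subject and plain-text body for the urgency/secrecy tone.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    hits = [k for k in URGENCY_KEYWORDS if k in text]
    if len(hits) >= 2:
        reasons.append("urgency/secrecy keywords: " + ", ".join(hits))
    return reasons


# Constructed sample: spoofed executive, lookalike domain, diverted replies, urgent tone.
SUSPICIOUS = """\
From: "Pat Smith, CEO" <pat.smith@exarnple.com>
Reply-To: pat.smith@mail-relay.invalid
To: controller@example.com
Subject: Urgent payment - keep this confidential

Please wire the payment today. This is sensitive, keep it secret until I return.
"""

# Constructed sample: ordinary internal mail with nothing to flag.
BENIGN = """\
From: "Pat Smith" <pat.smith@example.com>
To: controller@example.com
Subject: Board meeting agenda

Attached is the agenda for Thursday. Let me know if anything is missing.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", triage(raw) or ["no findings"])
```

None of these checks proves fraud on its own; the point is that a message hitting two or three of them should trigger the out-of-band confirmation described above (a fresh e-mail to the known address, or a phone call) rather than a reply.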