ONE OF THE LARGEST CYBERCRIME threats in the world is called the business email compromise scheme (BEC), also known as cyber-enabled financial fraud. This attack is carried out by compromising legitimate personal and business email accounts through old-fashioned social engineering, computer intrusion techniques, and stealing usernames and passwords.
BEC criminals trick end users into either wiring them money or sending them names, dates of birth, and Social Security numbers. According to the FBI’s Internet Crime Complaint Center (IC3), the BEC scam continues to grow, evolve, and target end users of all varieties. Since the FBI started formally keeping track of BEC and its variant, email account compromise (EAC), there have been reported losses of $12 billion through June 2018.
Foreign citizens perpetrated many of the schemes, which originated in Nigeria but have since spread across the globe. Reports indicate that fraudulent transfers have been sent to one hundred and fifteen countries, with the majority going to Asian banks located in China and Hong Kong. During my career, I found instances in which money was transferred to dozens of foreign countries.
In June 2018, the FBI and Department of Justice announced a major coordinated law enforcement effort to disrupt BEC schemes that were designed to intercept and hijack wire transfers from businesses and individuals. Operation WireWire, which also included agents from the Department of Homeland Security, Department of Treasury, and the U.S. Postal Inspection Service, resulted in seventy-four arrests, including forty-two people in the U.S., twenty-nine in Nigeria, and three in Canada, Mauritius, and Poland.
The six-month operation resulted in the seizure of nearly $2.4 million and the disruption and recovery of almost $14 million in fraudulent wire transfers. Occasionally, even though it is extremely difficult, we are actually able to locate, arrest, and punish the bad guys.
I investigated hundreds of BEC cases while working for the FBI, and I saw everyone from homeowners and small businesses to healthcare companies, real estate firms, and even large corporations targeted in these scams. The worst part is that every one of these crimes could have been avoided. One of the cases I worked involved a small nonprofit organization that had a wonderful mission of funding projects to help feed children in impoverished countries.
Elena worked as the finance manager for the nonprofit, and one day her boss, Jeremy, was out of the office soliciting donations. Of course, fundraising is the lifeblood of any nonprofit, and it was Elena’s job to keep track of the money that was coming in and going out. On this day, Elena received an email from Jeremy instructing her to wire $35,000 to a bank account in West Africa as part of a humanitarian effort.
This request wasn’t particularly unusual, so Elena followed Jeremy’s instructions. She called the bank and directed someone there to wire the money to the account in West Africa.
During their conversation, the bank representative warned Elena of something called a business email compromise and questioned whether a cybercriminal might be impersonating her boss. Elena assured the banker that it was a legitimate transaction and there was nothing to worry about.
The following week at a management meeting, Elena provided an update of the money that had been raised and where it had been sent for humanitarian projects. When Elena mentioned the $35,000 wire transfer to West Africa, Jeremy interrupted her with a puzzled look.
“Where did you send $35,000?” Jeremy asked. “And why did you send it there?”
Elena was surprised by Jeremy’s concerned tone and wondered if he had simply forgotten. She explained that she’d received his email, which included instructions for wiring the money to a bank account in West Africa. When Jeremy claimed he’d never sent Elena such an email, she pulled out her laptop and showed him the email.
Jeremy opened his outbox, which didn’t contain the email in question. Upon further examination of the header pulled off the email in question, it became clear what had happened. Jeremy’s email address was [email protected] (used only for example); the email Elena received was from [email protected].
It might take you a second to notice the difference, but that’s exactly what cybercriminals want to happen. It’s such a subtle disparity that most people would probably never recognize it. In most instances, we don’t pay close attention to the addresses on the emails we receive—especially if they’re from someone we know. Jeremy was obviously upset and confused, so he took his anger out on Elena.
Jeremy called the bank and demanded it take action, but the only thing the bank could do was attempt to recall the wire transfer. Sadly, your chances of recalling an international wire transfer after twenty-four hours are slim to none. Then the banker explained to Jeremy that he’d warned Elena about BEC scams when she called to request the wire transfer. Things weren’t getting better for her.
While investigating this case, I discovered the nonprofit organization was not utilizing two-factor authentication, and the bad guy had gained access to Jeremy’s email account—probably through password reuse or a keystroke logger. The thief read Jeremy’s emails and figured out how the organization conducted business, and he quickly realized that he only needed to send Elena an email with wire transfer instructions to steal the nonprofit’s money.
The cybercriminal then registered a lookalike domain (the company name after the @ symbol in an email address) to mimic the nonprofit’s actual domain. When Elena received the email from Jeremy, she reasonably assumed it was from him and had the bank wire the money.
During the course of our investigation, we discovered the crook was using a free web hosting service. We served the web hosting company with a federal grand jury subpoena, but the only breadcrumb of a clue was the IP address, which is almost always registered in West Africa.
The bad guys are smart enough not to provide their actual names and addresses when they register phony websites. In the old days, the easiest way to catch a crook was to follow the money. Today, the bad guys send stolen money to overseas bank accounts, and it’s nearly impossible to find them and recover the funds. It’s an enormous red flag for most companies to receive a request to send money overseas, so the cybercriminals recruit mules in the U.S. to do their dirty work.
Mules are witting or unwitting accomplices who facilitate transfers to overseas banks or, in some cases, receive stolen money into their domestic accounts and then wire the money to the thief from there. Mules who knowingly participate in the scam receive a small fraction of the stolen money for their trouble.
The largest victim of a BEC scheme that I ever worked with was a small company that lost $7.5 million. The company’s chief executive officer was traveling overseas, and a bad guy spoofed an email to the finance manager that was allegedly from the CEO.
In the email, the impostor claimed he’d been forced to set up a new email account because he was out of the country and couldn’t trust the network security in his hotel. The impostor told the finance manager that he was working on a highly sensitive business transaction, and he directed the manager to await instructions from an attorney who would tell him how to proceed.
A few hours later, the finance manager received an email from the attorney and then followed instructions to wire transfer $7.5 million to a bank in Hong Kong. To make matters worse, the CEO and finance manager didn’t talk for the next two weeks.
By the time the CEO returned to the U.S. and discovered that his company had been victimized, it was too late to take action. I’ve seen numerous cases in which money was sent to banks in Hong Kong and China, where banking and privacy laws make it nearly impossible to obtain information, even for law enforcement. Their laws allow cybercriminals to act with impunity.
Why was it so easy for cybercriminals to pull off a $7.5 million heist?
Unfortunately, we tend to trust what’s included in our emails, and we rarely verify their contents by calling the sender on the phone. Cybercrooks have been able to swindle $12 billion through BEC schemes. This not only harms victims but also severely damages the global economy. There’s a pretty simple solution: we must stop assuming every email can be trusted. I’ve had vendors approach me about products that are allegedly like silver bullets that supposedly reduce risk by keeping emails secure.
However, I don’t think you should take a bad business process, wrap it in technology, and hope for the best. Instead, let’s create a policy that prohibits money from being transferred based on what someone’s read in an email or text message. Let’s require anyone wiring money to bank accounts in the U.S. or overseas to receive verification—either over the phone or in person. While it might seem like common sense for many people, that simple business practice would have prevented several of the problems I’ve discussed.
I hate to say it, but that change might not be enough to eliminate BEC scams. The bad guys are constantly identifying weak business practices and inventing devious ways to exploit them. I’ll give you a good example: In my years at the FBI, I’d receive a flurry of calls from panicked CEOs or in-house accountants prior to April 15, which is the annual federal tax deadline for U.S. citizens.
It happened every year because the crooks had undoubtedly devised a new way to exploit office managers, human resource officers, accountants, and anyone else working in payroll and taxes. In one case I investigated, a cybercriminal targeted a human resources department with a spoofed email that was supposedly sent from a company executive.
The impostor requested every employee’s personally identifiable information and W-2 form for tax and audit purposes. In one week, I received phone calls from people at seven different companies that were victimized by this specific BEC scam.
In each instance, the victims sent their employees’ sensitive information to the cybercriminals, and they couldn’t understand why they were targeted since they didn’t maintain employee information on their company websites. They were amazed when I showed them how the bad guys were able to target their workers through LinkedIn and other social media.
Is this common practice in most businesses? What would the new HR officer in your company do if he or she received an email from the boss asking for this information? It only takes a phone call or face-to-face meeting to prevent something bad from happening.
One of the most frustrating aspects of investigating cybercrime for the FBI was that, as soon as we educated the public on one type of BEC scam, the bad guys came up with another variation. It was almost impossible to keep up! In another case I investigated, Company X purchased an expensive widget from Company Y for $3.5 million.
Once the transaction was approved, someone from Company Y emailed an invoice for $3.5 million to the accounts payable department at Company X. This type of transaction occurs in corporate America thousands of times every day. Company X’s accounts payable department was aware the invoice was coming, so the clerk started the process of arranging the payment.
About an hour later, however, the clerk received another email from Company Y, which informed her that the initial invoice was incorrect and the company had been mistakenly overcharged $3,000. A second invoice containing the correct amount was being sent right away. So, what did the accounts payable clerk do? You guessed it.
She started the process of paying the lesser total; five levels of management had to sign off on such a large invoice. Each person in the chain of command approved the payment, and, after the company’s top manager signed off, she initiated a wire transfer from Company X to Company Y for $3.497 million.
About ten days later, an accountant from Company Y sent an email to the accounts payable clerk at Company X with a friendly reminder about the outstanding $3.5 million balance. Obviously, the email caused quite a stir at Company X. The employees there checked the original email to see where the money was sent, and they discovered it was wired to Company Y’s bank account in the Middle East.
There was only one problem: Company Y didn’t have a bank account in the Middle East! By the time someone from Company X called me to help, it was too late. The bad guys had already withdrawn the money from the bank account they controlled. And, due to the country’s bank privacy laws, the bank wouldn’t share information without a mutual legal assistance treaty that required me to get approval from the U.S. Department of Justice—something that would have taken months. My FBI colleague in that country told me he saw this type of illegal activity every day.
Company X had a $10 million cyber-liability insurance policy; unfortunately, it was told this type of fraud wasn’t covered. The fraud policy only covered a loss if there were two parties involved in the authentication of a wire transfer. However, the accounts payable clerk at Company X never contacted anyone at Company Y before the money was sent.
If she had reached out to someone there to verify the account number and new invoice total, she probably would have been told it was indeed legitimate—because she would have called the phone number on the bogus second email that the bad guys had sent. It would have been a lookalike domain that appeared to be from Company Y.
Even though she probably still would have sent the money, the act of trying to verify the wire transfer details would have been enough to activate Company X’s insurance policy. Too late.
Company X ended up spending $50,000 on private investigators who tried to track the criminals down. Guess what the investigators discovered? The cyberthieves had taken over a high-ranking employee’s email account at Company X because the company didn’t use two-factor authentication.
The bad guys read his emails and discovered that Company Y was getting ready to send an invoice for $3.5 million. They set up a forwarding rule in the company’s email system and, when Company Y sent the invoice to Company X, they intercepted the email and sent the fraudulent invoice.
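The forwarding rule described above is something a mail administrator can hunt for before an invoice is diverted. The following Python script is an added example, not code from the book or from any company it describes. It scans a constructed, simplified set of inbox rules (the InboxRule field names are assumptions for the example, not a particular mail platform’s export format) and flags rules that forward to external addresses, forward and then delete the original, key on invoice-related terms, or carry a blank or punctuation-only name.

```python
"""Audit mailbox inbox rules for silent forwarding of invoice traffic.

Added example (not from the book or from the companies it describes).
The InboxRule shape and SAMPLE_RULES are constructed; a real audit would
export rules from the mail platform into this structure first.
"""
from dataclasses import dataclass, field

# Terms a BEC actor tends to key rules on so that vendor mail is diverted
# before the mailbox owner sees it.
INVOICE_TERMS = ("invoice", "wire", "payment", "remittance", "bank")


@dataclass
class InboxRule:
    mailbox: str                                    # mailbox the rule lives in
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    delete_message: bool = False                    # matched mail is deleted
    subject_contains: list = field(default_factory=list)
    body_contains: list = field(default_factory=list)


def domain_of(address):
    return address.rpartition("@")[2].lower()


def find_suspicious_rules(rules, internal_domains):
    """Return (mailbox, rule name, reasons) for every rule an analyst should review."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule.forward_to if domain_of(a) not in internal]
        if external:
            reasons.append("forwards to external address: " + ", ".join(external))
        if rule.forward_to and rule.delete_message:
            reasons.append("forwards and then deletes the original, hiding it from the owner")
        conditions = rule.subject_contains + rule.body_contains
        hits = [c for c in conditions if any(t in c.lower() for t in INVOICE_TERMS)]
        if hits and (rule.forward_to or rule.delete_message):
            reasons.append("diverts invoice-related mail matching: " + ", ".join(hits))
        if not rule.name.strip(" ._-"):                 # heuristic: obfuscated rule name
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append((rule.mailbox, rule.name, reasons))
    return findings


SAMPLE_RULES = [  # constructed sample data
    InboxRule("cfo@companyx.example", "Newsletters",
              subject_contains=["weekly digest"]),          # benign folder rule
    InboxRule("cfo@companyx.example", ".",
              forward_to=["billing.companyy@webmail.example"],
              subject_contains=["invoice"], delete_message=True),  # the BEC pattern
    InboxRule("ap@companyx.example", "Travel copies",
              forward_to=["travel@companyx.example"],
              subject_contains=["itinerary"]),             # internal forward, benign
]


def audit_sample():
    """Run the audit over the constructed rules; companyx.example is the internal domain."""
    return find_suspicious_rules(SAMPLE_RULES, ["companyx.example"])


if __name__ == "__main__":
    for mailbox, name, reasons in audit_sample():
        print(f"{mailbox}  rule {name!r}")
        for reason in reasons:
            print("   -", reason)
```

Only the second rule is reported, with all four reasons. Running a check like this on a schedule, and alerting when a new rule appears on a finance or executive mailbox, catches the setup step of this scam rather than its payout.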
As a result of this very expensive lesson, the accounts payable clerk was fired (because someone always gets fired in cases like these). But was the right person terminated? Did Company X have a policy in place that required voice confirmation whenever a bank account number was changed? The clerk was only doing her job.
If the company had used two-factor authentication, the bad guys would have never cracked into the high-ranking employee’s email to know the transaction was about to take place. Furthermore, one of my sources at the company told me the information security manager proposed requiring two-factor authentication about a year before the incident.
Upper management rejected his recommendation because it didn’t want to spend the money and time on something that was such “a pain in the rear” to use.
So, I’ll ask the question again: Was the right person fired?
HOW TO AVOID BECOMING A VICTIM
Implement two-factor authentication for any wire transfer.
Never send a wire transfer based on the contents of an email; call someone directly or meet face-to-face with the person initiating or invoicing the wire transfer to verify the payment details.
Utilize two-factor authentication for company email. Most BEC scams are successful because cybercriminals gain access to employees’ email accounts.
Before wiring the money, verify the bank account and routing numbers with account numbers you have on hand. If it’s the first transaction with a new vendor, call someone at the company to verify the bank information.
If you’re calling someone at a new vendor to verify bank information, call a phone number you have on hand or search for the number in a directory. Don’t call the number included in the email.
Compare the email address on invoices with email addresses you’ve previously received from the company. Verify that the invoice wasn’t sent from a spoofed email account.
When replying to a suspicious or mission-critical email, use your email program’s Forward button instead of Reply. Then, type in the known email address of the person who allegedly sent you the message. By forwarding instead of replying to the message, you protect yourself from replying back to an illegitimate email from a spoofed account.
Register any company domains that might be slightly different than your actual company domain. For instance, if your company’s domain is jerrysbagels.com, then register jerrysbagels.co, jerrybagels.com, and jerrysbagles.com. This will help prevent cybercriminals from registering spoofed domains.
Establish one-time passwords or security questions for employees who might be traveling and might not have access to their phones. If an employee requests a wire transfer from the road, require that he or she provide the password or answers. Make sure the passwords and questions are strong.
If you receive emails containing the phrases “code to admin expenses” or “urgent wire transfer,” be extra diligent about verifying their legitimacy. Victims of previous BEC scams reported those phrases were included in spoofed emails.
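Two things on this list, comparing sender addresses with ones you have previously received and anticipating lookalike variants of your own domain, can be automated, and the same check would have caught the one-character difference in Jeremy’s address earlier in the chapter. The Python script below is an added example and is not from the book. It generates the kinds of variants the checklist describes for jerrysbagels.com (a truncated top-level domain, a dropped character, transposed neighbours, a digit or similar glyph in place of a letter), then screens a constructed list of From headers against a list of known domains, flagging anything that matches a generated variant or sits within two edits of a known domain. The known-domain list and sample headers are constructed for the example.

```python
"""Screen sender domains for lookalikes of domains you already trust.

Added example (not from the book). KNOWN_DOMAINS and SAMPLE_FROM_HEADERS
are constructed sample data; jerrysbagels.com is the domain the checklist uses.
"""
from email.utils import parseaddr

TLD_SWAPS = ("com", "co", "net", "org")
# Characters that are easy to mistake for one another in a mail client.
HOMOGLYPHS = {"m": ("rn",), "w": ("vv",), "l": ("1", "i"), "i": ("l",), "o": ("0",)}


def typosquat_variants(domain):
    """Return the lookalike domains someone might register for `domain`."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    for alt in TLD_SWAPS:                                         # jerrysbagels.co
        if alt != tld:
            variants.add(f"{label}.{alt}")
    for i, ch in enumerate(label):
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")          # jerrybagels.com (dropped char)
        if i + 1 < len(label):                                    # jerrysbagles.com (swapped pair)
            variants.add(f"{label[:i]}{label[i + 1]}{ch}{label[i + 2:]}.{tld}")
        for sub in HOMOGLYPHS.get(ch, ()):                        # jerrysbage1s.com (look-alike glyph)
            variants.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    variants.discard(domain.lower())
    return variants


def edit_distance(a, b):
    """Levenshtein distance, used to catch variants the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Pull the domain out of a From header such as 'Jeremy <jeremy@example.com>'."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def classify_sender(from_header, known_domains):
    """'known' = exact match, 'lookalike' = near a known domain, 'unknown' = neither."""
    domain = sender_domain(from_header)
    known = {d.lower() for d in known_domains}
    if domain in known:
        return "known"
    for kd in known:
        if domain in typosquat_variants(kd) or edit_distance(domain, kd) <= 2:
            return "lookalike"
    return "unknown"


KNOWN_DOMAINS = ["jerrysbagels.com"]           # constructed trusted-domain list
SAMPLE_FROM_HEADERS = [                        # constructed sample headers
    "Jeremy <jeremy@jerrysbagels.com>",        # genuine
    "Jeremy <jeremy@jerrysbagles.com>",        # transposed letters
    "Jeremy <jeremy@jerrysbagels.co>",         # truncated top-level domain
    "Jeremy <jeremy@jerrysbage1s.com>",        # digit 1 in place of letter l
    "Accounts <ap@somevendor.example>",        # unrelated sender
]


def screen(headers, known_domains=KNOWN_DOMAINS):
    """Classify every header; anything not 'known' deserves an out-of-band phone call."""
    return [(h, classify_sender(h, known_domains)) for h in headers]


if __name__ == "__main__":
    for header, verdict in screen(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9s} {header}")
```

The variant generator doubles as the list of domains to register defensively, and the screening function is the automated version of eyeballing the address. A "lookalike" verdict is a prompt for the phone call the checklist requires, not proof of fraud: two legitimately distinct companies can have domains within a couple of edits of each other.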