The latest wave of business fraud takes the form of email impersonation schemes, in which perpetrators attempt to fraudulently induce employees of a business entity to execute a wire transfer. In a business email compromise (BEC) scheme, fraudsters masquerade as an authentic vendor or business partner. For example, a person with authority to initiate or execute a transaction, e.g., a C-level executive, in the victim organization receives a business email purportedly from a vendor requesting a wire transfer to a designated bank account. The innocent-looking email fools the employee because it appears to come from a legitimate business relationship. The sender address is disguised by adding, removing or changing a character or two in the legitimate address, so that the perpetrator's address is hard to distinguish from the real one at a glance. Unbeknownst to the victims, the wires typically go to overseas bank accounts, often in China, South Africa, Turkey or Japan.
In a recent public service announcement, the Internet Crime Complaint Center (IC3) reported receiving similar complaints from every state and 45 countries. The combined number of victims totaled 2,126, with combined losses of nearly $215 million. Approximately 56 percent of all victims are in the U.S., and they vary in size. Based on information from BankInfoSecurity.com, companies like Ryanair, Xoom Corp. and Ubiquiti Networks, Inc.—which reported $5 million, $31 million and $47 million in losses due to BEC fraud, respectively—may be on the list. It’s unknown how victims are selected, but the fraudsters appear to study their victims prior to initiating BEC scams.
The scheme usually isn't detected until the legitimate supplier requests payment or until the victim company's executives talk to each other to reconcile payments. This type of fraud is sophisticated but nontechnical. It requires detailed planning to identify potential targets, the means to send email with a disguised or forged sender address, knowledge of the victim's reporting structure and an understanding of social engineering. At the same time, it doesn't involve breaking through firewalls or installing malware or keylogging software on a victim's computer.
According to IC3, these schemes appear to have several common characteristics, which could be used for risk assessment purposes by unaffected organizations. Here are some of the commonalities:
- Victim businesses often trade internationally—usually through China—and purchase or supply a variety of products such as textiles, furniture, food and pharmaceuticals.
- Victim businesses tend to conduct high-dollar wire transfers.
- Fraudulent email requests often arrive from free webmail addresses (AOL, Gmail or Hotmail) rather than from the vendor's own domain.
- Fraudulent emails coincide with business travel dates for executives whose emails were spoofed.
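Two of the tells above can be checked mechanically before a payment is released: the character manipulation of the sender address described earlier, and the use of consumer webmail addresses from the IC3 list. The following is an added example written for this article, not code from IC3 or from any of the companies named; the vendor domain list, the homoglyph table and the sample addresses are constructed for illustration. It folds common look-alike tricks (digits for letters, "rn" for "m", fullwidth Unicode characters) into a canonical form, then compares the sender's domain against the vendors already on file by exact match, homoglyph match and edit distance.

```python
import unicodedata

# Constructed example data: domains of vendors the accounts-payable team already pays.
KNOWN_VENDOR_DOMAINS = sorted({"acme-textiles.com", "globalfurnishings.co.uk", "pharmasupply.cn"})

# Consumer webmail providers named by IC3; a vendor payment request from one of these is a red flag.
FREE_WEBMAIL_DOMAINS = {"aol.com", "gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Characters commonly substituted for look-alike letters (constructed table, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})


def normalize_domain(domain):
    """Fold a domain to a canonical form so look-alikes compare equal to the real domain."""
    d = unicodedata.normalize("NFKC", domain).strip().lower()   # fullwidth/compat chars -> ASCII
    d = d.translate(HOMOGLYPHS)                                  # digits standing in for letters
    return d.replace("rn", "m").replace("vv", "w")               # 'rn' imitates 'm', 'vv' imitates 'w'


def levenshtein(a, b):
    """Edit distance; one or two edits is the range used to fake a vendor's domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(address):
    """Classify the sender of a payment request: 'ok', 'suspicious', 'block' or 'unknown'."""
    domain = address.rpartition("@")[2].strip().lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "ok", "exact match to a known vendor domain"
    if domain in FREE_WEBMAIL_DOMAINS:
        return "suspicious", "vendor payment request from a consumer webmail domain"
    norm = normalize_domain(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        known_norm = normalize_domain(known)
        if norm == known_norm:
            return "block", f"homoglyph look-alike of {known}"
        if levenshtein(norm, known_norm) <= 2:
            return "block", f"within two edits of {known}"
        if known.split(".")[0] in norm:
            return "suspicious", f"embeds the vendor name from {known} in an unrecognised domain"
    return "unknown", "domain not on file; verify the request out of band"


if __name__ == "__main__":
    # Constructed sample senders: one genuine, the rest imitating it in different ways.
    for addr in ("ap@acme-textiles.com", "ap@acrne-textiles.com", "ap@acme-textile.com",
                 "ap@acme-textiles.c0m", "cfo@gmail.com", "billing@acme-textiles-invoices.com"):
        print(f"{addr:40} {assess_sender(addr)}")
```

This is a pre-payment check for the accounts-payable workflow, not a spam filter: anything other than "ok" should stop the wire until the request is confirmed with the vendor through a channel that does not come from the email itself. The "unknown" verdict is deliberate, since a genuinely new vendor and an attacker's freshly registered domain look identical to this check.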
It’s important to note that this type of fraud can occur even when victim organizations and their employees follow all standard internal controls and protocols, which makes it particularly difficult to prevent. Spam filters and antivirus software are not designed to protect against cleverly engineered impersonation, because the email carries no malware and often comes from a genuine, if look-alike, mailbox. The human element is therefore vitally important, and employee training and awareness are the best line of defense: in practice, any request to change a vendor's bank details or to wire funds urgently should be treated as suspect until confirmed by phone at a number already on file, never at one supplied in the email.