The Next Cybersecurity Threat: Your Email Inbox

Abrigo
October 24, 2018

Email Cybersecurity Threats: How to Protect Yourself and Your Company

$5,300,000,000,000 … That’s how much cybercriminals have siphoned from businesses and consumers worldwide through business email compromise (BEC) and email account compromise (EAC) scams since 2013, according to the Internet Crime Complaint Center (IC3). The FBI noted that these scams have increased 136% worldwide from December 2016 to May 2018.

BEC and EAC scams are very similar in how they attack their victims, causing companies to pay more attention to their cybersecurity. The biggest difference is that BEC scams target companies, while EAC scams are directed at the victim’s personal accounts. Regardless, both are equally threatening to financial cybersecurity.

How Do These Scams Work?

There are three basic stages to a BEC/EAC scam:

  • Stage 1 – Compromising victim information and email accounts
  • Stage 2 – Transmitting fraudulent transaction instructions
  • Stage 3 – Executing unauthorized transactions

Stage 1 – BEC/EAC scams can be completed through a simple email exchange with a fraudulent look-alike email or with a more advanced email phishing scheme. Through social engineering or malware, fraudsters attempt to compromise a legitimate business e-mail account. If they cannot compromise an email, the scammer spoofs a valid email address by inserting a character such as a “0” (zero) in place of an “O” (capital letter O), making the fake email look realistic.

Social engineering is the use of deception to manipulate individuals into giving out personal or confidential information, either in person or through digital channels. The fraudsters monitor and study their selected victims prior to initiating the scam. This can range from diving deep into the victim’s social media accounts to physically infiltrating a business to gain information. The growth of the internet and social media has made social engineering significantly easier and less time-consuming. Now, instead of visiting a physical location, the scammers can get most of the needed information through a simple web search. According to the IC3, “The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).”

In other instances, victims of the BEC scam report being targeted by ransomware cyber intrusions immediately preceding a BEC incident, usually through a more complex phishing scam. A victim receives an e-mail from a seemingly legitimate source, such as a coworker, friend or vendor, that contains a link. When the victim clicks the link, they unknowingly download malware, which gives the criminals access to confidential or secure internal information. These malware programs allow the attacker to infiltrate the company’s email system or victim’s email account and learn their normal procedures for money transfer by reading through sent items folders.

Stage 2 – Once the criminals have the information they need, they send the payment information. Since wires are a quick international transfer vehicle, most BEC/EAC scams request wire transfers. According to the 2017 AFP Payments Fraud and Control Survey, checks are the second-most requested payment vehicle. ACH credits and corporate/commercial credit/debit cards are tied as the third-most frequent payment vehicle.

Stage 3 – Often, the victim is asked to keep the transfer confidential and there is an element of urgency associated with the payment or transaction. Criminals are taking these scams one step further now, often calling the victim to follow up on the wire request, giving the transaction more perceived legitimacy.

More advanced crime rings behind these scams regularly use “money mules” to move the transferred funds, making it harder for financial institutions to detect. Sometimes, the scam victims themselves are recruited as innocent money mules. Fraudsters also recruit mules from “work from home” postings or romance schemes. The mules receive the fraudulent funds in their personal accounts and are then directed by the fraudster to quickly transfer the funds to another financial institution account, usually outside the U.S. Most payments end up in Asian financial institutions with China and Hong Kong leading the way. The IC3 reported, however, that 113 other countries have also been recipients of these transfers.

So what’s the difference?

BEC scams target a business that regularly performs wire transfer payments or works with foreign suppliers. Victims range from small businesses to large corporations and deal in a wide variety of goods and services, indicating that every business is at risk.

It is important to note that not every BEC scam contains a payment element. The criminals might also be asking for confidential information in the form of Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms.

 


An example of a BEC scam email looks like this:

This example highlights two common components of a BEC phishing email: an element of urgency and a request to keep the transfer confidential.

As damaging as BEC scams are for businesses, EAC scams are hurting individuals at an alarming rate. These scams follow a similar workflow to BEC scams, targeting individuals usually associated with financial institutions, law firms, and real estate companies. They also look for victims who are in the midst of a large purchase, such as a home, where they have to wire funds for closing.

Criminals executing EAC scams generally use two different techniques: account compromise and email spoofing. With account compromise, they hack into a victim’s account and monitor emails for invoices or payment information. Email spoofing requires the criminals to create a fake email address that mimics the actual address, often replacing “O” with “0” or using “_” instead of “-”.

After successfully scanning the victim’s inbox for payment information, the attacker updates the payment information with their account information and resends the email, making it seem legitimate. The criminal might infect an employee’s email account at a title company with malware and send incorrect wiring instructions to an excited home buyer. Or the attacker might spoof the title company’s email and send incorrect wiring instructions to the would-be buyer.

Other examples of EAC scams target consumers with legal, brokerage or lending services pending.

What can a financial institution do to help its customers?

There are many ways institutions can prevent or detect BEC and EAC scams to better protect themselves and their customers. Institutions need to implement greater communication and collaboration between their internal AML, fraud prevention, and cybersecurity units. Many times, these groups are separately investigating the same criminals and are unaware of each other’s work.

Additionally, financial institutions can hold requests for international wire transfers for an additional period of time to verify the legitimacy of the request. A simple phone call to validate the transfer can save both the institution and the customer time and money.

Other methods of combatting this fraud include two-factor authentication with accounts attempting transfers, a solid fraud detection solution, and educating businesses and consumers on the risks of these scams. Employees should be well-versed on the red flags so they can stop fraudulent transfers.

Education programs help businesses understand that they can reduce their risk of BEC/EAC scams if they:

  • Avoid free web-based email accounts
  • Are cautious with what is posted on company and personal social media sites and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details
  • Are suspicious of requests for secrecy or pressure to act quickly
  • Create intrusion detection system rules that flag emails with extensions similar to the company’s email domain
  • Register all company domains that are slightly different, including replacing letters with numbers (0 instead of O)
  • Verify changes in vendor payment location
  • Confirm requests for transfers of funds
  • Scrutinize all email requests
  • Install anti-virus or malware software

Financial institutions can also use basic KYC principles to protect their customers from these scams. Be aware of a customer’s typical wire transfer activity and verify any deviations.

Resources

FinCEN and the FBI have put out several advisories on BEC and EAC scams. The FBI’s May 4, 2017, Alert Number I-050417-PSA and FinCEN’s FIN-2016-A003 documents are good resources for financial institutions to review. In cases that result in a SAR filing, financial institutions should reference Advisory FIN-2016-A003 and include key terms such as BEC Fraud when a business is the victim and EAC Fraud when an individual is the victim.

Through education and awareness, both businesses and financial institutions can better protect themselves, their employees and their customers from these debilitating scams.

About the Author

Abrigo

Abrigo enables U.S. financial institutions to support their communities through technology that fights financial crime, grows loans and deposits, and optimizes risk. Abrigo’s platform centralizes the institution’s data, creates a digital user experience, ensures compliance, and delivers efficiency for scale and profitable growth. Make Big Things Happen.
