The Financial Services Information Sharing and Analysis Center (FS-ISAC) has issued an alert warning companies of a continued increase in wire transfer fraud caused by business email compromise (BEC) scams. Produced jointly with the Federal Bureau of Investigation and the U.S. Secret Service, the alert describes how BEC attacks work and gives businesses recommendations for mitigating the threat. Business email compromise is a form of payment fraud in which an attacker takes over the legitimate email account of a high-ranking executive, such as an organization's CFO or CEO, and uses that access to have fraudulent wire transfers sent to financial institutions around the world; according to the alert, the vast majority of these transfers go to Asia.
Attackers may also run a second form of BEC by compromising the email account of a business's vendor or supplier. In this variant, known as vendor fraud, the attacker waits until the vendor is due to be paid by a client and then sends a last-minute change to the vendor's bank and account numbers. In either variant, once an account has been compromised the scammers usually conduct reconnaissance first, reading the victim's mail to find an opportune moment to send the fake wire transfer request.
"In some instances, actors have auto-forwarded e-mails received by the victim to an e-mail account under their control," the alert explains. "This reconnaissance stage lasts until the actor feels comfortable enough to send wire transfer instructions using either the victim’s e-mail or a spoofed e-mail account that is controlled by the actor. The difference in the spoofed e-mail account is very subtle and can easily be mistaken for the legitimate business e-mail address."
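As an added illustration, not code from the FS-ISAC, FBI or Secret Service alert, the Python check below flags the two signals the quoted passage describes: a sender domain that is a subtle variant of a known vendor's domain, and a Reply-To header that quietly diverts the thread to an address the attacker controls. The vendor allow-list, the confusable-character table, the phrase list, the edit-distance threshold and the three sample messages are all constructed for this example.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains of vendors this business actually pays.
KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northwind-parts.com"}

# Character substitutions that make a spoofed domain read like the real one at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Phrases typical of a last-minute payment redirection request (constructed list).
REDIRECT_PHRASES = ["new bank", "updated bank", "change of bank", "new account",
                    "wire", "remit", "payment details"]

# Edit distance at or below which two domain skeletons count as look-alikes (assumed).
LOOKALIKE_THRESHOLD = 2


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which look-alike variants collide."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d.replace("-", "")          # "acmesupply.com" vs "acme-supply.com" is a common trick


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value means the strings differ by a typo-sized change."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """Return 'known', 'lookalike:<vendor>' or 'unknown' for a sender domain."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return "known"
    sk = skeleton(domain)
    for vendor in sorted(KNOWN_VENDOR_DOMAINS):
        if levenshtein(sk, skeleton(vendor)) <= LOOKALIKE_THRESHOLD:
            return f"lookalike:{vendor}"
    return "unknown"


def domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as 'Dana <x@y.com>'."""
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Check one RFC 822 message and decide whether it must be held for a phone callback."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()

    verdict = classify_domain(from_domain)
    findings = []
    if verdict.startswith("lookalike:"):
        findings.append(f"sender domain {from_domain} resembles {verdict.split(':', 1)[1]}")
    elif verdict == "unknown":
        findings.append(f"sender domain {from_domain} is not a known vendor")
    if reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    if any(p in text for p in REDIRECT_PHRASES):
        findings.append("message requests a payment or bank-detail change")
    return {"from_domain": from_domain, "verdict": verdict,
            "findings": findings, "hold_for_callback": bool(findings)}


# Constructed sample messages: a routine invoice, a look-alike domain (capital I for l)
# requesting new bank details, and a real sender whose Reply-To points elsewhere.
SAMPLE_MESSAGES = {
    "routine": ("From: Dana <billing@acme-supply.com>\nSubject: Invoice 4471\n\n"
                "Attached is invoice 4471 for last month's order.\n"),
    "lookalike": ("From: Dana <billing@acme-suppIy.com>\n"
                  "Subject: Updated bank details for invoice 4471\n\n"
                  "Please use our new bank account for all future payments.\n"),
    "replyto": ("From: Dana <billing@acme-supply.com>\n"
                "Reply-To: dana.acme@webmail-example.net\nSubject: Invoice 4471\n\n"
                "Please remit payment to the account below.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        result = triage(raw)
        print(f"{name}: hold={result['hold_for_callback']} {result['findings']}")
```

Anything the check holds should be confirmed by phone with the vendor before money moves, and the call should go to a number from the business's own vendor record rather than to one printed in the suspicious email. The skeleton comparison deliberately errs on the side of flagging, since the cost of a callback is small next to a misdirected wire.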
The FS-ISAC alert also warns that attackers sometimes wait until the targeted executive is on vacation before sending wire transfer instructions, because staff then expect to receive business by email and are less likely to walk over and confirm the request in person. To mitigate BEC scams, the alert recommends that businesses always confirm changes to vendor payment authorization by phone, maintain a non-electronic record of vendor contact information (so that the confirming call goes to a number the attacker cannot have altered in the email), and limit the number of employees who are able to authorize wire transfers. For more information on BEC, which cost U.S. businesses $215 million in losses last year, see the follow-up alert from the United States Computer Emergency Readiness Team (US-CERT).