Description Of the Scheme – Fraudsters Do Their Homework
There are at least three versions of this scheme. They all start with in-depth reconnaissance: the criminal learns key details about the intended victim, how the company is structured, and whom to target in order to make the attack as convincing as possible. They will try to compromise an employee’s email account to see what they can learn, and they will check publicly available information. They are looking for:
- General information about the company, where it does business, and with whom
- Names and titles of company officers
- Management organizational structure: who reports to whom
- Information on new rounds of funding
- Information on new products and services, or patents
- Product or geographic expansion plans
- Travel plans
They then spoof sender addresses using look-alike domains that differ from the real one by a detail most readers would miss, for example:
- …@companyABDC.com instead of …@companyABCD.com (two letters transposed)
- …@company_name.com instead of …@company-name.com (an underscore instead of a hyphen)
- An “m” replaced with “rn” (an “r” followed by an “n”), which reads as “m” at a glance in many fonts
Example 1: Email from a company executive
- A criminal compromises or spoofs the email account of an executive, such as the CFO.
- The criminal sends a request for a wire transfer from the compromised account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the Controller.
- The Controller submits a wire payment request, as per instructions from her “boss.”
Example 2: Invoice From a supplier or business partner via a spoofed email address
- A fraudster compromises the email of a business user employed by their target company, for example, someone in Accounts Payable.
- The criminal monitors email of the business user looking for vendor invoices.
- The criminal finds a legitimate invoice and modifies the beneficiary information, such as changing the routing number and account number to which payment is to be sent.
- The criminal spoofs the vendor’s email to submit the modified invoice. This doesn’t require compromising the vendor’s email system; instead the invoice is sent from an email address so close to the vendor’s domain that most people would miss the difference (see the look-alike domain examples above).
- The email explains that the vendor has updated its payment processes, which accounts for the new account details.
- Accounts payable, recognizing the vendor name and services provided, processes the invoice and submits a wire request for payment.
Example 3: Email From an attorney regarding a business acquisition
- The finance department receives an email from a criminal pretending to be the CEO regarding a secret company acquisition. The email emphasizes the sensitive nature of the deal, making the employee feel special by being included by the CEO in this confidential operation.
- The email explains that an attorney working on the acquisition will follow up with the wire instructions.
- The criminal, posing as the attorney, follows up by email or phone with the wire payment details as the original email from the CEO stated he would.
- The finance department submits the wire request for payment.
The FBI Alert warned, “The requests for wire transfers are well‐worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.” Gone are the days of the obvious warning signs of criminal activity, such as bad grammar and spelling, or unrealistic scenarios.
How To Detect Suspicious Wire Requests Resulting From the BEC Scam
Here are some techniques for detecting fraudulent payments submitted as a result of the BEC scam:
- Confirm the request with the executive by creating a new email and entering their known email address; don’t reply to the suspicious email as it will likely go to the criminal. If this feels a bit awkward, ask yourself, “would you rather ask your CEO or CFO to confirm a wire request or have to tell them you’ve just processed a fraudulent wire transfer?”
- The emails typically share a similar tone, urging secrecy and expedience, so set up your email gateway to flag keywords such as “payment”, “urgent”, “sensitive”, or “secret”.
- Although the late-stage emails used in BEC may not contain malware, malicious code is often used as part of an overall BEC scheme to initially compromise an employee’s email account, so make sure you have an effective malware detection solution in place.
- Register all domains that are slightly different from the actual company domain.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary. Know the habits of your customers, including the details of, reasons behind, and amount of payments.
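As an added example that is not part of the original article, the following Python puts two of the detection techniques above into code: recognizing the look-alike domain tricks described earlier (transposed letters, underscore for hyphen, “rn” for “m”) and flagging the secrecy/urgency keywords at the gateway. The trusted domains, the sample message and the extra “wire” keyword are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the company domains the article uses, lowercased as a gateway would see them.
TRUSTED_DOMAINS = {"companyabcd.com", "company-name.com"}
# Wording the article suggests flagging; "wire" is an added assumption.
KEYWORDS = {"payment", "urgent", "sensitive", "secret", "wire"}


def normalize(domain):
    """Undo the two substitutions the article lists: 'rn' standing in for 'm', underscore for hyphen."""
    return domain.lower().replace("rn", "m").replace("_", "-")


def is_transposition(a, b):
    """True when a and b differ only by one pair of adjacent characters swapped (ABDC vs ABCD)."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(a) == len(b) and len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None  # the real domain, not a look-alike
    for trusted in TRUSTED_DOMAINS:
        if normalize(d) == trusted or is_transposition(d, trusted):
            return trusted
    return None


def flag_wire_request(raw_message):
    """Return the reasons a message deserves out-of-band confirmation (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []
    target = lookalike_of(sender_domain)
    if target:
        reasons.append(f"sender domain {sender_domain} resembles trusted domain {target}")
    hits = sorted(k for k in KEYWORDS if re.search(r"\b%s\b" % k, text))
    if hits:
        reasons.append("secrecy/urgency wording: " + ", ".join(hits))
    return reasons


# Constructed sample in the shape of Example 1: a spoofed CFO address with two letters transposed.
SAMPLE = """From: CFO <cfo@companyabdc.com>
Subject: Urgent wire payment

Please process this sensitive payment today and keep it confidential.
"""
```

A hit from this check is a reason to confirm the request through a known phone number or a freshly composed email, never by replying to the message itself.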