Initial email from the fraudsters:
From: Judy Exec <judy.exec@cmputercorp.com>
To: Henry Ledger <henry.ledger@computercorp.com>
Subject: Urgent payment
Henry,
What is the cutoff time for wires? I need to have this payment sent ASAP.
<Attached: PaymentInstruction.pdf>
-Judy
Sent from My iPhone
Response from the controller:
From: Henry Ledger <henry.ledger@computercorp.com>
To: Judy Exec <judy.exec@cmputercorp.com>
Subject: Re: Urgent Payment
Hi Judy,
Wires must be processed prior to 2:00 PM PT. How should I code the transfer?
-Henry
Final response from fraudsters:
From: Judy Exec <judy.exec@cmputercorp.com>
To: Henry Ledger <henry.ledger@computercorp.com>
Subject: Re: Urgent payment
Please code to my admin for now. Thanks.
-Judy
Sent from My IPhone
|
With this information in place, Henry hurries to initiate the wire transfer to the account in the payment instructions. Dual authorization is required. When the secondary approver calls Henry, he confirms that the request came directly from the CEO and is urgent. The secondary approver also approves the wire.
The money is sent to the fraudulent account.
The aftermath
Computercorp CEO Judy Exec returns from vacation. Henry sends her a note to confirm the allocation of the funds from the wire. Judy calls Henry immediately, claiming that she didn’t send instructions for a wire.
Henry contacts their bank to request a funds recall. The bank initiates the recall, but the funds moved from the fraudulent account and are no longer available. Next, Computercorp contacts their local FBI field office and reports the fraudulent event to the Internet Crime Complaint Center (IC3).
Because of this event, Computercorp strengthens their wire authorization controls by implementing callback procedures for all requested wire transactions.
Scenario two: The payment instruction switch
Another scenario involves fraudulently changing a known supplier’s payment instructions to divert funds to an account owned by criminals or their accomplices.
The pre-event set-up
An organized crime group targets fictitious company, “ABC Corp,” a U.S.-based global manufacturing company that makes frequent payments to foreign suppliers for goods and services. The crime group:
- Identifies an ABC Corp overseas supplier by the name of “XYZ Supply.”
- Compromises the email accounts of several XYZ Supply account reps who are using weak passwords on a web-based email system that has no secondary authentication.
- Searches through emails for payment requests to customers of XYZ Supply. Notices an invoice to ABC Corp for goods, with an additional request for goods to be invoiced in the near future.
The scam
The criminals email the supplier manager at ABC Corp using the most recent XYZ Supply email chain and request a change in payment instruction.
The email doesn’t raise an alert with the supplier manager, because it’s legitimately from the XYZ Supply email account.
The supplier manager updates the payment system with the new account information assuming the email request is legitimately from XYZ’s account representative.
ABC Corp receives the goods and makes a wire payment to the fraudulent account provided by the criminals.
The aftermath
The day after payment, the supplier manager at ABC Corp emails the account representative at XYZ Supply to notify them of the payment. The account representative responds that the wire wasn’t received.
The controller checks the outgoing wires report to confirm the wire. That’s when ABC Corp discovers the wire was sent to a fraudulent account. The controller at ABC Corp calls their bank to request a funds recall, but it’s too late. The funds are no longer available in the receiving account and can’t be recalled.
ABC Corp and XYZ Supply split the cost of the loss, and later implement additional controls around payment instruction changes including callback confirmation procedures. XYZ Supply also commits to implementing stronger security controls on their web-based email system, including multi-factor authentication.
Prevent these fictional BEC scenarios from becoming your reality
These scenarios depict situations that your organization can avoid by using stronger internal controls. In both of these BEC frauds, a phone call directly to the requestor using a verified number could have avoided the situation
Stronger controls around email must also be part of any security strategy. Keep in mind that traditional email isn’t a trusted communication mechanism when dealing with critical activities such as money movement.
While no single control or set of controls will prevent your organization from being a target, we suggest these five tips to prevent your organization from falling victim to BEC:
- Confirm and verify email requests for fund transfers
Contact the requestor by phone using an independently obtained phone number or one that you already have on file. Pay special attention to transfers requested to new or recently updated accounts. Nearly all BEC scams can be stopped in their tracks if organizations adopt this basic control.
- Use dual control for money movement activities
Dual control allows for two levels of scrutiny and authorization to help stem the risk of illegitimate funds transfers.
- Use multi-factor authentication for web-based email accounts
Fraudsters may leverage actual accounts of executives with email credentials pilfered from spear phishing campaigns. Multi-factor authentication adds another layer of control to deter cyber crooks from accessing employee accounts.
- Communicate quickly when fraud or security events occur
Notify your key banking partners and information security staff immediately if you suspect BEC. If appropriate, contact law enforcement and file a complaint with the FBI Internet Crime Complaint Center.
- Create awareness within your organization
Evaluate staff compliance with internal controls by using real-world security awareness testing. Finally, review your current payment controls to keep your organization safe from BEC.
For more on how to protect your organization from BEC, check out our fraud prevention checklist.
Business email scams are on the rise as more employees are working from home. Contact U.S. Bank for help with your fraud prevention plan.