Wolves in Digital Clothing: Unmasking the Threat of Business Email Compromise

Blog September 25, 2024 by Laurel Sykes

In previous blog posts, we’ve highlighted the dangers of using email to conduct business transactions and provided guidance for verifying payment instructions sent via email using “out-of-band” channels, such as phone numbers or invoices previously on file. The FBI also continues to provide PSAs and announcements on the risk of email compromise, previously reporting that over $26 billion was lost from June 2016 to July 2019 internationally and in the United States.

Such scams are also known as “business email compromise (BEC)” or the “CEO wire scam”, but it happens just as frequently to personal email accounts. The trend is continuing! From October 2013 to December 2022, the FBI reportedly received 278,000 reports regarding BEC totaling over $50 billion based on suspicious activity reports filed by banks.

Real Estate¶

According to the most recent Public Service Announcement by the FBI, in calendar year 2018, victims reporting to the FBI’s IC3 service on BEC related to real estate transactions. Gradually, reporting to the IC3 decreased in the following years until another minor spike in 2021 and then again increasing in 2022.

The BEC scam targets all participants in real estate transactions, to include buyers, seller, real estate attorneys, title companies, and agents. Once a BEC perpetrators gain access to a participant's email account involved in a real estate transaction, they are able to monitor the real estate proceeding and often time the fraudulent request for a change in payment type (frequently from check to wire transfer) or a change from one bank account to a different bank account under their control. The funds may also be transferred to a secondary fraudulent domestic or international account.

Payroll Changes¶

The FBI’s prior PSA, noted that there continues to be a significant number of BEC complaints concerning payroll, where the human resources or payroll department receives spoofed emails appearing to be from employees requesting a change to their direct deposit account. Alternatively, the fraudster gains access to an employee’s direct deposit account and alters the routing to another account.

The FBI cautions that the scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms. That data can later be used in another common scam where the fraudster files taxes on the victim’s behalf to obtain the tax refund!

Changing Bank Account Information for Transfers or to Pay Invoices¶

The FBI also issues regular reports on email compromise scams based upon reports filed through their online site at www.ic3.gov. The bulk of their reports focus on business transactions, such as cases where a CFO or controller of a business have fallen prey to wiring money out to a fraudster believing their CEO had sent them an email asking them to do so. Caution is also urged when you receive an email request from someone purporting to be one of your vendors that their payment information has changed. Always contact the individual requesting the change using a phone number you previously had on file from a prior invoice.

Below are some tips from ARB and the FBI for preventing losses through these scams. Pass the information along to your friends and colleagues – spread the word!

• Go out-of-band to reach the person sending the email to verify the request.
• Use two-factor authentication with your online banking accounts or accounts you maintain at work (such as having a code sent to your cell phone) to verify requests for changes in account information.
• Check out the URL in emails by hovering over the link (don’t click!) to ensure it is coming from the business is claims to be from.
• Be alert to hyperlinks that may contain misspellings of the actual domain name.
• Never supply login credentials or personal information in response to any emails. Be aware that many emails requesting your personal information may appear to be legitimate.
• Monitor your bank accounts frequently for irregularities, such as missing payroll or other automatic deposits, or unauthorized wires or ACH transactions.
• Make sure you are using the latest operating system for your phone or computer.
• Verify the email address used to send emails, especially when using a mobile or handheld device by ensuring the senders address email address appears to match who it is coming from. In some cases, your email provider may even provide security features letting you know the email may not have been sent by the person it claims to be!
• Ensure the settings on your computer or phone are enabled to allow full email extensions to be viewed.

Report Immediately!¶

If you discover a fraudulent transfer, time is of the essence. First, contact the relationship manager at your bank and request a recall of the funds along with any necessary indemnification documents. Attempting to recover funds can be difficult if more than 72 hours have passed since the transfer occurred. Regardless of the amount lost, file a complaint with www.ic3.gov, as soon as possible. The FBI IC3 will be able to assist both your financial institutions and law enforcement in possible recovery efforts. Other tips from the FBI on BEC can be found here.

We invite you to reach out to any of our banking specialists to learn more about fraud controls available to protect your accounts from the increasing threat of fraud. We are also available to do presentations with local residents or businesses on a variety of topics, including cybersecurity, elder financial abuse presentation, or secure banking practices. Stay alert, and let us know how we can help!