West African organized-crime rings have been targeting U.S. businesses with “business e-mail compromise” scams that are costing firms millions of dollars every year.
Losses to businesses targeted by these scams hit an all-time high in the first quarter of 2018, with $685 million in losses reported by 4,081 victims. That is more than the amount lost to such scams in all of 2017: $675 million.
The gangs send fake messages to businesses’ finance departments purporting to be a vendor for the company with an invoice requiring payment.
These criminals research companies before targeting them: they go to company websites and look for the right people to e-mail. They may even pull annual reports to find which companies the target does business with, and then spoof those firms (that is, impersonate them in the e-mails).
Some criminals fake a CEO’s e-mail account and e-mail that company’s finance office ordering payment to a certain account. In one case cited by Dow Jones Newswires, a real estate attorney received an e-mail from the purported sellers of a local property asking the lawyer to wire the proceeds of the sale to the criminals’ bank account. The lawyer wired $246,218.83 to the scammers.
The main scams
Money request via compromised account of company exec
- A criminal compromises or spoofs the e-mail account of an executive, such as the CEO.
- The criminal sends a request for a wire transfer from the compromised account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the controller.
- The controller submits a wire payment request, as instructed by his or her “boss.”
Invoice from supplier via spoofed e-mail address
A fraudster compromises the e-mail account of a business user at the target company, for example someone in accounts payable. This is how it’s done:
- The criminal monitors e-mail of the business user, looking for vendor invoices.
- The criminal finds a legitimate invoice and modifies the beneficiary information, such as changing the routing number and account number to which payment is to be sent.
- The scammer then spoofs the vendor’s e-mail address to submit the modified invoice.
- Accounts payable, recognizing the vendor name and services provided, processes the invoice and submits a wire request for payment.
How to avoid getting burned
- Confirm an e-mailed monetary request purportedly from a company executive by composing a new e-mail to the executive’s known address; don’t reply to the suspicious e-mail, as the reply will likely go to the criminal.
- The e-mails typically have a similar tone, urging secrecy and expedience. Set up your e-mail gateway to flag key words such as “payment,” “urgent,” “sensitive” or “secret.”
- Look for odd uses of the English language; many of the scammers are foreigners operating abroad.
- Although the late-stage e-mails used in these scams may not contain malware, malicious code is often used earlier in the scheme to compromise an employee’s e-mail account in the first place. So make sure you have an effective malware detection solution in place.
- Register all domains that are slightly different from the actual company domain.
- Scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
- Ask your accounts payable staff to get to know the habits of your customers, including the details of, reasons behind, and amounts of payments.
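The checklist above describes several signals a mail gateway can test for automatically: urgency and secrecy wording, a sender domain that is a near-miss of the company's own domain, an executive's display name sitting on an address that is not the one in the directory, and a Reply-To that steers answers elsewhere. The following Python is an added example written for this page, not code from the article or from any product it mentions; the company domain, executive directory, and both e-mail messages are constructed sample data, and the homoglyph table and edit-distance threshold are assumptions chosen for illustration.

```python
"""Score inbound e-mail for business e-mail compromise indicators (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                          # constructed: protected company
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}       # constructed: name -> known address
# Keywords from the checklist plus "wire"; matched as whole words, case-insensitively.
KEYWORDS = ("payment", "urgent", "sensitive", "secret", "wire")
# Assumed homoglyph table: characters scammers swap to build lookalike domains.
DIGIT_MAP = str.maketrans("01357", "olest")


def levenshtein(a, b):
    """Classic edit distance; small enough to inline rather than pull a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain):
    """Collapse common visual substitutions so examp1e / exarnple read as example."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(DIGIT_MAP)


def is_lookalike(domain, company=COMPANY_DOMAIN):
    """True when the domain resembles the company domain without being it."""
    if domain == company:
        return False
    n = normalize_domain(domain)
    label, corp_label = n.split(".")[0], company.split(".")[0]
    # Threshold of two edits is an assumption; tune against real traffic.
    return n == company or levenshtein(n, company) <= 2 or corp_label in label


def _text_body(msg):
    """Plain-text body of the message (unencoded text only, for brevity)."""
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def analyze(raw):
    """Return a list of (kind, detail) findings; kind is 'wording' or 'identity'."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + " " + _text_body(msg)).lower()
    findings = []
    hits = sorted(k for k in KEYWORDS if re.search(r"\b%s\b" % k, text))
    if hits:
        findings.append(("wording", "urgency/secrecy wording: " + ", ".join(hits)))
    if is_lookalike(from_domain):
        findings.append(("identity", f"sender domain {from_domain} resembles {COMPANY_DOMAIN}"))
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(("identity", f"executive name {from_name!r} on unexpected address {from_addr}"))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(("identity", f"Reply-To {reply_addr} differs from From {from_addr}"))
    return findings


def verdict(raw):
    """'hold' on any identity indicator, 'flag' on wording alone, else 'pass'."""
    kinds = {kind for kind, _ in analyze(raw)}
    if "identity" in kinds:
        return "hold"
    return "flag" if "wording" in kinds else "pass"


# Constructed sample messages (not real correspondence).
SAMPLE_SCAM = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: controller@example-corp.com
Subject: Urgent wire payment - keep confidential

I need you to process a payment today. This is sensitive, do not discuss.
"""

SAMPLE_LEGIT = """From: Acme Supplies <billing@acme-supplies.example>
To: ap@example-corp.com
Subject: Invoice 1042 for April services

Attached is invoice 1042. Payment terms net 30 as usual.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SAMPLE_SCAM), ("legit", SAMPLE_LEGIT)):
        print(label, verdict(raw), analyze(raw))
```

A "hold" result is meant to route the message to a person for the out-of-band confirmation the checklist recommends (a fresh e-mail or a phone call to the known address or number), not to block it silently; a "flag" on wording alone is only a prompt for closer scrutiny, since legitimate invoices mention payment too. The homoglyph normalisation is deliberately crude and will occasionally fold a legitimate domain (any containing "rn", for instance), which is acceptable for a hold-and-verify control but not for automatic rejection.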