Email compromise fraud schemes
Skip to main content Skip to main menu Skip to footer

Email compromise fraud schemes

Email compromise fraud schemes

Decrease Text Size Increase Text Size

Page Article

Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

What to do IF & WHEN a BEC Occurs

Have a Business Continuity (BC) Plan for IF and WHEN a BEC occurs.
  • IMMEDIATELY
    • Contact your Banking team via Telephone AND email. KNOW WHO TO CONTACT, Sales, Service, ALL.
    • Ensure ALL Employees have Banking CONTACT INFO.
    • Inform Banking Team of the transaction. Have sufficient details to relay what transpired.
    • Provide a screen shot of the outbound wire if possible.
    • Once informed, Bank Team should alert the Corporate Fraud Division of the transaction.
    • Beneficiary Bank
      • Request that a wire recall be submitted. The financial institution should submit a wire recall on Customer’s behalf to the with a message indicating that the wire was unauthorized or as a result of a BEC. Action taken, is in an attempt to facilitate any recovery.
      • Gather all relevant information associated with the business deal (i.e. wire instruction emails) to provide the Financial Institution’s Fraud Division and complete any unnecessary forms as requested (i.e. affidavits).
      • Complete an online FBI, Internet Complaint Form (IC3) or contact the FBI directly immediately. You may file a police report with your local police department.
      • IF and WHEN the financial institution successfully recovers funds (if available funds), funds will be returned to the originating account.

Develop a BEC Response Plan

The sooner you report a BEC attack, the better your chances of recovering losses. Be sure to have a plan in place to immediately notify your financial institution of the fraud. 

  • For international wire transfers over $50,000, call your regional FBI office (https://www.fbi.gov/contact-us/field-offices) and local police.  The FBI offers a Financial Fraud Kill Chain (FFKC) process to help recover large international wire transfers stolen from the United States.  The FFKC is intended to be utilized as another potential avenue for U.S. financial institutions to get victim funds returned. 
  • Any wire transfers that occur outside of these thresholds should still be reported to law enforcement (http://www.ic3.gov/) but the FFKC cannot be utilized to return the fraudulent funds.  
  • The plan should also include quickly engaging your IT and information security staff to determine if there has been a network or email compromise.
  • Prepare any reports and notifications required by regulation, law, or policy and deliver as appropriate.
  • Prepare lessons learned reports and socialize as appropriate according to your site’s incident response policies.
  • Share incident details and lessons learned with appropriate management, board-level, or committee-level members.
  • Implement additional controls to minimize the risk of future attacks.

How can you defend your company from BEC?

  • Businesses are encouraged to enhance employee fraud awareness, to educate employees on how BEC scams and other similar attacks work. While employees are a company’s biggest asset, they can also be its weakest link when it comes to security. Commit to training employees, review company policies, and develop good security habits.
  • Carefully scrutinize all emails. Be wary of unsolicited or irregular emails sent by high-level executives, as they can be used to trick employees into acting with urgency. Be extra cautious of emails requesting funds, to determine if the requests are out of the ordinary.
  • Verify any changes in vendor payment instructions, by using a secondary sign-off by company personnel.
  • Stay updated on customers’ habits, including the details, and reasons behind payments.
  • Conduct call backs (numbers on file not email) on all payment requests.
  • Prohibit access to personal emails from business computers. Personal email accounts are known for receiving spam emails that contain potential malware.
  • Encourage employees to only use business computers for business use and refrain from visiting unknown sites.
  • Conduct thorough verification of new business clients. Use caution with Customers, who only want to communicate via email and the WhatsApp application.
  • Segregate employee job duties to avoid collusion.
  • Secure your business network security and email accounts. Microsoft DUAL authentication should be enabled.
  • If you have reason to believe that you are a victim of a BEC, contact your Bank as soon as possible and report the incident to the FBI and/or local police department.
  • Obtain Cyber/Fraud Insurance Coverage.

Recommendations and Mitigations

Non-Technical Mitigations 

Social engineering safety
  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Be careful what you post to business networking sites like LinkedIn and your company website, especially information about who has which specific job duties. 
Training and awareness
  • Alerts for employees and customers regarding phishing scams targeting specific organizations or interest groups.
  • Reminders of policies in place such as account changes.
  • General information on phishing tactics posted to an organization web site or emails.
  • Establish an employee testing program with phishing and BEC attempts that appear to come from your senior leaders and trusted business partners.
Establish out-of-band communication  
  • Use an alternate form of communication than email, such as a telephone call, to verify transactions over a particular dollar amount. And set up this verification process early in the business relationship. Do not use email to set up the verification process.
Standardize validation for payments and account changes
  • Establish with your customers and business partners how changes in account information will be communicated and validated.  Also, confirm how you expect them to validate changes to your banking information.
Confirm significant or out-of-pattern changes
  • Beware of sudden changes in business practices. For example, if a vendor suddenly asks to be contacted at a personal email address when all previous official correspondence has been on a company email, verify via other channels that you are still communicating with your legitimate business partner.
  • Be especially wary if the requestor is pressing you to act quickly.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.
  • Watch for suspicious requests, such as a change in a vendor’s payment location.
  • Follow controls for the validation of new or revised payment information.
  • Escalate any concerns if a payment seems suspicious - even after performing a callback.
  • Be very suspicious if a vendor offers vague reasons for changes to a new account, such as tax audits or current events, e.g., "Due to COVID-19, we need to update our payment information…"
Create a social media policy
  • Construct, implement and enforce a social media policy that prohibits sharing details about company roles and responsibilities, so cyber criminals cannot develop a picture of your corporate structure, including addresses to target your employees.
Email
  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing).  Look up the number from an external source when calling and call the company to ask if the request is legitimate.
  • Check the "rules" setting on your account periodically to ensure that no one has set up auto-forwarding for your e-mails.
  • Email forwarding vs email reply. Instead of hitting reply on important emails, use the forward option and either type in the correct email address or select it from your email address book to ensure you’re using the real email address.
  • Be cautious about using out-of-office replies that give too much detail about when your executives are out of the mix.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
  • Avoid clicking on links or attachments from unknown senders. Doing so could download malware onto your company’s computers, making you vulnerable to a hack.
Anti-phishing strategies for AI-written emails
  • Sandboxing for Word documents and other attachments to keep them away from corporate networks.
  • Web traffic inspection through a secure web gateway to protect both on-prem and remote users.
  • Secure email gateways.
  • Check URLs for malicious content or typosquatting.
  • Deploy email security protocols such as DMARC, DKIM, and SPF, which help prevent domain spoofing and content tampering.
  • Provide an easy way to report suspicious emails.

What to look for in an email:

  • Suspicious email address of the sender.  The email address of the sender(s) can mimic legitimate businesses. Threat actors often leverage email addresses that resemble reputable organizations but alter or omit a few letters and numbers.
  • Generic greetings and signatures.  Lack of contact information in an email signature block, or generic greetings such as "Sir/Ma’am" or "Dear Valued Customer" are strong indicators of a phishing email.
  • Misspelling and layout.  Odd sentence structure, misspellings, poor grammar, and inconsistent formatting are strong indicators of a potential phishing attempt.
  • Spoofed websites and hyperlinks.  When hovering a cursor over links in the body of an email, if links do not match, the link may be spoofed. Malicious variations from legitimate domains leverage different spellings or domains such as .net, vs .com. Other tactics include the usage of URL shortening services to conceal the true destination of links.
  • Suspicious attachments.  Unsolicited emails which request users to open or download attachments are common delivery mechanisms for malware.

Common Indicators (Red Flags):

  • E-mailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
  • E-mailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
  • E-mailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
  • E-mailed transaction instructions include markings, assertions, or language designating the transaction request as "Urgent," "Secret," or "Confidential."
  • E-mailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
  • E-mailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
  • A customer’s employee or representative e-mails financial institution transaction instructions on behalf of the customer that is based exclusively on e-mail communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
  • A customer e-mails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
  • A wire transfer is received for credit into an account; however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor while thinking the new account belongs to the known supplier/vendor, as described in the above BEC Scenario 3. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of e-mail-compromise fraud.

Technical Mitigations

  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.  TFA/MFA aims to protect users if authentication credentials have been captured. The nature of changing tokens limits the attacker's ability to leverage captured credentials.  
  • Avoid free web-based e-mail accounts. Establish a company domain name and use it to create formal e-mail addresses for your employees.
  • Label external emails to help prevent the impersonation of employees.  
  • Ensure emails originating from outside the organization are automatically marked before received. 
  • Prohibit automatic forwarding of emails to external addresses.  Detect email inbox forwarding rules that send all or selected emails to an external email address.
  • Add an email banner to messages coming from outside your organization.  This is a simple way to highlight that extra scrutiny is needed for external emails. It can also identify when an adversary creates a fraudulent domain that looks similar to a healthcare and public health sector (HPH) legitimate domain.
  • Prohibit legacy email protocols, such as POP, IMAP, and SMTP1, that can be used to circumvent multi-factor authentication.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity, such as foreign logins.
  • Enable security features that block malicious emails, such as anti-phishing and anti-spoofing policies.
  • Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email.
  • Disable legacy account authentication.
  • Develop and maintain a policy on suspicious e-mails for end users; Ensure suspicious e-mails are reported. 
  • Apply patches/updates immediately after release/testing; Develop/maintain patching program if necessary. 
  • Implement an Intrusion Detection System (IDS); Keep signatures and rules updated. 
  • Implement spam filters at the email gateways; Keep signatures and rules updated. 
  • Block suspicious IP addresses at the firewall; Keep firewall rules updated. 
  • Implement whitelisting technology to ensure that only authorized software is allowed to execute. 
  • Implement access control based on the principle of least privilege. 
  • Implement and maintain anti-malware solutions. 
  • Conduct system hardening to ensure proper configurations. 
  • Disable the use of SMBv1 (and all other vulnerable services and protocols) and require at least SMBv2.
  • Domain-based Message Authentication Reporting and Conformance (DMARC).  The DMARC protocol enables domain owners to specify which authentication method is used when sending emails. DMARC helps email receivers determine if the purported message "aligns" with what the receiver knows about the sender. If not, guidance is provided on how to handle the message. 
  • Protect your web domain.  Consider hiring a firm that will notify you of web domains that have been registered to deceptively look like your own; cybercriminals can use lookalike domains in BEC attacks to trick your employees or business partners into diverting funds.
  • Data Mining.  Data mining abuse box/phishing reporting and using the intelligence gained to prevent future attacks.
  • Passwords.  
    - Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords.
    - Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts.
    - Regularly audit user passwords against common password lists, using free or commercial tools.
    - Provide pragmatic advice to users on how to choose good passwords.

Proper callback procedures

An appropriate process requires an employee, typically a payments staff member, to pick up the phone and validate new payment requests, requests to establish a new bank account, changes to payment instructions, and changes to contact information.
  • Callbacks should be made to the actual person making the request using a phone number retrieved from a system of record when setting up a new account, processing a request for payment, changing payment instructions, or changing contact information. Be wary of vendors who frequently change payment instructions. Fraudsters will sometimes provide several different accounts to victims during a BEC fraud attempt.  Confirm all of the account details, including the new account number.
  • Do not confirm payment instructions only via email. Always perform a call back using a phone number from a system of record to the person making the request.
  • If a callback is not currently a part of your company’s payment control process, try to implement one or escalate the issue to someone who can.
  • If you receive a call from your financial institution asking you to validate an unusual payment, take it seriously. It could be your last chance to stop a fraudulent payment before it’s too late. Double-check that your controls have been properly executed. Do not assume a callback has been performed.  Pay close attention to the information provided and reconfirm that your organization performed all applicable controls, including a callback. It is common to confirm payments as valid only to later report them as fraudulent.
  • Understand that once a payment has been released, there are no guarantees the funds will be recovered.
  • Keep your contact information up to date if your financial institution needs to reach you.
  • Do not trust payment instructions provided by a business partner. Always validate that whoever is providing the instructions has performed a separate validating callback to the actual requestor.

BEC Methods

  • Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.  The spoofed emails can be made to look like they are coming from anyone.  Scammers target employees with transactional authority (accounts payable, check signers, authorized individuals) or access to systems managing PII/W-2 data.  Emails often display a sense of urgency culminating in a request for money transfers, data, or gift cards.
  • Phishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.  Emails attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate or clicks on malicious attachments.  This is an attempt by attackers to solicit personal information, such as account usernames and passwords, these fraudulent websites may also contain malicious code.
  • Cloud-based email services.  Cybercriminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cybercriminal to target victims using cloud-based services. Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure the mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.  Using the information gathered from compromised accounts, cyber criminals impersonate email communications between compromised businesses and third parties, such as vendors or customers, to request pending or future payments are redirected to fraudulent bank accounts. Cybercriminals frequently access the address books of compromised accounts as a means to identify new targets to send phishing emails. As a result, a successful email account compromise at one business can pivot to multiple victims within an industry.

    While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled. Better protect yourself from BEC by taking advantage of the full spectrum of protections that are available.  Depending upon the provider, cloud-based email services may provide security features such as advanced phishing protection and multi-factor authentication that is either not enabled by default or are only available at additional cost.
  • Malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or sends messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.  This data is then used to avoid raising suspicions when a falsified wire transfer is submitted
  • The bogus invoice scheme.  A business in a long-standing relationship with a supplier is asked to wire funds for settling invoice payments to a fraudulent account. Emails sent to employees with transactional authority (accounts payable, check signers, authorized individuals).  Threat actors may also send a link to what appears to be an invoice. The link may transmit sensitive information to the attackers or download malware. Threat actors target businesses with established relationships with a vendor or supplier.  Leveraging fake invoices, threat actors request payment through social engineering to a financial account under their control.
  • CEO fraud.  The CEO’s email account is spoofed or hacked, and a request to urgently transfer funds is sent to the employee who is responsible for processing these requests, or, sometimes, directly to the bank. It relies on employees executing orders from the top management without question. It is usually carried out under specific circumstances, such as when the CEO is out of office.
  • Compromised employee’s email account.  An employee’s personal account - used both for personal and business communication - is hacked and exploited to send requests to a list of vendors identified from his or her business contact list asking for invoice payments to a fraudulent bank account. This scam is tricky to identify unless a vendor directly contacts the company about the payment.
  • Attorney impersonation.  The con artists pose as lawyers or representatives of a law firm. They contact either an employee or the CEO of the company via phone call or email and claim to possess confidential information. They then push the target to act quickly or secretly in transferring funds. The scam usually takes place at the end of business days or weeks, when people are more vulnerable and ready to act quickly.
  • Data theft.  An employee’s email account is hacked and used to send a request to another employee in human resources, asking not for money but for personally identifiable information (PII) or tax statements.
  • Gift card.  In a typical example, a victim receives a request from their management to purchase gift cards for a work-related function or as a present for a special personal occasion. The gift cards are then used to facilitate the purchase of goods and services which may or may not be legitimate.  Some of these incidents are combined with additional requests for wire transfer payments. Sectors including technology, real estate, legal, medical, distribution and supply, and religious organizations have been targeted by this scam.
  • Direct deposit: In this variant, the scammers pose as the victim and email a direct deposit change request to the finance or human resources department. This results in the employee's paycheck being redirected to an account controlled by the scammer.
  • Vendor account change request: This variant is similar to the Direct Deposit Variant, although the request spoofs a vendor and requests the State, local, tribal, and territorial governments (SLTT) government modifies the vendor’s payment account. The next payment to the vendor is then sent to the updated account number, which belongs to the scammer.
  • Vendor purchase order: In this scheme, the scammers obtain publicly available purchase order forms and change the contact details on the forms to include different telephone numbers and email addresses. Occasionally, scammers create copycat websites to authenticate the contact information included on fraudulent purchase orders. The scammers submit the purchase order to a vendor, have the goods shipped, and sell them for profit while the bill goes to the affected entity.
  • Financial theft: In this variant, the scammers pose as an employee or senior official and request the department immediately wires money for a special purpose. Occasionally, the spoofed email will not directly reference a wire transfer, but rather specified that "transactions" need to be "set up and processed."

E-Mail Account Compromise (EAC) Schemes

Unlike BEC, EAC schemes target individuals instead of businesses. Individuals who conduct large transactions through financial institutions, lending entities, real estate companies, and law firms are the most likely targets of this type of scheme. EAC schemes often take the following forms:
  • Lending/Brokerage Services: A criminal hacks into and uses the e-mail account of a financial services professional (such as a broker or accountant) to e-mail fraudulent instructions, allegedly on behalf of a client, to the client’s bank or brokerage, to wire-transfer client’s funds to an account controlled by the criminal.
  • Real Estate Services: A criminal compromises the e-mail account of a realtor or of an individual purchasing or selling real estate, for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternately, criminals hack into and use a realtor’s e-mail address to contact an escrow company, instructing it to redirect commission proceeds to an account controlled by the criminal.
  • Legal Services: A criminal compromises an attorney’s e-mail account to access client information and related transactions. The criminal then e-mails fraudulent transaction payment instructions to the attorney’s financial institution. Alternatively, the criminal may compromise a client’s e-mail account to request wire transfers from trust and escrow accounts the client’s attorney manages.

BEC and Cryptocurrency

A cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.

Currently, there are two known iterations of the BEC scam where cryptocurrency was utilized by criminals. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
  • A direct transfer to a cryptocurrency exchange (CE) - This scenario is where the fraudster alters wire transfer info and redirects payment to a cryptocurrency exchange (CE).
  • "Second Hop" transfer to a cryptocurrency exchange (CE) - Uses victims of other cyber-enabled scams such as Extortion, Tech Support, and Romance Scams. Often, these individuals provided copies of identifying documents such as driver's licenses, passports, etc., that are used to open cryptocurrency wallets in their names.  This scenario is where the fraudster opens a cryptocurrency wallet in another fraud victim's name.  The fraudster then alters a wire transfer in a BEC scam and sends the funds to the other victim's falsified cryptocurrency account and cashes out.  Making it hard to trace the movement of funds.

E-Mail Account Compromise (EAC) Schemes

BEC and EAC schemes are similar and, therefore, may exhibit similar suspicious behavior, which can be identified by one or more of the following red flags:
  • A customer’s seemingly legitimate e-mailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
  • Transaction instructions originate from an e-mail account closely resembling a known customer’s e-mail account; however, the e-mail address has been slightly altered by adding, changing, or deleting one or more characters. 
  • Multiple sets of wire instructions or change of wiring instructions provided. WIRE INSTRUCTIONS SHOULD NEVER CHANGE!
  • Poor grammar or odd use of terms / phrases used in the body of the email.
  • Sense of urgency – funds must be wired immediately.
  • Seller contacts Title Company via email, with payment instruction changes as opposed to the lender.
  • Recipient bank account doesn’t make sense.
    • Payee not a party to the transaction
    • Payee is law firm not involved in the transaction
    • Payee in an unrelated location (another state)
    • Beneficiary Bank is not a local bank
  • Email sent outside of normal business hours or using 24-hour clock (22:00 hrs. instead of 10:00pm).
  • Unexpected email with link to a document – likely a link with malware.
  • Sender’s email is similar to the legitimate email address. The changed email address could be often subtle (hover cursor over email address).
For example: 
  • Legitimate e-mail address - john-doe@abc.com
  • Fraudulent e-mail addresses - john_doe@abc.com, john-doe@bcd.com

Example of a Typical Business Email Compromise Case:

Customer initiates a $250,000 wire to Beneficiary Bank to a Lender. Proceeds are for a Mortgage Pay-off and are to be received by the Mortgage Lender. After a period of time, the Customer is contacted by the Lender, informing them of non-receipt of the loan payoff. Customer then contacts the Bank 30 days later, indicating that they believed they were a victim of a fraud and request a wire recall. The Beneficiary Bank could not honor the wire recall, because there were no longer funds in the Beneficiary Bank Account. The Customer incurs the loss of $250,000.

How the Scam was Executed: Prior to the closing, the Customer receives a Modified Closing Document (CD) via email from whom he thinks, is the Buyer/Borrower. The person(s) impersonating the Borrower indicates that the Lender was going to be sending via FAX a modified CD “as a result of a payoff error” (Red Flag). The Fraudster also claims the payoff amount would remain the same. The impersonator sends via email, the modified CD to the Customer. The wire is processed with the new instructions and sent to a bank account controlled by the Fraudster(s), per the fraudulent wire instructions. As mentioned, after 30 days, the Lender contacts the Customer to verify the status of the payoff. At this point it is determined that the updated instructions were not sent from the Borrower’s legitimate email, as it was spoofed by the Fraudster.

Account Take Overs can result from the compromise of account credentials and email accounts.

Case Scenario: Fraudster has obtained the account number and online banking log in credentials. They have also compromised the customer’s email account. They change the password on the account, with the verification code being sent to the email address on file. The fraudster has taken over the email account and can intercept bank authorization codes. Once the fraudster has access to the account, they can originate a payment (i.e., wire, ACH) and have the passcode sent to the email address on file. In some cases where dual control of wires is in place, the fraudster may steal the credentials of both employees.

How could this happen?
  • Shared credentials
  • Microsoft Outlook dual authentication disabled
  • Malware
  • Phishing
  • Dual Control is not really dual control (one person)
  • Lax security
There has been a recent move to go back to utilizing FAXING as a method of sharing and obtaining banking and wire information between Settlement Agents and Buyers/Sellers. Although using FAX technology may negate systemic hacking, remember that if email exchange was used in any part of the communication chain, using faxes to share banking information is open to cyber fraud.

Case Study

  • Prior to closing, Seller of property communicated via email with the Title/Settlement Company on obtaining their FAX number to provide Loan Payoff Information for their loan.
  • 2 weeks prior to the closing the Seller faxed the Pay Off Information they received from their Lender directly to the Settlement Company. Banking Information included the account title: Payoff Clearing Account
  • 2 Days prior to the Closing the Settlement Company received an updated FAX “From the Seller” which had a change to the pay Off Account Number and Information at the same Lender Bank: Payoff Toneberg Enterprise
  • Settlement Company used the banking information from the second FAX and wired $390,000.00 to the Lender Bank to “Pay Off” the Seller’s Mortgage.
  • Cyber Fraudsters compromised the Seller’s email account and followed the communication between the Settlement Company and The Seller. They gained access to the original payoff letter the Seller received from the Lender and created an exact duplicate of the original FAX. The second FAX made no reference of being an update.



Page Footer has no content