Email compromise fraud schemes

Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Recommendations and Mitigations

Non-Technical Mitigations 

Social engineering safety
  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Be careful what you post to business networking sites like LinkedIn and your company website, especially information about who has which specific job duties. 
Training and awareness
  • Alerts for employees and customers regarding phishing scams targeting specific organizations or interest groups.
  • Reminders of policies in place such as account changes.
  • General information on phishing tactics posted to organization web site or emails.
  • Establish an employee testing program with phishing and BEC attempts that appear to come from your senior leaders and trusted business partners.
Establish out-of-band communication  
  • Use a form of communication other than email, such as a telephone call, to verify transactions over a particular dollar amount, and set up this verification process early in the business relationship. Do not use email to set up the verification process.
Standardize validation for payments and account changes
  • Establish with your customers and business partners how changes in account information will be communicated and validated.  Also confirm how you expect them to validate changes to your banking information.
Confirm significant or out-of-pattern changes
  • Beware of sudden changes in business practices. For example, if a vendor suddenly asks to be contacted at a personal email address when all previous official correspondence has been on a company email, verify via other channels that you are still communicating with your legitimate business partner.
  • Be especially wary if the requestor is pressing you to act quickly.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
  • Watch for suspicious requests, such as a change in a vendor’s payment location.
  • Follow controls for the validation of new or revised payment information.
  • Escalate any concerns if a payment seems suspicious - even after performing a callback.
  • Be very suspicious if a vendor offers vague reasons for changes to a new account, such as tax audits or current events, e.g., "Due to COVID-19, we need to update our payment information…"
Create a social media policy
  • Construct, implement and enforce a social media policy that prohibits sharing details about company roles and responsibilities, so cybercriminals cannot develop a picture of your corporate structure, including addresses to target your employees.
Email
  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing).  Look up the number from an external source when calling and call the company to ask if the request is legitimate.
  • Check the "rules" setting on your account periodically to ensure that no one has set up auto-forwarding for your e-mails.
  • Email forwarding vs email reply. Instead of hitting reply on important emails, use the forward option and either type in the correct email address or select it from your email address book to ensure you’re using the real email address.
  • Be cautious about using out-of-office replies that give too much detail about when your executives are out of the mix.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
  • Avoid clicking on links or attachments from unknown senders. Doing so could download malware onto your company’s computers, making you vulnerable to a hack.

Technical Mitigations

  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it. TFA/MFA aims to protect users if authentication credentials have been captured: because the token changes, captured credentials alone are of limited use to an attacker.
  • Avoid free web-based e-mail accounts. Establish a company domain name and use it to create formal e-mail addresses for your employees.
  • Label external emails to help prevent the impersonation of employees.  
  • Ensure emails originating from outside the organization are automatically marked before they reach the recipient.
  • Prohibit automatic forwarding of email to external addresses, and detect inbox forwarding rules that send all or selected emails to an external email address.
  • Add an email banner to messages coming from outside your organization. This is a simple way to highlight that extra scrutiny is needed for external emails. It can also help identify when an adversary creates a fraudulent domain that looks similar to a legitimate HPH domain.
  • Prohibit legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity, such as foreign logins.
  • Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.
  • Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email.
  • Disable legacy account authentication.
  • Develop and maintain a policy on suspicious e-mails for end users; ensure suspicious e-mails are reported.
  • Apply patches/updates immediately after release and testing; develop and maintain a patching program if necessary.
  • Implement an Intrusion Detection System (IDS); keep signatures and rules updated.
  • Implement spam filters at the email gateways; keep signatures and rules updated.
  • Block suspicious IP addresses at the firewall; keep firewall rules updated.
  • Implement whitelisting technology to ensure that only authorized software is allowed to execute.
  • Implement access control based on the principle of least privilege.
  • Implement and maintain an anti-malware solution.
  • Conduct system hardening to ensure proper configurations. 
  • Disable the use of SMBv1 (and all other vulnerable services and protocols) and require at least SMBv2.
  • Domain-based Message Authentication Reporting and Conformance (DMARC).  The DMARC protocol enables domain owners to specify which authentication method is used when sending emails. DMARC helps email receivers determine if the purported message "aligns" with what the receiver knows about the sender. If not, guidance is provided on how to handle the message. 
  • Protect your web domain.  Consider hiring a firm that will notify you of web domains that have been registered to deceptively look like your own; cybercriminals can use lookalike domains in BEC attacks to trick your employees or business partners into diverting funds.
  • Data mining.  Mine the abuse mailbox and phishing reports, and use the intelligence gained to prevent future attacks.
  • Passwords.  
    - Review password policies to ensure they align with the latest NIST guidelines, and deter the use of easy-to-guess passwords.
    - Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts.
    - Regularly audit user passwords against common password lists, using free or commercial tools.
    - Provide pragmatic advice to users on how to choose good passwords.
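The forwarding-rule check called for in the technical mitigations above, written here as an added example (not code from the original page or from any mail provider): it audits a mailbox-rule export for forwarding to external addresses and for rules that delete or hide finance-related mail. The rule schema, the internal domain and the sample rules are all constructed for this example.

```python
"""Audit mailbox rules for two BEC patterns: auto-forwarding to external
addresses, and rules that silently delete or hide finance-related mail.
The Rule schema is a constructed, provider-neutral shape for this example;
map a real rule export onto it before use."""
from dataclasses import dataclass, field

# Assumed: the organization's own mail domains. Anything else counts as external.
INTERNAL_DOMAINS = {"examplecompany.com"}
# Subject words that typically mark the messages a BEC actor wants to hide.
FINANCE_KEYWORDS = ("invoice", "wire", "payment", "bank", "remittance")
# Folders where mail is parked so the mailbox owner is unlikely to notice it.
HIDING_FOLDERS = {"deleted items", "junk", "archive", "rss feeds", "conversation history"}


@dataclass
class Rule:
    name: str
    mailbox: str
    conditions: dict = field(default_factory=dict)  # {"subject_contains": [...]} or {} for all mail
    actions: dict = field(default_factory=dict)     # {"forward_to": [...], "delete": True, "move_to": "..."}


def is_external(address: str) -> bool:
    """True if the address's domain is not one of ours."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in INTERNAL_DOMAINS


def audit_rule(rule: Rule) -> list:
    """Return the findings for one rule; an empty list means nothing was flagged."""
    findings = []
    targets = rule.actions.get("forward_to", []) + rule.actions.get("redirect_to", [])
    external = [t for t in targets if is_external(t)]
    if external:
        scope = "all mail" if not rule.conditions else "matching mail"
        findings.append(f"forwards {scope} to external address(es): {', '.join(external)}")

    subjects = [s.lower() for s in rule.conditions.get("subject_contains", [])]
    finance_match = any(k in s for s in subjects for k in FINANCE_KEYWORDS)
    hides = bool(rule.actions.get("delete")) or rule.actions.get("move_to", "").lower() in HIDING_FOLDERS
    if hides and finance_match:
        findings.append("deletes or hides finance-related mail")
    if hides and not rule.conditions:
        findings.append("deletes or hides all incoming mail")
    return findings


def audit_mailbox_rules(rules: list) -> dict:
    """Map '<mailbox>/<rule name>' to its findings, keeping only flagged rules."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule.mailbox}/{rule.name}"] = findings
    return report


# Constructed sample export: two benign rules and two that match BEC tradecraft.
SAMPLE_RULES = [
    Rule("Newsletters", "ap@examplecompany.com",
         {"subject_contains": ["newsletter"]}, {"move_to": "Reading"}),
    Rule("Backup", "ap@examplecompany.com",
         {}, {"forward_to": ["ap.backup@freemail-example.net"]}),
    Rule("Invoices", "ap@examplecompany.com",
         {"subject_contains": ["invoice", "wire transfer"]}, {"delete": True}),
    Rule("Team copy", "ap@examplecompany.com",
         {"subject_contains": ["ticket"]}, {"forward_to": ["helpdesk@examplecompany.com"]}),
]

if __name__ == "__main__":
    for rule_id, findings in audit_mailbox_rules(SAMPLE_RULES).items():
        print(rule_id)
        for finding in findings:
            print("  -", finding)
```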

Proper callback procedures

An appropriate process requires an employee, typically a payments staff member, to pick up the phone and validate new payment requests, requests to establish a new bank account, changes to payment instructions and changes to contact information.
  • Callbacks should be made to the actual person making the request using a phone number retrieved from a system of record when setting up a new account, processing a request for payment, changing payment instructions or changing contact information. Be wary of vendors who frequently change payment instructions. Fraudsters will sometimes provide several different accounts to victims during a BEC fraud attempt.  Confirm all of the account details, including the new account number.
  • Do not confirm payment instructions only via email. Always perform a call back using a phone number from a system of record to the person making the request.
  • If a callback is not currently a part of your company’s payment control process, try to implement one or escalate the issue to someone who can.
  • If you receive a call from your financial institution asking you to validate an unusual payment, take it seriously. It could be your last chance to stop a fraudulent payment before it’s too late. Double check that your controls have been properly executed. Do not assume a callback has been performed.  Pay close attention to the information provided and reconfirm that your organization performed all applicable controls, including a callback. It is common to confirm payments as valid only to later report them as fraudulent.
  • Understand that once a payment has been released, there are no guarantees the funds will be recovered.
  • Keep your contact information up to date if your financial institution needs to reach you.
  • Do not trust payment instructions relayed by a business partner. Always validate that whoever is providing the instructions has performed a separate validating callback to the actual requestor.

BEC Methods

  • Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.  The spoofed emails can be made to look like they are coming from anyone.  Scammers target employees with transactional authority (accounts payable, check signers, authorized individuals) or access to systems managing PII/W-2 data.  Emails often display a sense of urgency culminating in a request for money transfers, data, or gift cards.
  • Phishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.  Emails attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate, or to open malicious attachments.  This is an attempt by attackers to solicit personal information, such as account usernames and passwords; these fraudulent websites may also contain malicious code.
  • Cloud-based email services.  Cyber criminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cyber criminal to target victims using cloud-based services. Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.  Using the information gathered from compromised accounts, cyber criminals impersonate email communications between compromised businesses and third parties, such as vendors or customers, to request pending or future payments be redirected to fraudulent bank accounts. Cyber criminals frequently access the address books of compromised accounts as a means to identify new targets to send phishing emails. As a result, a successful email account compromise at one business can pivot to multiple victims within an industry.

    While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled. Better protect yourself from BEC by taking advantage of the full spectrum of protections that are available.  Depending upon the provider, cloud-based email services may provide security features such as advanced phishing protection and multi-factor authentication that are either not enabled by default or are only available at additional cost.
  • Malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.  This data is then used to avoid raising suspicions when a falsified wire transfer is submitted.
  • The bogus invoice scheme.  A business in a long-standing relationship with a supplier is asked to wire funds for settling invoice payments to a fraudulent account. Emails are sent to employees with transactional authority (accounts payable, check signers, authorized individuals).  Threat actors may also send a link to what appears to be an invoice; the link may transmit sensitive information to the attackers or download malware. Threat actors target businesses with established relationships with a vendor or supplier.  Leveraging fake invoices, threat actors use social engineering to request payment to a financial account under their control.
  • CEO fraud.  The CEO’s email account is spoofed or hacked, and a request to urgently transfer funds is sent to the employee who is responsible for processing these requests, or, sometimes, directly to the bank. It relies on employees executing orders from the top management without question. It is usually carried out under specific circumstances, such as when the CEO is out of office.
  • Compromised employee’s email account.  An employee’s personal account - used both for personal and business communication - is hacked and exploited to send requests to a list of vendors identified from his or her business contact list asking for invoice payments to a fraudulent bank account. This scam is tricky to identify unless a vendor directly contacts the company about the payment.
  • Attorney impersonation.  The con artists pose as a lawyer or a representative of a law firm. They contact either an employee or the CEO of the company via phone call or email, and claim to possess confidential information. They then push the target to act quickly or secretly in transferring funds. The scam usually takes place at the end of business days or weeks, when people are more vulnerable and ready to act quickly.
  • Data theft.  An employee’s email account is hacked and used to send a request to another employee in human resources, asking not for money but for personally identifiable information (PII) or tax statements.
  • Gift card.  In a typical example, a victim receives a request from their management to purchase gift cards for a work related function or as a present for a special personal occasion. The gift cards are then used to facilitate the purchase of goods and services which may or may not be legitimate.  Some of these incidents are combined with additional requests for wire transfer payments. Sectors including technology, real estate, legal, medical, distribution and supply, and religious organizations have been targeted by this scam.

What to look for in an email:

  • Suspicious email address of sender.  Email address of sender(s) can mimic legitimate businesses. Threat actors often leverage email addresses that resemble reputable organizations, but alter or omit a few letters and numbers.
  • Generic greetings and signatures.  Lack of contact information in an email signature block, or generic greetings such as "Sir/Ma’am" or "Dear Valued Customer" are strong indicators of a phishing email.
  • Misspelling and layout.  Odd sentence structure, misspellings, poor grammar, and inconsistent formatting are strong indicators of a potential phishing attempt.
  • Spoofed websites and hyperlinks.  When hovering a cursor over links in the body of an email, if the displayed text and the actual link do not match, the link may be spoofed. Malicious variations on legitimate domains leverage different spellings or top-level domains, such as .net vs .com. Other tactics include usage of URL shortening services to conceal the true destination of links.
  • Suspicious attachments.  Unsolicited emails which request users to open or download attachments are common delivery mechanisms for malware.

Common Indicators (Red Flags):

  • E-mailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
  • E-mailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
  • E-mailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
  • E-mailed transaction instructions include markings, assertions, or language designating the transaction request as "Urgent," "Secret," or "Confidential."
  • E-mailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
  • E-mailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
  • A customer’s employee or representative e-mails financial institution transaction instructions on behalf of the customer that are based exclusively on e-mail communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
  • A customer e-mails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
  • A wire transfer is received for credit into an account; however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor, while thinking the new account belongs to the known supplier/vendor, as described in the above BEC Scenario 3. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of e-mail-compromise fraud.
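Several of the red flags above are account-level checks a payments team or financial institution can run against prior payments. This added example (not from the original page) scores an e-mailed payment instruction against four of them: a known beneficiary with a new account, a new beneficiary at a historically large amount, urgency markings, and a follow-on request right after a first-time payment to a new account. The payment history and the request records are constructed; the follow-on window and the "similar amount" ratio are assumptions to tune.

```python
"""Score an e-mailed payment instruction against the account-level BEC red flags,
using the customer's prior payments. Constructed data; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

URGENCY_MARKERS = ("urgent", "secret", "confidential")
SIMILAR_AMOUNT_RATIO = 0.8            # assumed: "similar to" = at least 80% of the largest prior payment
FOLLOW_ON_WINDOW = timedelta(days=3)  # assumed: a repeat request within 3 days of a first-time payment


@dataclass
class Payment:
    when: datetime
    beneficiary: str        # payee named in the instructions
    account: str            # destination account identifier
    amount: float
    instructions: str = ""  # free text of the e-mailed request


def first_use(history: List[Payment], account: str) -> Optional[datetime]:
    """Earliest payment date to this account, or None if it was never paid."""
    uses = [p.when for p in history if p.account == account]
    return min(uses) if uses else None


def red_flags(request: Payment, history: List[Payment]) -> List[str]:
    """Red flags raised by one request against prior payments (empty list = none)."""
    flags = []
    prior = [p for p in history if p.beneficiary == request.beneficiary]

    # Known beneficiary, but the account differs from every account paid before.
    if prior and request.account not in {p.account for p in prior}:
        flags.append("known beneficiary with new account information")

    # No history with this payee, and the amount rivals the largest payment ever sent.
    if not prior and history:
        if request.amount >= SIMILAR_AMOUNT_RATIO * max(p.amount for p in history):
            flags.append("no payment history with beneficiary; amount at or above historical payments")

    # Instructions marked urgent, secret or confidential.
    hits = [m for m in URGENCY_MARKERS if m in request.instructions.lower()]
    if hits:
        flags.append("instructions marked " + ", ".join(hits))

    # Another payment requested right after the first-ever payment to this account.
    for p in history:
        if (p.account == request.account and first_use(history, p.account) == p.when
                and timedelta(0) <= request.when - p.when <= FOLLOW_ON_WINDOW):
            flags.append("follow-on request shortly after first payment to a new account")
            break
    return flags


# Constructed history: two routine supplier payments and one small one-off.
HISTORY = [
    Payment(datetime(2024, 1, 10), "Acme Supplies", "ACC-1001", 12000.0),
    Payment(datetime(2024, 2, 10), "Acme Supplies", "ACC-1001", 11500.0),
    Payment(datetime(2024, 3, 1), "Desk Co", "ACC-2002", 800.0),
]
# Constructed requests: a diverted supplier payment, a routine payment, a new payee,
# and a follow-on to an account first paid two days earlier.
DIVERTED = Payment(datetime(2024, 3, 12), "Acme Supplies", "ACC-9999", 11800.0,
                   "URGENT: please remit to our updated account")
ROUTINE = Payment(datetime(2024, 3, 12), "Desk Co", "ACC-2002", 800.0)
NEW_PAYEE = Payment(datetime(2024, 3, 13), "Globex Ltd", "ACC-5555", 15000.0,
                    "Confidential acquisition deposit")
FOLLOW_ON = Payment(datetime(2024, 3, 14), "Acme Supplies", "ACC-9999", 6000.0)
HISTORY_AFTER_DIVERSION = HISTORY + [DIVERTED]

if __name__ == "__main__":
    for name, req, hist in [("diverted", DIVERTED, HISTORY), ("routine", ROUTINE, HISTORY),
                            ("new payee", NEW_PAYEE, HISTORY),
                            ("follow-on", FOLLOW_ON, HISTORY_AFTER_DIVERSION)]:
        print(name, "->", red_flags(req, hist) or ["no flags"])
```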

Develop a BEC Response Plan

The sooner you report a BEC attack, the better your chances of recovering losses. Be sure to have a plan in place to immediately notify your financial institution of the fraud. For international wire transfers over $50,000, call your regional FBI office (https://www.fbi.gov/contact-us/field-offices) and local police.  The FBI offers a Financial Fraud Kill Chain (FFKC) process to help recover large international wire transfers stolen from the United States.  The FFKC is intended to be utilized as another potential avenue for U.S. financial institutions to get victim funds returned. Any wire transfers that occur outside of these thresholds should still be reported to law enforcement (http://www.ic3.gov/) but the FFKC cannot be utilized to return the fraudulent funds.  The plan should also include quickly engaging your IT and information security staff to determine if there has been a network or email compromise.

E-Mail Account Compromise (EAC) Schemes

Unlike BEC, EAC schemes target individuals instead of businesses. Individuals who conduct large transactions through financial institutions, lending entities, real estate companies, and law firms are the most likely targets of this type of scheme. EAC schemes often take the following forms:
  • Lending/Brokerage Services: A criminal hacks into and uses the e-mail account of a financial services professional (such as a broker or accountant) to e-mail fraudulent instructions, allegedly on behalf of a client, to the client’s bank or brokerage, to wire-transfer client’s funds to an account controlled by the criminal.
  • Real Estate Services: A criminal compromises the e-mail account of a realtor or of an individual purchasing or selling real estate, for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternately, a criminal hacks into and uses a realtor’s e-mail address to contact an escrow company, instructing it to redirect commission proceeds to an account controlled by the criminal.
  • Legal Services: A criminal compromises an attorney’s e-mail account to access client information and related transactions. The criminal then e-mails fraudulent transaction payment instructions to the attorney’s financial institution. Alternatively, the criminal may compromise a client’s e-mail account to request wire transfers from trust and escrow accounts the client’s attorney manages.

Shared BEC and EAC Red Flags

BEC and EAC schemes are similar and, therefore, may exhibit similar suspicious behavior, which can be identified by one or more of the following red flags:
  • A customer’s seemingly legitimate e-mailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
  • Transaction instructions originate from an e-mail account closely resembling a known customer’s e-mail account; however, the e-mail address has been slightly altered by adding, changing, or deleting one or more characters. 
For example: 
  • Legitimate e-mail address - john-doe@abc.com
  • Fraudulent e-mail addresses - john_doe@abc.com, john-doe@bcd.com
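The slightly altered addresses shown above, plus the .net-for-.com swap and the john.kelly/john.kelley variant from the BEC Methods section, are the kind of near-miss a sender check can catch before a message reaches a payments inbox. The following is an added example, not code from the original page: it treats separator changes and look-alike digits as equivalent, then measures edit distance against a known-contact list. The contact list is constructed, and the distance thresholds are assumptions to tune against your own address book.

```python
"""Flag sender addresses that are near-misses of a known contact (john-doe@abc.com
vs john_doe@abc.com, john-doe@bcd.com, or a .net swapped for .com). Constructed
contact list; the thresholds are assumptions."""

# Digit/letter substitutions used for visually similar names (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})
SEPARATORS = "._-"   # john-doe, john_doe and john.doe are treated as the same name


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(address: str) -> tuple:
    """Split into (local part, domain without TLD, TLD) with confusables folded."""
    local, _, domain = address.strip().lower().partition("@")
    local = local.translate(CONFUSABLES).replace("rn", "m")
    local = "".join(c for c in local if c not in SEPARATORS)
    domain = domain.translate(CONFUSABLES).replace("rn", "m")
    label, _, tld = domain.rpartition(".")
    return local, label, tld


def address_distance(sender: str, contact: str) -> tuple:
    """(local-part distance, domain distance); a TLD swap such as .com/.net counts as 1."""
    s_local, s_label, s_tld = normalize(sender)
    c_local, c_label, c_tld = normalize(contact)
    domain_dist = levenshtein(s_label, c_label) + (s_tld != c_tld)
    return levenshtein(s_local, c_local), domain_dist


def classify(sender: str, contacts: list, max_local: int = 1, max_domain: int = 2) -> tuple:
    """Return ("known", contact), ("lookalike", closest contact) or ("unknown", None)."""
    best = None
    for contact in contacts:
        if sender.strip().lower() == contact.lower():
            return "known", contact
        local_d, domain_d = address_distance(sender, contact)
        if local_d <= max_local and domain_d <= max_domain:
            if best is None or local_d + domain_d < best[0]:
                best = (local_d + domain_d, contact)
    return ("lookalike", best[1]) if best else ("unknown", None)


# Constructed address book for the example.
KNOWN_CONTACTS = ["john-doe@abc.com", "john.kelly@examplecompany.com"]

if __name__ == "__main__":
    for sender in ["john-doe@abc.com", "john_doe@abc.com", "john-doe@bcd.com",
                   "john.kelley@examplecompany.com", "j0hn.kelly@examplecompany.net",
                   "support@unrelated-vendor.example"]:
        print(f"{sender:40} -> {classify(sender, KNOWN_CONTACTS)}")
```

A "lookalike" verdict is a prompt for the out-of-band callback described earlier, not proof of fraud; a contact who genuinely changed domains will trip it too.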

eFraud Prevention™, LLC