Don’t Fall Victim to the E-mail Compromise Scam
West African organized-crime rings have been targeting U.S. businesses with “business e-mail compromise” scams that are costing firms millions of dollars every year. Losses to businesses that are targeted by these scams hit an all-time high in the first quarter of 2018, with $685 million in losses reported by 4,081 victims. That’s more than the amount lost for all of 2017 in such scams: $675 million. The scammers send fake messages to businesses’ finance departments claiming to be a vendor for the company with an invoice requiring payment.
These criminals do research before targeting companies, meaning they go to company websites and look for the right people to send emails to. They may even pull annual reports and find what companies they do business with, and then spoof those accounts (meaning they impersonate other firms in the e-mails).
Some criminals will fake a CEO’s email account and e-mail that company’s finance office ordering payment to a certain account. In one case cited by Dow Jones Newswires, a real estate attorney received an email from the supposed sellers of a local property asking the lawyer to wire the proceeds of the sale to the criminals’ bank account. The lawyer wired $246,218.83 to the scammers.
The main scams
Money request via compromised CEO account
- A criminal compromises or spoofs the e-mail account of an executive, such as the CEO.
- The criminal sends a request for a wire transfer from the compromised account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the controller.
- The controller submits a wire payment request, as per instructions from his or her “boss.”
Invoice from supplier via spoofed email address
A fraudster compromises the email of a business user employed by their target company; for example, someone in accounts payable. This is how it’s done:
- The criminal monitors email of the business user, looking for vendor invoices.
- The criminal finds a legitimate invoice and modifies the beneficiary information, such as changing the routing number and account number to which payment is to be sent.
- The scammer then spoofs the vendor’s email to submit the modified invoice.
- Accounts payable, recognizing the vendor name and services provided, processes the invoice and submits a wire request for payment.
How to avoid getting burned
- Confirm an e-mailed monetary request purportedly from a company executive by creating a new e-mail and entering their known email address; don’t reply to the suspicious email as it will likely go to the criminal.
- The emails typically have a similar tone, urging secrecy and expedience. Set up your e-mail gateway to flag key words such as “payment,” “urgent,” “sensitive” or “secret.”
- Look for odd uses of the English language. Many of the scammers are based abroad.
- Although the late-stage e-mails used in these scams may not contain malware, malicious code is often used as part of an overall scheme to initially compromise an employee’s e-mail account. So, make sure you have an effective malware detection solution in place.
- Register all domains that are slightly different from the actual company domain.
- Scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
- Ask accounts payable staff to get to know the habits of your clients, including the details of, reasons for, and amounts of payments.
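An added example, not from the original article: a small Python checker that applies the gateway-style rules above (flagging keywords such as “payment,” “urgent,” “sensitive” and “secret,” and spotting lookalike domains), plus a Reply-To mismatch check for the “don’t reply to the suspicious email” advice, to a constructed spoofed-CEO message. The company domain, keyword list and sample addresses are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Trusted company domain and the wording the article suggests flagging (constructed values).
COMPANY_DOMAIN = "example.com"
FLAG_WORDS = {"payment", "urgent", "sensitive", "secret", "wire", "confidential"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain 1-2 edits from ours is a lookalike (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()  # '"J" <j@x.com>' -> 'x.com'

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 5322 message (empty list: none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    findings = []
    # Lookalike sender domain: close to, but not exactly, the real company domain.
    for dom in {from_dom, reply_dom}:
        if dom != COMPANY_DOMAIN and 0 < edit_distance(dom, COMPANY_DOMAIN) <= 2:
            findings.append(f"lookalike domain '{dom}' resembles {COMPANY_DOMAIN}")
    # Reply-To pointing elsewhere: hitting "reply" sends the answer to the criminal.
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # Urgency and secrecy wording in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = sorted(w for w in FLAG_WORDS if re.search(rf"\b{w}\b", text))
    if hits:
        findings.append("urgency/secrecy keywords: " + ", ".join(hits))
    return findings

# Constructed sample: a spoofed CEO request of the kind the article describes.
SAMPLE = """From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.test
Subject: Urgent wire payment - keep confidential

I need you to process a wire payment today. Keep this secret until it is done.
"""
```

Running `bec_indicators(SAMPLE)` reports the lookalike domain, the Reply-To mismatch and the flagged wording; a routine message from the real domain with no such wording returns an empty list.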
Whether you’re looking to protect your family, home or business, we have the experience you’re looking for.