The FBI announced this week that federal authorities—including the Department of Justice and the FBI—coordinated a major law enforcement push to disrupt international business email compromise (BEC) schemes that intercept and hijack wire transfers from businesses and individuals.
The sting, called Operation WireWire, also included the Department of Homeland Security, Department of the Treasury, and the U.S. Postal Inspection Service. The six-month effort concluded with two weeks of intensive law enforcement activity resulting in 74 arrests in the U.S. and overseas, including 42 in the U.S., 29 in Nigeria, and three in Canada, Mauritius and Poland, the FBI reported.
Law enforcement officials also seized nearly $2.4 million and recovered about $14 million in fraudulent wire transfers. While that is a relatively small amount of the $5,302,890,448 lost in domestic and international schemes between October 2013 and December 2016, according to an Internet Crime Complaint Center (IC3) public service announcement, Operation WireWire shut down scams involving international criminal organizations that defrauded small- to large-sized businesses; other scams involved individual victims who transferred high-dollar amounts or highly sensitive records.
The devastating financial losses to victims and victim companies affect not only the individual business and victim but also the global economy, the FBI said.
Business email compromise defined
According to the FBI, business email compromise is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments, and includes its variant, email account compromise (EAC).
The techniques used in the BEC/EAC scam have become increasingly similar, catching the attention of the IC3, which began tracking these scams as a single crime type in 2017. A scam is conducted when a fraudster compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices. The scam has expanded to include requests for personally identifiable information (PII) or Wage and Tax Statement (W-2) forms for employees, and may not always be associated with a request for transfer of funds, the FBI reported.
The FBI said it is unknown how victims are selected; however, they do know that scammers study their victims using social engineering techniques prior to initiating a BEC scam. The scammers are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive phishing emails requesting additional details regarding the business or individuals being targeted, such as names, travel dates and more.
Other individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately prior to a BEC incident. These intrusions can initially be enabled through a phishing scam in which a victim receives an email from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing criminals easy access to the victim’s data, including passwords or financial account information, the FBI said.
The FBI said the BEC/EAC scam is not directed only at businesses; other forms of fraud linked to BEC/EAC schemes include romance, lottery, employment and rental scams. The victims of these scams are usually U.S.-based and may be recruited as unwitting money mules. The mules receive fraudulent funds in their personal accounts and are then directed by a scammer to quickly transfer the funds to another bank account, usually outside the U.S. Mules may then, upon direction, open bank accounts and/or shell corporations to further the fraud scheme.
Based on financial data, Asian banks located in China and Hong Kong remain the primary destinations of fraudulent funds; however, financial institutions in the United Kingdom have also been identified as frequent destinations, according to the IC3.
These scams continue to grow. Between January 2015 and December 2016, there was a 2,370 percent increase in identified losses. Scams have been reported in all 50 states and in 131 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to 103 countries, the IC3 reported.
The FBI offers these self-protection strategies:
- Avoid free web-based email accounts; instead, establish a company domain name and use it to establish company email accounts.
- Be careful what you post to social media and company websites, especially job duties and descriptions, leadership and financial positions, and out-of-office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures, including the implementation of a two-step verification process. For example:
  - Establish out-of-band communication, such as telephone calls, to verify significant transactions. Arrange two-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker.
  - Use digital signatures — both parties of a transaction should utilize digital signatures. Security note: This will not work with web-based email accounts. Also be aware that some countries ban or limit the use of encryption.
- Immediately report and delete unsolicited email from unknown parties. Do not open spam email, click on links in the email, or open attachments. These often contain malware that will give hackers access to your computer system.
- Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and either type in the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
- Consider implementing two-factor authentication for corporate email accounts. Two-factor authentication mitigates the threat of a hacker gaining access to an employee’s email account through a compromised password by requiring two pieces of information to log in: (1) something you know (a password) and (2) something you have (such as a dynamic PIN or code).
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been through company email, the request could be fraudulent. Always verify via other channels that you are still communicating with a legitimate business partner.
- Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, a detection system for legitimate email of abc_company.com would flag fraudulent email from abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers — not the numbers provided in an email request.
- Know the financial habits of your customers.
- Carefully scrutinize all email requests for transfers of funds to determine if the requests are out of the ordinary.
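
The look-alike domain rule from the list above can be sketched as follows. This is an added example, not FBI or IC3 code. It checks both From and Reply-To, and the fold table, the distance threshold and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"  # the article's example domain, kept as written
# Assumed, non-exhaustive folds: drop separators, map look-alike digits to letters.
FOLDS = str.maketrans({"-": None, "_": None, "0": "o", "1": "l"})

def skeleton(domain):
    return domain.lower().replace("rn", "m").translate(FOLDS)

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, legit=COMPANY_DOMAIN, max_dist=1):
    """Return 'legitimate', 'lookalike' or 'other' for a sender domain."""
    domain = domain.lower()
    if domain == legit:
        return "legitimate"
    if edit_distance(skeleton(domain), skeleton(legit)) <= max_dist:
        return "lookalike"
    return "other"

def flag_message(raw):
    """List (header, domain) pairs in From/Reply-To that imitate the company domain."""
    msg = message_from_string(raw)
    hits = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        domain = addr.rpartition("@")[2]
        if domain and classify(domain) == "lookalike":
            hits.append((header, domain.lower()))
    return hits

# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: Billing <billing@abc_company.com>\nSubject: Invoice\n\nhi",
    "From: Billing <billing@abc-company.com>\nSubject: New bank details\n\nhi",
    "From: Billing <billing@abc_company.com>\nReply-To: billing@abc_c0mpany.com\n\nhi",
    "From: News <news@example.org>\nSubject: Digest\n\nhi",
]

if __name__ == "__main__":
    print([flag_message(raw) for raw in SAMPLES])
```

The third sample shows why Reply-To is checked as well: the From address is genuine, but a reply would go to the imitation domain.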
If you are a victim
If funds are transferred to a fraudulent account, the FBI advises that you act quickly:
- Contact your financial institution immediately upon discovering the fraudulent transfer.
- Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local FBI office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
- File a complaint, regardless of dollar loss, with www.ic3.gov or, for BEC/EAC victims, bec.ic3.gov.