The Next Cybersecurity Threat: Your Email Inbox

As damaging as BEC scams are for businesses, EAC scams are hurting individuals at an alarming rate. These scams follow a similar workflow to BEC scams, targeting individuals usually associated with financial institutions, law firms and real estate companies. They also look for victims who are in the midst of a large purchase, such as a home, where they have to wire funds for closing.

Criminals executing EAC scams generally use two different techniques: account compromise and email spoofing. With account compromise, they hack into a victim’s account and monitor emails for invoices or payment information. Email spoofing requires the criminals to create a fake email address that mimicks the actual address, often replacing “O” with “0” or “_” instead of “-“.

After successfully scanning the victim’s inbox for payment information, the attacker updates the payment information with their account information and resends the email, making it seem legitimate. The criminal might infect an employee’s email account at a title company with malware and send incorrect wiring instructions to an excited home buyer. Or the attacker might spoof the title company’s email and send incorrect wiring instructions to the would-be buyer.

Other examples of EAC scams target consumers with legal, brokerage or lending services pending.

What can a financial institution do to help its customers?

There are many ways institutions can prevent or detect BEC and EAC scams to better protect themselves and their customers. Institutions need to implement greater communication and collaboration between their internal AML, fraud prevention and cybersecurity units. Many times, these groups are separately investigating the same criminals and are unaware of each other’s work.

Additionally, financial institutions can hold requests for international wire transfers for an additional period of time to verify the legitimacy of the request. A simple phone call to validate the transfer can save both the institution and the customer time and money.

Other methods of combatting this fraud include two factor authentication with accounts attempting transfers, a solid fraud detection solution, and educating businesses and consumers on the risks of these scams. Employees should be well-versed on the red flags so they can stop fraudulent transfers.

Education programs help businesses understand that they can reduce their risk of BEC/EAC scams if they:

• Avoid free web-based email accounts
• Are cautious with what is posted on company and personal social media sites and company websites, especially job duties/descriptions, hierarchal information, and out of office details
• Are suspicious of requests for secrecy or pressure to act quickly
• Create intrusion detection system rules that flag emails with similar extensions
• Register all company domains that are slightly different, including replacing letters with numbers (0 instead of O)
• Verify changes in vendor payment location
• Confirm requests for transfers of funds
• Scrutinize all email requests
• Install anti-virus or malware software

Financial institutions can also use basic KYC principals to protect their customers from these scams. Be aware of a customer’s typical wire transfer activity and verify any deviations.

Resources

FinCEN and the FBI have put out several advisories on BEC and EAC scams. The FBI’s May 4, 2017, Alert Number I-050417-PSA and FinCEN’s FIN-2016-A003 documents are good resources for financial institutions to review. In cases that result in a SAR filing, financial institutions should reference Advisory FIN-2016-A003 and include key terms such as BEC Fraud when a business is the victim and EAC Fraud when an individual is the victim.

Through education and awareness, both businesses and financial instutions can better protect themselves, their employees and their customers from these dibiltating scams.

John Meyer is the Chief Product Officer at Banker’s Toolbox, and has 15+ years of experience in the banking and technology industry. He has managed teams that provided teller, new account, internet banking, and BSA/CIP solutions for over 2,000 financial institutions. Meyer also led the design of a fraud detection engine built to safeguard over a million internet-banking users daily. Working with Banker’s Toolbox, he oversees the development of the risk management product suite, including BAM+, which helps financial institutions stop these types of malicious attacks.a by utilizing sophisticated detection algorithms that flag unusual wire, ACH, debit, and check activity to help you protect your customers. For more information visit, www2.bankerstoolbox.com/ilbankers.

$5,300,000,000,000… That’s how much cyber criminals have siphoned from businesses and consumers worldwide through business email compromise (BEC) and email account compromise (EAC) scams since 2013, according to the Internet Crime Complaint Center (IC3). The FBI noted that these scams have increased 136% worldwide from December 2016 to May 2018. 

BEC and EAC scams are very similar in how they attack their victims, causing companies to pay more attention to their cybersecurity. The biggest difference is that BEC scams target companies, while EAC scams are directed at victim’s personal accounts. Regardlesss, both are equally threatening to financial cybersecurity.

How Do These Scams Work? 

There are three basic stages to a BEC/EAC scam:

• Stage 1 – Compromising victim information and email accounts
• Stage 2 – Transmitting fraudulent transaction instructions
• Stage 3 – Executing unauthorized transactions

Stage 1 – BEC/EAC scams can be completed through a simple email exchange with a fraudulent look-alike email or with a more advanced email phishing scheme. Through social engineering or malware, fraudsters attempt to compromise a legitimate business e-mail account. If they cannot compromise an email, the scammer spoofs a valid email address by inserting a character such as a “0” (zero) in place of an “O” (capital letter O), making the fake email look realistic. 

Social engineering is the use of deception to manipulate individuals into giving out personal or confidential information, either in-person or through digital channels. The fraudsters monitor and study their selected victims prior to initiating the scam. This can be everything from diving deep into the victim’s social media accounts or physically infiltrating a business to gain information. The growth of the internet and social media has made social engineering significantly easier and less time consuming.

Now, instead of visiting a physical location, the scammers can get most of the needed information through a simple web search. According to the IC3, “The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).”

In other instances, victims of the BEC scam report being targeted by ransomware cyber intrusions immediately preceding a BEC incident, usually through a more complex phishing scam. A victim receives an e-mail from a seemingly legitimate source, such as a coworker, friend or vendor, that contains a link. When the victim clicks the link, they unknowingly download malware, which gives the criminals access to confidential or secure internal information. These malware programs allow the attacker to infiltrate the company’s email system or victim’s email account and learn their normal procedures for money transfer by reading through sent items folders.

Stage 2 – Once the criminals have the information they need, they send the payment information. Since wires are a quick international transfer vehicle, most BEC/EAC scams request wire transfers. According to the 2017 AFP Payments Fraud and Control Survey, checks are the second-most requested payment vehicle. ACH credits and corporate/commercial credit/debit cards are tied as the third-most frequent payment vehicle. 

Stage 3 - Often, the victim is asked to keep the transfer confidential and there is an element of urgency associated with the payment or transaction. Criminals are taking these scams one step further now, often calling the victim to follow up on the wire request, giving the transaction more preceieved legitimacy.

More advanced crime rings behind these scams regularly use “money mules” to move the transferred funds, making it harder for financial institutions to detect. Sometimes, the scam victims themselves are recruited as innocent money mules. Fraudsters also recruit mules from “work from home” postings or romance scemes. The mules receive the fraudulent funds in their personal accounts and are then directed by the fraudster to quickly transfer the funds to another financial institution account, usually outside the U.S. Most payments end up in Asian financial institutions with China and Hong Kong leading the way. The IC3 reported, however, that 113 other countries have also been recipients of these transfers.

So what’s the difference? 

BEC scams target a business that regularly performs wire transfer payments or works with foreign suppliers. Victims range from small businesses to large corporations and deal in a wide variety of goods and services, indicating that every business is at risk.

It is important to note that not every BEC scam contains a payment element. The criminals might also be asking for confidential information in the form of Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms.

As damaging as BEC scams are for businesses, EAC scams are hurting individuals at an alarming rate. These scams follow a similar workflow to BEC scams, targeting individuals usually associated with financial institutions, law firms and real estate companies. They also look for victims who are in the midst of a large purchase, such as a home, where they have to wire funds for closing.

Criminals executing EAC scams generally use two different techniques: account compromise and email spoofing. With account compromise, they hack into a victim’s account and monitor emails for invoices or payment information. Email spoofing requires the criminals to create a fake email address that mimicks the actual address, often replacing “O” with “0” or “_” instead of “-“.

After successfully scanning the victim’s inbox for payment information, the attacker updates the payment information with their account information and resends the email, making it seem legitimate. The criminal might infect an employee’s email account at a title company with malware and send incorrect wiring instructions to an excited home buyer. Or the attacker might spoof the title company’s email and send incorrect wiring instructions to the would-be buyer.

Other examples of EAC scams target consumers with legal, brokerage or lending services pending.

What can a financial institution do to help its customers?

There are many ways institutions can prevent or detect BEC and EAC scams to better protect themselves and their customers. Institutions need to implement greater communication and collaboration between their internal AML, fraud prevention and cybersecurity units. Many times, these groups are separately investigating the same criminals and are unaware of each other’s work.

Additionally, financial institutions can hold requests for international wire transfers for an additional period of time to verify the legitimacy of the request. A simple phone call to validate the transfer can save both the institution and the customer time and money.

Other methods of combatting this fraud include two factor authentication with accounts attempting transfers, a solid fraud detection solution, and educating businesses and consumers on the risks of these scams. Employees should be well-versed on the red flags so they can stop fraudulent transfers.

Education programs help businesses understand that they can reduce their risk of BEC/EAC scams if they:

• Avoid free web-based email accounts
• Are cautious with what is posted on company and personal social media sites and company websites, especially job duties/descriptions, hierarchal information, and out of office details
• Are suspicious of requests for secrecy or pressure to act quickly
• Create intrusion detection system rules that flag emails with similar extensions
• Register all company domains that are slightly different, including replacing letters with numbers (0 instead of O)
• Verify changes in vendor payment location
• Confirm requests for transfers of funds
• Scrutinize all email requests
• Install anti-virus or malware software

Financial institutions can also use basic KYC principals to protect their customers from these scams. Be aware of a customer’s typical wire transfer activity and verify any deviations.

Resources

FinCEN and the FBI have put out several advisories on BEC and EAC scams. The FBI’s May 4, 2017, Alert Number I-050417-PSA and FinCEN’s FIN-2016-A003 documents are good resources for financial institutions to review. In cases that result in a SAR filing, financial institutions should reference Advisory FIN-2016-A003 and include key terms such as BEC Fraud when a business is the victim and EAC Fraud when an individual is the victim.

Through education and awareness, both businesses and financial instutions can better protect themselves, their employees and their customers from these dibiltating scams.

John Meyer is the Chief Product Officer at Banker’s Toolbox, and has 15+ years of experience in the banking and technology industry. He has managed teams that provided teller, new account, internet banking, and BSA/CIP solutions for over 2,000 financial institutions. Meyer also led the design of a fraud detection engine built to safeguard over a million internet-banking users daily. Working with Banker’s Toolbox, he oversees the development of the risk management product suite, including BAM+, which helps financial institutions stop these types of malicious attacks.a by utilizing sophisticated detection algorithms that flag unusual wire, ACH, debit, and check activity to help you protect your customers. For more information visit, www2.bankerstoolbox.com/ilbankers.