SCAM ALERT – BUSINESS EMAIL COMPROMISE SCAM
Be absolutely sure that email came from your boss before you send the wire…
A new scam has been making the rounds, affecting 7,066 businesses in the US to date and exposing $747,659,840.63 to potential theft[i]. According to the FBI, “The Business Email Compromise (BEC) scam is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices.
There are many versions of this scam, however one of the most concerning is this: the scammer hacks into the email of the President of the company (or creates an email address on a domain that is similar to the company's e-mail domain so it appears to be from the company president) and creates a fraudulent email requesting that a wire be sent immediately. The email is then sent to the financial department (if they hacked in, they can determine who usually receives wire transfer requests), to the correct individual in your organization, who then promptly sends the wire. The timing of the request will typically coincide closely with the wire cut-off – heightening the “emergency” nature of getting the wire out and leaving little time to double check the accuracy of the request.
What can you do? The FBI has issued various tips on how to protect yourself, but one easy way – have your company start a policy of requiring verbal confirmation of all wire transfers. The policy would require the initial written direction be received by email, but before the wire will be initiated your controller or CFO would call the person directing the wire and receive a secondary verbal confirmation – preferably live confirmation and not simply a voicemail. This may slow down the process – especially if your President travels frequently and can be hard to reach – but it will also stop the scam in its tracks.
Some other recommendations from the FBI:
- Create intrusion detection system rules that flag e-mails whose sender domains (extensions) are similar to the company e-mail domain. For example, a rule for the legitimate e-mail domain abc_company.com would flag fraudulent e-mail from abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
- Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
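The first FBI tip above, flagging e-mail from domains that look like the company's own, can be expressed as a simple mail-gateway check. The following is an added example written for this article, not code from the FBI or from the firm; the company domain abc_company.com and the sample From headers are constructed for illustration, and a production rule would be written in the syntax of whatever mail gateway or intrusion detection system the company actually runs. It normalizes separators and a few common look-alike characters, then measures how close the sender domain is to the legitimate one.

```python
# Added example: flag sender domains that look like the company's own domain.
# COMPANY_DOMAIN and the sample headers below are constructed, not real data.
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"  # constructed example, stands in for your own domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse separators and common look-alike characters before comparing,
    so abc-company.com, abc_company.com and abc.company.com compare equal."""
    d = domain.lower().strip()
    d = re.sub(r"[-_.]", "", d)
    # A few substitutions fraudsters commonly use; extend as needed.
    d = d.replace("0", "o").replace("1", "l").replace("rn", "m")
    return d


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From header such as 'Name <user@domain>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify(from_header: str, company: str = COMPANY_DOMAIN, max_distance: int = 1) -> str:
    """Return 'legitimate', 'lookalike', 'external' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain == company or domain.endswith("." + company):
        return "legitimate"
    # Not our domain, but within a small edit distance after normalization:
    # exactly the abc-company.com vs abc_company.com case the FBI describes.
    if levenshtein(normalize(domain), normalize(company)) <= max_distance:
        return "lookalike"
    return "external"


def review_headers(headers):
    """Classify a batch of From headers; returns a list of (header, verdict)."""
    return [(h, classify(h)) for h in headers]


if __name__ == "__main__":
    # Constructed sample headers for demonstration.
    samples = [
        "President <ceo@abc_company.com>",
        "President <ceo@abc-company.com>",
        "President <ceo@abc_c0mpany.com>",
        "Accounts <ap@abc_company.co>",
        "Support <support@vendor-example.net>",
    ]
    for header, verdict in review_headers(samples):
        print(f"{verdict:12s} {header}")
```

A hit from this check should hold the message for the verbal confirmation step described above rather than silently dropping it, since a legitimate new vendor can also land within one edit of your own name. Registering the near-miss domains yourself (the second FBI tip) reduces how many of these look-alikes can be created in the first place.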
For more information on the Business Email Compromise (BEC), the FBI recently issued an update. Cybersecurity Insurance is also on the rise, so contact your broker for more information about this insurance protection.
If you feel you have been a victim of this scam or for more information about cyber scams, or would like to schedule a free initial consultation, please contact Waltz, Palmer & Dawson, LLC at (847)253-8800 or contact us online.
Waltz, Palmer & Dawson, LLC is a full-service law firm with various areas of service to assist your business, including: Employment Law, Intellectual Property, Commercial Real Estate, Business Immigration, Litigation and general Business Law services. Individual services include Estate Planning, Wills and Trusts, Probate, Guardianship, Divorce and Family Law.
This article constitutes attorney advertising. The material is for informational purposes only and does not constitute legal advice.
[i] According to Federal Bureau of Investigation Alert Number I-082715a-PSA