
Urgent Wire Request by Email? Don't Do It!

December 17, 2021

by Justin Lutes, Vice President, Correspondent Services


Catalyst Corporate recently became aware of several fraud incidents targeting smaller credit unions on the East Coast, and the schemes are likely to continue moving across the country.

Considering these incidents and another recent event in which a credit union lost a substantial amount due to Business Email Compromise, Catalyst Corporate reminds member credit unions to review and follow wire procedures.

It is imperative to confirm wire requests originating from emails, especially wire requests from an executive who requests secrecy.

In 2020, the FBI’s Internet Crime Complaint Center (IC3) received 19,369 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints with adjusted losses of more than $1.8 billion. This was the largest IC3-reported loss category by $1.2 billion.

What is Business Email Compromise and Email Account Compromise?

BEC/EAC is a scam that targets both businesses and individuals performing wire transfer payments. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Initial BEC/EAC scams involved hacking or spoofing the email accounts of chief executive officers or chief financial officers. Fraudulent emails requested wire payments be sent to fraudulent locations. The scam has continued to evolve, resulting in compromised personal and vendor emails, spoofed lawyer emails, requests for W-2 information and targeting of the real estate sector.

While the specifics vary from case to case, there are five main scenarios for this scam:

  1. Business Executive Receiving or Initiating a Request for a Wire Transfer – a request for a wire transfer is spoofed from a high-level business executive to a second employee within the company who is typically responsible for processing these requests.
  2. Business Working with a Supplier – a business that has a longstanding relationship with a supplier is asked to wire funds for an invoice payment to an alternate, fraudulent account.
  3. Business Contacts Receiving Fraudulent Correspondence through Compromised Email – requests for invoice payments to a fraudster-controlled bank account are sent from an employee’s spoofed or hacked personal email to vendors identified from the employee’s contact list.
  4. Business Executive and Attorney Impersonation – fraudsters identify themselves as representatives of law firms and claim to be handling confidential or time-sensitive matters and request a transfer of funds.
  5. Data Theft – fraudulent requests are sent using a business executive’s compromised email to HR, bookkeeping or auditing asking for W-2 forms or personally identifiable information (PII).

What can be done?

The FBI offers a few tips to avoid becoming a victim:

  • Be suspicious of requests for secrecy or to take action quickly
  • Always confirm wire requests, and if the request is made by email, confirm with the person making the request via a channel other than email
  • Exercise caution with a sudden change in business practices, such as a request to send a wire to a personal email instead of the usual business email address
  • Scrutinize all email requests for anything out of the ordinary, such as a new vendor payment location
  • Do not feel pressured to send a wire

One thing is certain. BEC/EAC will continue to take different shapes, as scammers become more sophisticated. Businesses with an increased awareness and understanding of the scam are more likely to recognize when they have been targeted by fraudsters and to avoid falling victim by sending them payments. Businesses that deploy robust internal prevention techniques at all levels – especially for front line employees who may be the recipients of initial phishing attempts – have proven highly successful in recognizing and deflecting BEC/EAC attempts.

See the full IC3 2020 Internet Crime Report here.