Your Guide to Business Email Wire Transfer Scams
In March 2017, the U.S. Department of Justice charged a Lithuanian national with bilking two American tech companies out of $100 million, which they willingly wired to offshore bank accounts. He faked up invoices and contracts that looked so realistic the victims easily accepted them.
“It can’t happen here.”
That’s what many professionals think when they see those headlines screaming about the latest business email wire transfer scheme.
“We’re too smart to fall for that.”
You are smart. But you’re still susceptible to email wire transfer scams.
And the truth is, you know it.
Almost two-thirds (64%) of respondents in a Mimecast/Vanson Borne survey of business professionals acknowledged that cybercrime will result in a negative business impact this year. And almost three-quarters (74%) of participants in the 2017 AFP Payments Fraud and Control Survey admitted their organizations had been victims of business email compromise (BEC) in 2016. That’s up 10% from the prior year, and is expected to keep climbing.
So buckle up and get yourself up to speed on business email wire transfer fraud.
Email Wire Transfer Fraud: The Numbers Don’t Lie
Data from the FBI’s Internet Crime Complaint Center (IC3) show just how rampant email wire transfer fraud is – and how badly it’s impacting organizations’ bottom lines.
In the 18 months ending in December 2016 (the most recent data available), the FBI saw a whopping 2,370% increase in identified exposed losses from BEC and email account compromises (EAC) at small, medium and large businesses in the U.S. (For what it’s worth, America is the most frequent target for these kinds of attacks. Not a world-leading credential to brag about, is it?)
Impact of BEC/EAC Activities, June-December 2016
Total U.S. financial recipients:
Total U.S. financial recipient exposed dollar loss:
Source: FBI Public Service Announcement
The FBI estimates the average loss from BEC is about $130,000. That alone could wipe out a small business.
But, wait. There’s more. Factor in the cost of loss productivity from having to work with investigators, undertake employee training and other softer impacts and the true cost of any email wire transfer scam is even higher.
While we can’t avoid every intrusion a crafty hacker plans for our organization, we can fortify our defenses. Let’s start by looking at how and why these attacks occur.
Human Error: Why Email Wire Transfer Scams Work
Here’s the scary truth: About one in four U.S. victims wire money to fraudsters and scammers.
Assuming your enterprise is going to be the one that doesn’t fall for the scam is risky business. Not because your employees are idiots, but because they’re human. And they use email – a lot.
Email is an easy target for fraudsters because every organization thrives on it. Savvy scammers can remotely and anonymously gain access to your information, learn your organizational habits, and then launch an email-based attack.
Since employees are sending, receiving and processing tons of emails on any given day, they are naturally the weak link.
In fact, an organization’s own employees and contractors are the source of half of all incidents in which private or sensitive information is unintentionally exposed, according to a 2016 survey by the CERT Division of the Software Engineering Institute of Carnegie Mellon University and CSO Magazine.
Attackers know your “human firewall” is flawed so they target it -- and exploiting trust is step one on their path to success.
Anatomy of an Email Wire Transfer Scam
The FBI shared this example of a popular email wire transfer scam: the Supplier Swindle (also known as the bogus invoice or invoice modification scheme). Here’s how it works:
One of your regular vendors contacts you to say they’ve changed banks and need you to transfer payment for an invoice coming due to the new account. The official-looking email or letter of authorization looks like other correspondence you’ve gotten from this supplier, and the invoice amount is in the ballpark, so you agree to complete the transaction. But the email or fax was spoofed, created from easy to access logos, addresses, and even signatures right there on the public web.
This scenario showcases the four keys to successful email wire transfer fraud:
- Psychology. The transaction was a common request from a supplier, so the employee trusted both the sender of the email and the task.
- Credibility. The transfer wasn’t an outlandish sum of money, and the documentation looked authentic.
- Simplicity. The request was straightforward and uncomplicated.
- Urgency. The task was time-sensitive.
Scammers leverage these four factors to override our skepticism, so we trust the sender, we trust the contents, and we trust that we’re making the right decisions. Talk about evil genius.
There are two other factors that make this kind of fraud possible:
- Busyness. When we’re busy doing the same types of email-based transactions every day, we know the procedures and develop a false confidence. We may not have time to be extra cautious, especially if we expect the kind of transaction requested, the asks come from someone we expect and it arrives about when we expect it.
- Fear. This is a powerful motivator. Many of us are wary of pushing back to requestors because it may seem disrespectful or be seen as insubordination. Or we’re afraid of missing KPIs for timeliness or transactions completed. These fears can outweigh even the fear of unwillingly facilitating fraud.
Fight Back: Protect Yourself from Email Wire Transfer Fraud
Reducing your risk of getting taken by a fraudster requires a multi-layered approach to protection, including employee education, verification/validation processes and controls, and technology solutions.
According to the IC3, “Businesses with an increased awareness and understanding of the BEC/EAC scam are more likely to recognize when they have been targeted…, and are therefore more likely to avoid falling victim and sending fraudulent payments. Businesses that deploy robust internal prevention techniques at all levels (especially for front line employees who may be the recipients of initial phishing attempts) have proven highly successful in recognizing and deflecting BEC/EAC attempts.”
That’s probably why the AFP survey shows that 70% of organizations are taking proactive measures and have already deployed controls to lower the risk of BEC attacks.
Here are three areas to focus on:
1. Employee education extends responsibility for cyber security deep into your organization. Teaching staff about common fraudulent wire transfer tactics and alerting them to new ones is key.
- Show them what to look for, like .co instead of .com in URLs, sketchy reply-to addresses, or business requests coming from a contact’s personal email address.
- Quantify the business risk, so they understand how this kind of scam directly affects the company and their own livelihoods. Doing an email threat assessment can surface eye-popping evidence of susceptibility.
- Follow-up the training with audits and tests – and enforcing consequences – for failures.
2. Processes and controls are an important layer of protection deployed by employees. Common activities:
- Require personal verification above a certain dollar amount.
- Deploy out-of-band communications – like phone calls or texts – to validate requests. For example, if an accounts payable employee gets a vendor request to change bank wire accounts, your team member could be required to contact the supplier directly to ensure the request is real.
- Register domains that are similar to yours, including alternate spellings and special characters.
3. Technology solutions offer automated and more accurate protection so you can quickly and easily identify threats:
- Use an email intrusion detection solution to scan incoming messages in real time from domains and extensions similar to yours, or including keywords like “wire transfer”.
- Enable two-step authentication for corporate email accounts using limited time passcodes or texting login data to recipients.
- Provide protection across the entire workforce’s devices from corporate desktops and mobile devices to the cloud and employees' personal devices.
Properly safeguarding your organization from cybercrime requires a multi-front effort.
“Corporate leaders would be wise to understand that the future of cybersecurity lies not in a single-pronged approach or miracle tool but in solutions that recognize the importance of layering human readiness on top of technological defenses,” wrote Dante Disparte, founder and CEO of Risk Cooperative and Chris Furlow, president of Ridge Global the Harvard Business Review.
Though this multi-faceted approach can dramatically reduce the likelihood of falling prey to email wire transfer fraudsters, the truth is the risk is always there.
What to Do When Wire Transfer Fraud Happens to You
Time is, quite literally, money when you’re a victim of an email wire transfer scam. This is not the time to let pride keep you from owning up to the mistake and getting all hands on deck.
The FBI encourages victims to follow these steps:
- Contact your financial institution before you do anything else, and ask them to contact the bank you transferred to.
- Call the nearest FBI field office, which may be able to help return or freeze your money.
- File a BEC complaint with the IC3.