“I can’t believe we almost fell for that.”…
When clients call SVB to report potential fraud, they are usually stunned that someone at their company was almost duped into transferring funds to a criminal. After all, our clients tend to be tech-savvy and well-informed. Unfortunately, so are the fraudsters working a lucrative racket known as business email compromise (BEC).
- As of June 2016, BEC fraud had drained a worldwide total of $3 billion from businesses of every size.
- In January 2017, the U.S. Department of Homeland Security’s Internet Crime Complaint Center (IC3) issued an alert describing a growing number of sophisticated scams classified as business email compromise (BEC) or email account compromise (EAC). These scams frequently use social engineering techniques to defraud businesses that regularly perform foreign wire transfer payments.
To help protect yourself so you don’t become the next fraud news story, first learn how criminals pull it off. We have an inside view into how these email frauds operate, and how you can fight back at each stage.
Step One: Fraudsters Do Their Homework
Every successful con artist starts by learning as much as possible about you and your business. The aim is to gather information that will make deceptions more credible. Prime sources include:
- Corporate websites, publications, press releases and public filings — these provide a window into your business and information about targets such as executives, partners, suppliers and customers.
- Social media — Twitter or Facebook updates may disclose that an executive is traveling, or reveal personal information that can make an attempted impersonation appear genuine.
- Business and/or personal email hacking/spoofing — fraudsters will spoof the executive’s email address or create a look-a-like domain to gather information about the target executive from 3rd party correspondence.
- Be aware of just how much information is publicly available — if anyone can find it, there’s no proof that someone who cites it is the person they claim to be. A controller at a client company gets an email request from her CEO to send a payment. The controller thinks to verify that she was really emailing with her CEO by asking the CEO for his son’s name. When she receives the correct answer, she goes ahead with the transfer. Unfortunately the transfer is sent to a fraudster who was prepared with the right answer.
- Limit the information you provide on social media profiles, especially about finance job responsibilities. Also avoid providing details on travel. Criminals often impersonate an executive whom they know is on the road and can’t be easily reached.
Step Two: Fraudsters Gain Access to Target Email Accounts
Fraudsters break in and lurk on the target’s email account, gathering information such as login credentials, so they can eventually pose as that individual and initiate a fraudulent funds transfer.
- It may be easy to gain access to the account if the target reuses a password that was stolen in another breach.
- Infecting the target with malware is a common way to get control of not only the individual’s email account, but other sensitive logins as well.
- For bank system access, use unique passwords, not already used for email accounts or online shopping sites, and set up two-factor authentication if available.
- Be scrupulously careful about opening email attachments or clicking on links sent to you.
- Have a comprehensive anti-malware suite installed on your system like IBM Security Trusteer Rapport*, which specifically watches for financial malware, to improve your odds of stopping an infection before it does damage.
Step Three: Fraudsters Craft a Persuasive Message
When the fraudster decides the time is right to strike, you may receive an email like one of these:
Hi CFO Dave!
Can you please wire $56,000 to this company and code to “admin expenses”? I’m getting ready to board my flight to NY so I’ll send you the supporting documentation when I land.
Note the urgency in the example above? That’s a common tactic, to encourage the recipient to act quickly and possibly bypass controls. Also, the fraudster used the CEO’s travel plan information to make the request seem more legitimate.
Hi Accounts Payable,
We switched banks and have a new account number and routing information. Please update your records in time for the next invoice payment. The new information follows below.
A Trusted Vendor
The vendor payment scam is so effective because there’s no request for a funds transfer, just a simple administrative request. It’s often not discovered until the vendor contacts your company 60 or 90 days later, looking for the payment — which you had actually sent to the fraudster.
We’re in the process of acquiring a company overseas. Please keep this to yourself as it’s highly confidential — just sending you an FYI, no need to act at this time. I’ll connect you to the lawyer brokering the deal when we’re ready to close.
In that example, the fraudster is playing a longer game by setting up the controller to trust an unknown third party. Later, the criminal may direct the controller or someone else to make payments to the lawyer brokering the bogus deal. This future email may originate from a hacked or cloned email account.
- Educate staff so that everyone who has the authority to issue payments or change payment information on your vendor file is familiar with the kinds of messages that may be fraudulent.
- Create secure business processes for initiating and approving payments. Require dual approvals in SVB Online Banking for all payments.
- Put a process in place to independently validate any requests to change vendor payment information. Vendor compromise is becoming more common, so this is particularly important.
- Always make a phone call to confirm that payment requests are legitimate. You must initiate the call, and don’t ask for a phone number via email. Remember: criminals may intercept any email you send.
The Bottom Line:
Email is an insecure vehicle. Be sure you’re using software to detect and block malware. To help block malware, you can download IBM Security Trusteer Rapport* directly from our website.
To learn more, please visit SVB’s Fraud Prevention Center or contact your SVB representative.
*Services may have monthly, per item, or per transaction costs. Contact your SVB representative for more information.
This material is provided for informational purposes only. The conclusions expressed are based upon limited information available to Silicon Valley Bank regarding your company's fraud detection and prevention programs, and should not be seen as a substitute for obtaining your own independent assessment of such programs. The security of your operating system and your procedures for conducting banking transactions with us remains your responsibility. Silicon Valley Bank is not responsible for any cost, claim or loss associated with your use of this material.