As reliant as the insurance industry (along with every other business) has become on email to manage client, vendor and partner communications, the fact remains that any such digital tool can leave individuals and firms open to a cybersecurity breach.
Even public entities have faced potentially devastating financial harm from what’s become known as business email compromise fraud, or “BEC.”
A recent report from the FBI’s Internet Crime Complaint Center found that BEC fraud was the crime that resulted in the highest reported losses. The Center indicated that in 2019 alone, it received 23,775 BEC/email account compromise complaints, with adjusted losses of over $1.7 billion.
Moreover, the Center has found that losses from BEC scams overall have increased every year since it began tracking them in 2013.
The impact of COVID-19
BEC fraud has proliferated during this year’s pandemic as bad actors exploit the challenges and workplace changes it has caused. The FBI warns government and health care entities in particular of rapidly emerging fraud trends related to procurement of personal protective equipment (PPE), medical equipment such as ventilators, and other supplies or equipment in short supply during the COVID-19 pandemic.
Federal authorities and regulatory groups continue to caution about BEC fraud and its growing prevalence. For example, in early May, the Financial Industry Regulatory Authority, Inc. (FINRA) issued a special alert warning the securities industry about BEC schemes, among other frauds.
Then, at the end of July, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to alert financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic, including BEC fraud.
Exactly what is BEC?
The most basic form of a BEC scam essentially involves the same four common steps.
First, a criminal identifies a target and uses information available online to develop a profile of the company and its executives.
Then, the criminal contacts one or more company employees, often someone working in the finance department. The messages appear to come from a known source, such as a vendor the target company regularly deals with.
Next, the parties exchange information; the victim believes he or she is responding to a legitimate request and conducting a legitimate business transaction, a wire transfer, using instructions provided by the fraudster.
Finally, the victim authorizes the wire transfer and funds are steered to a bank account controlled by the fraudster.
As the FBI has explained, there are various ways that criminals may carry out a BEC scam. A fraudster may:
- Spoof an email account or website. Slight variations on legitimate addresses ([email protected] versus [email protected]) can fool victims into thinking fake accounts are authentic.
- Send phishing emails. These messages look as if they are from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
- Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices and let criminals gain undetected access to a victim’s data, including passwords and financial account information. Fraudsters use this information to time requests or send messages, so accountants or financial officers do not question payment requests.
Fraudsters often lurk undetected in the network for extended periods of time — sometimes a year or more — until they effectuate the fraud based on the information they have collected. Frequently, their presence in the network is not detected until the fraud is completed and the purloined funds are retransferred to one or more successive accounts in other locations that were created for that purpose.
Millions of dollars at risk
An actual BEC scam was at the heart of the 60-month prison sentence imposed late last year on a Lithuanian citizen, Evaldas Rimasauskas, in the U.S. District Court for the Southern District of New York. According to the U.S. Attorney for the Southern District of New York, the fraud induced two U.S.-based internet companies to wire a total of over $120 million to bank accounts Rimasauskas controlled. Before being sentenced, Rimasauskas pleaded guilty to one count of wire fraud.
The government explained that, beginning in or around 2013 and lasting through in or about 2015, Rimasauskas orchestrated a fraudulent scheme designed to deceive the Victim Companies — a multinational technology company and a multinational online social media company — into wiring funds to bank accounts he controlled. Specifically, the government asserted, Rimasauskas registered and incorporated a company in Latvia (Company-2) that bore the same name as an Asian-based computer hardware manufacturer (Company-1), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2.
Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multi-million-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which Rimasauskas controlled. These emails purported to be from employees and agents of Company-1 and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1. The government contended, however, that the emails were neither sent nor authorized by Company-1 and that the scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.
The government asserted that, after the Victim Companies wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.
COVID-19 has led to increases in fraud, including BEC fraud. The FBI recently cited examples of attempted BEC fraud involving COVID-19. According to the FBI:
- A financial institution received an email allegedly from the chief executive officer of a company who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
- A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because its regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.
Lowering email scam risk
It would be a mistake, however, to assume that BEC fraud is aimed exclusively at large companies and financial institutions. To the contrary, smaller business enterprises and professionals often are targeted as their more “casual” social environment and fewer technological protections may make them more vulnerable than bigger, regulated businesses.
There are important steps that all companies can take to lower the risk of falling victim to a BEC fraud. For instance, all employees, including management, should know the red flags of BEC fraud, such as when a customer’s transaction instructions contain different language, timing, and amounts in comparison to prior transaction instructions, when the instructions contain multiple grammatical and typographic errors, or when emailed transaction instructions direct payment to a different account for a known beneficiary or request to move payment methods from checks to ACH transfers.
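An added example, not from the article or the FBI: a Python check that screens one set of emailed payment instructions against a vendor master file and raises the red flags described above (a sender domain one or two letters off a known vendor's, a changed beneficiary account, a switch from check to ACH, urgency language). The vendor name, domains, account numbers and message text are constructed for illustration.

```python
KNOWN_VENDORS = {  # constructed vendor master file (hypothetical values)
    "Acme Hardware": {
        "domain": "acme-hardware.example",
        "account": "DE89370400440532013000",
        "method": "check",
    },
}
URGENCY_PHRASES = ("urgent", "immediately", "move up", "as soon as possible")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one-letter swap, drop or insert costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_red_flags(sender: str, beneficiary: str, account: str,
                  method: str, body: str = "") -> list[str]:
    """Return the red flags raised by one set of emailed payment instructions."""
    vendor = KNOWN_VENDORS.get(beneficiary)
    if vendor is None:
        return ["unknown-beneficiary"]
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain != vendor["domain"]:
        # A domain one or two characters off the real one is the classic spoof.
        if edit_distance(domain, vendor["domain"]) <= 2:
            flags.append(f"lookalike-domain:{domain}~{vendor['domain']}")
        else:
            flags.append(f"unexpected-domain:{domain}")
    if account != vendor["account"]:
        flags.append("beneficiary-account-changed")
    if method.lower() != vendor["method"]:
        flags.append(f"payment-method-changed:{vendor['method']}->{method}")
    if any(p in body.lower() for p in URGENCY_PHRASES):
        flags.append("urgency-language")
    return flags


if __name__ == "__main__":
    # Constructed messages: a routine invoice, then a lookalike-domain change request.
    print(bec_red_flags("ap@acme-hardware.example", "Acme Hardware",
                        "DE89370400440532013000", "check"))
    print(bec_red_flags("ap@acme-hardvvare.example", "Acme Hardware",
                        "LV80BANK0000435195001", "ACH",
                        "Please move up the payment immediately due to quarantine audits."))
```

Any non-empty result should route the request to out-of-band confirmation with the vendor at a phone number already on file, not one taken from the email.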
The slideshow above illustrates nine steps the FBI advises to educate employees about email safety.
Of course, if a company falls victim to a BEC fraud, it should immediately contact its financial institution and request that it contact the financial institution to which its funds were wired; that may allow the funds to be recovered before they are transferred out of the receiving institution. The company should also speak with legal counsel about whether and how to report the crime.
BEC fraud likely will be with us for quite some time to come. Undoubtedly, it also will morph into different forms. Imagine the trouble that a “deepfake” involving audio created to be that of a corporate executive can cause when combined with a BEC fraud. This is more than just a theoretical concern. Earlier this year, Federal Trade Commission staff examined voice cloning technologies that enable users to make near-perfect reproductions of a real person’s voice, observing that advances in artificial intelligence and text-to-speech (TTS) synthesis have allowed researchers to create a near-perfect voice clone with less than a five second recording of a person’s voice.
The bottom line: Now more than ever, all employees must be vigilant to lower the risk of BEC fraud.
Shari Claire Lewis, a partner in the Long Island office of Rivkin Radler, can be reached at [email protected].