Millions lost due to wire transfer fraud
Millions of dollars have been lost due to a sophisticated scam targeting businesses working with foreign suppliers and/or firms that regularly perform wire transfer payments.
The scam is carried out by compromising legitimate business e-mail accounts through hacking or infiltration techniques to conduct unauthorised transfers of funds.
The Federal Bureau of Investigation (FBI) says business email compromise (BEC) fraud has seen a 270% increase in identified victims and exposed loss since January this year.
A total of 8,179 victims, both in and outside the US, with total exposed losses of $800m, were reported to the FBI from October 2013 to August this year.
Similar incidents identified by international law enforcement agencies during the same period bring the BEC exposed loss to over $1.2bn.
In an alert issued in late August, the FBI said businesses of all sizes are being targeted and the scam has been reported in all 50 US states and in 79 countries.
The fraudulent wire transfers were sent to 72 countries, mostly to banks in China and Hong Kong.
The fraudsters are known to use methods most commonly associated with their victim’s normal business practices - wire transfers in most cases, cheques in others.
These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link, said the FBI.
When the victim clicks on the link, it downloads malware, allowing the criminals unrestricted access to data, including passwords or financial account information.
A recent trend has been uncovered in which the fraudsters contact companies either by e-mail or phone and pretend to be lawyers or representatives of law firms claiming to be handling confidential or time-sensitive matters.
“Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds,” said the FBI, adding that this type of BEC scam may occur at the end of the business day or work week or be timed to coincide with the close of business of international financial institutions.
Raised awareness of the BEC scam has helped businesses detect the scam before international wire transfers are made, and some financial institutions are holding their customer requests for an additional period of time to verify the legitimacy of the request.
Businesses reported using the following new measures for added protection:
• Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
• Register all company domains that are slightly different than the actual company domain.
• Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
• Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
• Know the habits of your customers, including the details of, reasons behind, and amount of payments.
• Carefully scrutinise all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
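The first measure in the list, flagging sender domains that resemble the company's own, can be sketched as a mail-filter check. This is an added example, not code from the FBI alert or this article; the allow-list, the substitution table and the distance threshold are assumptions, and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed allow-list, using the article's example domain.
COMPANY_DOMAINS = {"abc_company.com"}

# Assumed (not exhaustive) set of look-alike character substitutions.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Collapse cosmetic differences so near-identical domains compare equal."""
    d = domain.lower().translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-_.]", "", d)


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, legit=COMPANY_DOMAINS, max_dist=2):
    """Return (verdict, matched): 'internal', 'lookalike' or 'external'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in legit:
        return "internal", domain
    for real in sorted(legit):
        # Small thresholds misfire on very short domains; tune per domain length.
        if edit_distance(skeleton(domain), skeleton(real)) <= max_dist:
            return "lookalike", real
    return "external", None


if __name__ == "__main__":
    # Constructed From headers for illustration.
    for hdr in ["CFO <cfo@abc_company.com>", "CFO <cfo@abc-company.com>",
                "cfo@abc_cornpany.com", "billing@supplier.example"]:
        print(hdr, "->", check_sender(hdr))
```

A "lookalike" verdict is a reason to hold the message for review and to verify any payment request through a previously known phone number, as the measures above describe.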
*Businesses affected by such scams may wish to enquire about ICC’s Commercial Crime Services’ FraudNet service, an international network of independent investigators specialising in asset recovery.