FBI Alert: Business Email Scam Losses Exceed $1.2 BillionExperts Say Incidents Are Underreported, Offer Tips on Minimizing Risks
The FBI, in a new alert, estimates that fraud losses linked to so-called business email compromise scams worldwide totaled more than $1.2 billion from October 2013 to August 2015. But some financial fraud experts say the losses from this largely overlooked threat could be even higher because the incidents often are not reported.
See Also: Secure Access in a Hybrid IT World
David Pollino, bank fraud prevention officer at Bank of the West, who calls these scams "masquerading" schemes, has warned of upticks in this type of wire fraud since January 2014.
In May, he predicted that losses linked to masquerading, or business email compromise attacks, in 2015 alone would exceed $1 billion. "This is a global fraud trend," he said.
In a white paper Bank of the West recently posted about this fraud trend, Pollino notes that masquerading attacks are among the top three fraud threats facing small businesses today.
"Masquerading is a payments scheme in which a fraudster impersonates a company executive or outside vendor and requests a wire transfer through a phone call or email to a company controller, or someone else with authority to wire funds," Pollino writes. "The controller will usually tell the business' bank to wire the funds because the email or phone call seems legitimate."
Fraudsters' social-engineering methods include sending these bogus requests to accounting departments with a sense of urgency, Pollino notes. To speed up payments, the fraudsters often ask the bank or credit union to bypass the normal out-of-band authentication and transaction verification processes in place for wires, especially those being sent to overseas accounts, he says.
"For the third consecutive year, three in five companies were targets of payments fraud," which includes BEC scams, Pollino points out, quoting statistics in the Association for Financial Professionals' 2015 Payments Fraud and Control Survey.
To mitigate risks associated with these scams, Pollino recommends that businesses:
- Develop an approval process for high-dollar wire transfers;
- Use a purchase order model for wire transfers, to ensure that all transfers have an order reference number that can be verified before approval; Confirm and reconfirm transfers through out-of-band channels, such as a confirmation emails or SMS/texts; and
- Notify the banking institution if a request for a transfer seems suspicious or out-of-the-norm.
In its Aug. 27 alert, the FBI notes that most of the companies that have fallen victim to BEC scams have been asked to send urgent wires to foreign bank accounts, most of which are based in China and Hong Kong.
"The BEC scam continues to grow and evolve and it targets businesses of all sizes," the FBI notes. "There has been a 270 percent increase in identified victims and exposed loss since January 2015. The scam has been reported in all 50 states and in 79 countries."
From October 2013 through August 2015, the FBI estimates that some 7,066 U.S. businesses and 1,113 international businesses fell victim to this socially engineered scheme.
Quantifying Losses a Challenge
But quantifying losses from BEC scams has proven challenging because many of the incidents are not reported.
"Certainly these losses are understated, because many companies are not reporting them to the FBI due to embarrassment, lack of knowledge of where to turn, or the realization that there is no chance of retrieving their funds," says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. "So much money is being stolen through this scam that it is only going to continue, costing businesses billions of dollars."
In an effort to curb losses associated with these socially engineered schemes, Inscoe says financial institutions must educate their commercial customers about how these types of attacks are waged.
And she contends that the Asian banks to which these fraudulent wires are being sent should be held accountable. "Clearly, these banks are assisting in laundering these ill-gotten gains," she says. "An appeal could be made to their regulators to crack down on them from a money-laundering perspective, but I have no idea how receptive the regulators would be to that avenue of action."
Dave Jevans, co-founder of the Anti-Phishing Working Group and vice president of threat-intelligence firm Proofpoint, says federal law enforcement agencies have been strengthening their relationships with agencies in Asian markets to help curb some of this fraud.
"They can always work more closely with the financial institutions in these regions to monitor activity. However, it is really up to the originating companies and their U.S. financial institutions to solve this problem," he says. "Law enforcement is about investigating and arresting criminals. They are not a regulatory agency, nor are they a fraud-detection agency."
Jevans argues that the solution to the BEC problem is ensuring that businesses have stronger internal controls and targeted attack prevention on their email systems. "Banks can help their customers get educated, and can strengthen their validation processes and requirements when funds are being requested to be sent to new, untrusted accounts," he says. "Only focusing on overseas accounts won't solve the problem, and many of the smaller BEC frauds are routed through money mule accounts here in the USA."
Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says businesses have to understand that bypassing banks' procedures for wire-transfer confirmation is exposing them to fraud.
"Internal procedures should change to ensure that all requests for the transfer of funds be verified," Kellermann says.
Kellermann says businesses' employees should be trained to carefully examine the URLs from which emails are sent. Spoofed email addresses, for instance, will be slightly different yet resemble legitimate email addresses. And he says all external wire transfers should be required to have some type of out-of-band confirmation, through a secondary email, phone call or SMS/text, before they are approved and scheduled.
Stronger email authentication and adoption of DMARC, the Domain-based Message Authentication, Reporting & Conformance initiative, could have a big impact on reducing fraud losses related to BEC, Kellerman contends.
Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says identify-proofing technology, which requires that an online account user provide a headshot or picture of a driver's license captured with a mobile phone, could make a difference.
More banking institutions are exploring identity-proofing to authenticate new-account customers, Litan says, by employing the same technology they use for the remote-deposit capture of check images from smart phones and PC scanners.
"Perhaps this technology for identity proofing and documents transfer [such as check images] can be rolled out to the customer sites," she says. "Now you start asking the person requesting the wire to prove who they are by saying, 'Sorry, CEO, but before I act on your instructions, I need to see your driver's license.'"