BEC: Recognize a scam

Business email compromise (BEC) is defined as a sophisticated scam targeting businesses that regularly make payments. To help you recognize the characteristics of these threats, we explain two common variants — the CEO impersonation and the payment instruction switch.

Tags: BEC, Fraud protection, Risk mitigation
Published: April 05, 2018

Business email compromise (BEC) is an increasing menace to small, medium and large organizations across the globe. The two situations outlined below are fictional, but based on real-world events. 
 

Scenario one: The CEO impersonation

The most common variant of the BEC scam is the CEO impersonation.


The pre-event set-up

In preparation to target fictitious company, “Computercorp” for their next scheme, fraudsters:

  • Perform an investigation to identify the management structure as well as key individuals within the company who are the most likely to process financial transactions.
  • Use searches like Google and LinkedIn to identify key individuals such as the CEO (Judy Exec) and the Controller (Henry Ledger).
  • Identify the email-naming format for the company through additional searches, and discover Judy Exec is on vacation through her social media account.
  • Create a lookalike domain (cmputercorp.com) through an online marketing company that offers free trial domain registration and hosting. They then set up a lookalike email address for Judy Exec to use during the impersonation.
  • Generate a PDF with payment instructions to an account they own.

The scam

The fraudsters initiate an email to the Computercorp controller, Henry Ledger, to begin the fraud scheme. They were able to procure a similar domain name to the one Computercorp uses. Notice below how the email is originated from fraudulent cmputercorp.com to a real employee at computercorp.com.

Initial email from the fraudsters:

From: Judy Exec <judy.exec@cmputercorp.com>

To: Henry Ledger <henry.ledger@computercorp.com>

Subject: Urgent payment

Henry,

What is the cutoff time for wires? I need to have this payment sent ASAP.

<Attached: PaymentInstruction.pdf>

-Judy

Sent from My iPhone

Response from the controller:

From: Henry Ledger <henry.ledger@computercorp.com>

To: Judy Exec <judy.exec@cmputercorp.com>

Subject: Re: Urgent Payment

Hi Judy,

Wires must be processed prior to 2:00 PM PT. How should I code the transfer?

-Henry

Final response from fraudsters:

From: Judy Exec <judy.exec@cmputercorp.com>

To: Henry Ledger <henry.ledger@computercorp.com>

Subject: Re: Urgent payment

Please code to my admin for now. Thanks.

-Judy

Sent from My iPhone

 

With this information in place, Henry hurries to initiate the wire transfer to the account in the payment instructions. Dual authorization is required. When the secondary approver calls Henry, he confirms that the request came directly from the CEO and is urgent. The secondary approver also approves the wire.

The money is sent to the fraudulent account.

The aftermath

Computercorp CEO Judy Exec returns from vacation. Henry sends her a note to confirm the allocation of the funds from the wire. Judy calls Henry immediately, claiming that she didn’t send instructions for a wire.

Henry contacts their bank to request a funds recall. The bank initiates the recall, but the funds moved from the fraudulent account and are no longer available. Next, Computercorp contacts their local FBI field office and reports the fraudulent event to the Internet Crime Complaint Center (IC3).

Because of this event, Computercorp strengthens their wire authorization controls by implementing callback procedures for all requested wire transactions.
 

Scenario two: The payment instruction switch

Another scenario involves fraudulently changing a known supplier’s payment instructions to divert funds to an account owned by criminals or their accomplices.

The pre-event set-up

An organized crime group targets fictitious company, “ABC Corp,” a U.S.-based global manufacturing company that makes frequent payments to foreign suppliers for goods and services. The crime group:

  • Identifies an ABC Corp overseas supplier by the name of “XYZ Supply.”
  • Compromises the email accounts of several XYZ Supply account reps who are using weak passwords on a web-based email system that has no secondary authentication.
  • Searches through emails for payment requests to customers of XYZ Supply. Notices an invoice to ABC Corp for goods, with an additional request for goods to be invoiced in the near future.

The scam

The criminals email the supplier manager at ABC Corp using the most recent XYZ Supply email chain and request a change in payment instruction.

The email doesn’t raise an alert with the supplier manager, because it’s legitimately from the XYZ Supply email account.

The supplier manager updates the payment system with the new account information assuming the email request is legitimately from XYZ’s account representative.

ABC Corp receives the goods and makes a wire payment to the fraudulent account provided by the criminals.

The aftermath

The day after payment, the supplier manager at ABC Corp emails the account representative at XYZ Supply to notify them of the payment. The account representative responds that the wire wasn’t received.

The controller checks the outgoing wires report to confirm the wire. That’s when ABC Corp discovers the wire was sent to a fraudulent account. The controller at ABC Corp calls their bank to request a funds recall, but it’s too late. The funds are no longer available in the receiving account and can’t be recalled.

ABC Corp and XYZ Supply split the cost of the loss, and later implement additional controls around payment instruction changes including callback confirmation procedures. XYZ Supply also commits to implementing stronger security controls on their web-based email system, including multi-factor authentication.
 

Prevent these fictional BEC scenarios from becoming your reality

These scenarios depict situations that your organization can avoid by using stronger internal controls. In both of these BEC frauds, a phone call directly to the requestor using a verified number could have avoided the situation.

Stronger controls around email must also be part of any security strategy. Keep in mind that traditional email isn’t a trusted communication mechanism when dealing with critical activities such as money movement.

 

For more on how to protect your organization from BEC, check out these articles:

Contact U.S. Bank for help with your fraud prevention plan.

 

©2018 U.S. Bank.