Background
“Business Email Compromise Scams” or “BEC scams” typically target companies that conduct wire transfers with entities abroad. For example, a fraudster may use an email address that is very similar to that of a business’s actual vendor to request payment for invoices, with payment to be wired to a bank account that the fraudster controls in another country. In this way, the fraudster fools an unwitting employee into assisting with a theft of funds that, after being sent, are very difficult to recover.
Over the years, there has been significant reporting about BEC scams that see funds wired to fraudsters’ accounts in Hong Kong or mainland China. However, we have seen a recent surge of BEC scams against businesses in mainland China or Hong Kong with funds being sent to the United States.
In the event of a BEC scam, decisive action is required as soon as the cyber fraud is detected. This guide describes what to do if you are victimised by a BEC scam with money being wired to the United States and how to help minimise the risk of falling victim to BEC scams to begin with.
How are the scams perpetrated?
Typically, wire fraud scammers research company employees who manage money and determine with whom a company does business. Often, scammers infiltrate a victim’s IT system through an email or internet-based Trojan horse or malware that allows them to view the victim’s email communications. This lets scammers observe payment requests from legitimate business partners and identify key personnel.
Armed with this information, fraudsters impersonate business partners, commonly sending emails that appear on their face to have originated with such partners. For example, fraudsters may use an email address that is identical to a legitimate email address, but for a small change, like an added hyphen. With such manipulated email addresses, scammers send what appear to be standard requests for payment, often in the form of authentic-looking invoices. Typically, these requests direct that a wire transfer be sent to a foreign bank account that the business partner has never used.
How to reduce the risk of falling victim to a BEC wire fraud scam
To detect potential BEC wire fraud scams, it is necessary to look holistically at any requested wire transfer details, how and when the request was submitted, and the relationship between the originator and beneficiary. The following specific indicators in emails should raise a red flag:
- a request to transfer amounts that are unusual (higher or lower) for a particular business;
- a request to transfer funds to beneficiaries that are unknown or outside of a business partner’s typical area of operation. For example, a first-time request for a wire transfer to be sent to a bank account in the United States warrants closer inspection;
- changes in established payment practices such as frequency and timing; and
- email-only wire transfer requests, particularly requests asking for urgent action.
More broadly, the following general practices will help reduce the risk of being victimised by a BEC wire fraud scam:
- increasing awareness within an organisation of the existence of BEC scams;
- verifying payment instructions in person or by telephone to a known or independently verified telephone number – not to a number provided in an email request for payment;
- carefully reviewing email addresses to detect spoofed/mimicked email addresses;
- employing multi-level authentication; and
- implementing technology solutions to identify suspicious emails by, for example, scanning hardware for any spyware, malware, Trojan horses, etc., and establishing a program to warn if the name on an incoming email does not exactly match an existing contact.
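As an added illustration (not part of the original guide), the Python sketch below shows one way a program could warn when an incoming sender does not exactly match an existing contact, including the "added hyphen" style of mimicked address described earlier. The contact list, the sample headers, the function names and the distance threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed contact list (assumption): display name -> verified address.
KNOWN_CONTACTS = {
    "Acme Supplies Accounts": "accounts@acmesupplies.example",
    "Li Wei": "li.wei@northwind.example",
}

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(addr):
    """Drop separators and fold look-alike digits so near-copies compare equal."""
    return addr.translate(str.maketrans({"-": "", "_": "", ".": "", "0": "o", "1": "l"}))

def check_sender(from_header, contacts=KNOWN_CONTACTS, max_distance=2):
    """Classify a From header as known, lookalike, name-mismatch or unknown."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    by_addr = {a.lower(): n.lower() for n, a in contacts.items()}
    if addr in by_addr:
        return ("known", addr)
    # Near-miss of a verified address, e.g. one added hyphen or a swapped character.
    for good in by_addr:
        if skeleton(addr) == skeleton(good) or edit_distance(addr, good) <= max_distance:
            return ("lookalike", good)
    # Display name of a contact, but sent from an address never seen for them.
    for good, good_name in by_addr.items():
        if name and name == good_name:
            return ("name-mismatch", good)
    return ("unknown", None)

# Constructed sample headers.
SAMPLES = [
    "Acme Supplies Accounts <accounts@acmesupplies.example>",
    "Acme Supplies Accounts <accounts@acme-supplies.example>",
    "Li Wei <liwei.payments@freemail.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_sender(header), header)
```

A "lookalike" or "name-mismatch" result is a prompt to verify the payment instruction by telephone on an independently verified number, not proof of fraud on its own.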
What to do if you have been defrauded by a BEC scam
Scammers typically withdraw funds immediately after those funds hit a scammer-controlled account, including by sending funds to yet another account or converting them to cryptocurrency. Obviously, this makes recovery quite difficult. Therefore, as soon as you become aware that you have been victimised by a BEC scam, you should immediately:
- contact your bank and request that it communicate with the financial institution to which the fraudulent transfer was sent in the United States to seek an immediate hold or reversal of the transfer; and
- retain an experienced wire fraud lawyer in the United States to liaise with the U.S.-based recipient bank and with U.S. law enforcement, and potentially to file an emergency civil proceeding to freeze the recipient account.
Insurance protection
It is also worth checking your insurance policies to see whether you are insured against fraud, theft or dishonesty. Many policies preclude coverage if the funds are transferred voluntarily (even if through deception). However, recently, insurers have developed a product that would address BEC scams. The coverage is known as Social Engineering coverage, which must be added by endorsement to a stand-alone policy. Limits tend to be low, with high deductibles and numerous protocols in place in order for insurers to agree to provide coverage.