Ransomware gangs targeting businesses are currently getting more public attention, but scammers trying to trick employees into performing fraudulent wire transfers are once again ramping up their efforts, US-headquartered law firm BakerHostetler has warned.
BEC scams and fraudulent wire transfers
The same tactics have been employed by BEC scammers for years, but businesses of all sizes continue to fall for them.
The scam is usually discovered when the accounting department of a company starts seeing an increase in accounts receivable for one or more customers, then follows up on the outstanding invoices.
The customer reports that they have already paid the invoices and provides proof of the wire transfer, but the document shows that the money was sent to the wrong bank account. The customer says they followed the accounting department’s instructions after receiving an email with “new” wire instructions from them.
“The email, of course, is not from the accounting department but from a fraudster,” the lawyers explained.
“Sometimes the bad actor compromised an accounting department employee’s email account to find customers, steal invoices and gain an understanding of the cadence and manner of billing emails. Sometimes the bad actor compromised the customer’s email account for the same purpose and then used an email that looked enough like the vendor’s accounting department email address to trick the customer. But whatever the method of access and communication, the two entities share the same outcome: Money has been paid to bad actors, and it is highly unlikely that it will be recouped, even with law enforcement intervention.”
The worst thing about these schemes is that they are easily thwarted by setting up certain policies and low-cost technical measures.
For example, companies should consider enabling multi-factor authentication for web-based email access so that scammers can’t use phished credentials to take over business email accounts.
Blocking access to company email accounts from IP addresses that resolve to countries where the company has no employees is also a good idea, and so is setting up alerts that are triggered when an email account is accessed from two locations within a time span that would not allow for travel between them, the lawyers advise.
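The two controls just described (blocking sign-ins from countries where the business has no staff, and alerting on sign-ins too far apart to be the same traveller) worked through as an added example; this is not code from the BakerHostetler article, and the sign-in records, the allowed-country list and the 900 km/h threshold are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in records (not real data): user, UTC timestamp,
# country the source IP resolved to, and that IP's approximate geolocation.
SIGNIN_LOG = [
    {"user": "ap@example.com", "ts": "2020-09-14T08:05:00", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "ap@example.com", "ts": "2020-09-14T09:40:00", "country": "NG", "lat": 6.52, "lon": 3.38},
    {"user": "ar@example.com", "ts": "2020-09-14T08:30:00", "country": "US", "lat": 41.88, "lon": -87.63},
    {"user": "ar@example.com", "ts": "2020-09-14T17:15:00", "country": "GB", "lat": 51.51, "lon": -0.13},
]

# Assumed: countries where the business actually has employees; all others are blocked.
ALLOWED_COUNTRIES = {"US", "GB"}
# Assumed threshold: faster than a commercial flight means one person cannot have made both sign-ins.
MAX_TRAVEL_KMH = 900.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def find_alerts(log, allowed=ALLOWED_COUNTRIES, max_kmh=MAX_TRAVEL_KMH):
    """Return (user, kind, detail) tuples for geo-blocked and impossible-travel sign-ins."""
    alerts = []
    last_seen = {}  # user -> that user's previous sign-in record
    for rec in sorted(log, key=lambda r: (r["user"], r["ts"])):
        if rec["country"] not in allowed:
            alerts.append((rec["user"], "geo_block", rec["country"]))
        prev = last_seen.get(rec["user"])
        if prev:
            hours = (datetime.fromisoformat(rec["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], rec["lat"], rec["lon"])
            # Distance with zero elapsed time means concurrent sessions from two places.
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((rec["user"], "impossible_travel", round(km)))
        last_seen[rec["user"]] = rec
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SIGNIN_LOG):
        print(alert)
```

In the sample data the New York to Lagos pair (roughly 8,500 km in 95 minutes) raises both alerts, while the Chicago to London pair (about 6,350 km in 8 h 45 min) is an ordinary flight and raises none.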
On the other hand, scammers may choose not to compromise legitimate business email accounts but set up rogue ones that are made to look like they are owned by the business.
Employees who deal with payments should be taught about the danger presented by these emails, instructed on how to spot red flags, and regularly reminded to always verify all requests to change bank account information by calling a known telephone number for that customer, vendor or business partner (definitely not a phone number included in the email!).
Finally, a business might itself be wise to these tricks, but it costs nothing to raise awareness and educate customers and business partners by sending an email setting out all this information and good advice.
You’ve been scammed, now what?
Recouping the fraudulently transferred funds once an employee falls for the scam may turn out to be a challenging endeavor.
The sooner the company discovers the incident, the better the chances of getting the money back. Notify your bank immediately and report the incident to law enforcement.
If you’re in the US and the fraudulent wire transfer has been made to a domestic bank account, the FBI’s Internet Crime Complaint Center (IC3) Recovery Asset Team might be able to get it back for you. “During its inaugural year, the team assisted in the recovery of over $300 million lost through on-line scams, boasting a 79% return rate of reported losses,” the FBI said earlier this year.
It’s also important to find out whose email account was compromised by the scammers.
Not only is this important to decide who will “eat” the loss if the money can’t be recovered, but also because companies whose email account(s) have been compromised might have more to lose than just money: the scammers might have accessed personal and business information residing in the account and might use it to perpetrate additional fraud.
Also, the lawyers noted, “the business whose email was compromised may have additional legal obligations based on state or federal data breach notification laws or contractual clauses with other business partners.”