If you’re an advisor who facilitates wire transfers on behalf of your clients, you may want to pay attention to a recent FBI public service announcement regarding what the Bureau calls a “sophisticated scam” that has been targeting businesses and individuals who perform wire transfer payments.
The FBI’s 1-050417-PSA, issued on July 12, concerns the Business E-mail Compromise (BEC)/ E-mail Account Compromise (EAC), or BCE/EAC, scam, under which a bad actor obtains legitimate business e-mail accounts to conduct “unauthorized transfers of funds.”
This scam is not new, but is increasingly costly to businesses. Using data from the FBI’s Internet Crime Complaint Center (IC3), the PSA warns that the scam “continues to grow and evolve,” targeting small, medium and large business and personal transactions. Using its own data and statistics from international law enforcement and financial institutions, IC3 found that between December 2016 and May 2018 there was a 136% increase in identified global exposed losses due to the scam, to $12.53 billion. (“Exposed losses” includes both actual and attempted dollar losses.)
Moreover, there have been 78,617 incidents of BCE/EAC reported by victims in 150 countries, with more than 41,000 U.S. victims in all 50 states accounting for nearly $3 billion. Fraudulent transfers have been sent to 115 countries.
Not surprisingly considering the large amount of dollars involved in the industry, the real estate sector has been heavily targeted in these BEC/EAC schemes, with victims including title companies, law firms, real estate agents, and home buyers and sellers.
According to the FBI, real estate victims most often tell of a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to mostly domestic fraudulent accounts, which the Bureau drolly reports are “often depleted rapidly” through cash or check withdrawals, “making recovery difficult.” From 2015 through 2017, there was a 1100% rise in the number of such real estate scams and a 2200% rise in the reported monetary loss.
Protecting Yourself and Your Firm
The FBI’s suggestions for protecting the parties in a real estate transaction from this type of fraud could be helpful for any party conducting a wire transfer.
The best defense, the Bureau says, is to verify all requests for a change in payment type and/or location. BEC/EAC actors “often request that payments originally scheduled for check dispersal be made via wire instead.”
Since the bad actors in BEC/EAC scams often use publicly available information to establish their bona fides, the FBI says all parties in a wire transfer should be “wary of any communication that is exclusively e-mail based,” and should also “establish a secondary means of communication for verification purposes.”
But just making a phone call to establish a party’s identification isn’t enough. The FBI also suggests that all parties in a wire transfer be “mindful of phone conversations,” since victims of the fraud report they have received phone calls from BEC/EAC actors requesting personal information for verification purposes, while “financial institutions report phone calls acknowledging a change in payment type and/or location.”
Since some victims report “they were unable to distinguish the fraudulent phone conversation from legitimate conversations,” the Bureau suggests another safeguard: “establish code phrases that would only be known to the two legitimate parties.”
As for how to respond to an instance of fraud, the FBI strongly suggests that victims file a complaint with its Internet Crime Complaint Center, IC3, which can help victims, financial institutions and law enforcement agencies with recovery efforts.
A Variant of the BCE/EAC
The PSA warns as well that BCE/EAC scams are not limited to wire transfer requests. A variant of the scam, it says, uses compromised legitimate business email accounts to request Personally Identifiable Information (PII) or W-2 forms for employees.
Reports of the growth of that variant scam were included in a February 2018 PSA by the FBI, citing a warning from the IRS’s Online Fraud Detection & Prevention (OFDP) office. The IRS described how the scheme works:
Cybercriminals use various spoofing techniques in attempts to contact an employee in the payroll or human resources departments, requesting a list of all employees and copies of their Form W-2. Such techniques include disguising an email to make it appear as if it is from an organization executive or even compromising the email account itself gain legitimacy. This scam is sometimes referred to as business email compromise (BEC) or business email spoofing (BES). They achieve this by spoofing the “From” field and adding a “Reply-To” address or using a free email service account for the email address and spoofing the sender name.