International criminals are targeting staff of SMEs and multinational companies with money transfer authority in what the US Federal Bureau of Investigation is calling the “Business Email Compromise” (BEC) scam.
Imagine you are a member of a finance team in a Hong Kong company. You receive an email from a contact in the accounts receivable department of one of your suppliers. The email contains an invoice for a shipment of goods recently received and requests that payment be made to a new bank account not previously used for such transfers. You reply to the email asking for details regarding the account switch and receive a further email explaining that the supplier is re-organising its business and banking setup and needs the transfer as soon as possible to facilitate this process. What would you do?
Or imagine you receive an email from your CEO or Executive Director requesting that an urgent payment be made to facilitate a highly confidential transaction with a prospective overseas business partner. The CEO is out of town in a different time zone and not immediately available to discuss the payment, but it’s a relatively modest sum and you are worried that not making the payment could jeopardise the transaction. What would you do?
An increasing number of finance team members are making these transfers. The BEC scam takes advantage of the use of email (or instant messaging and texts) to authorise and conduct business transactions. Once the fraudulently induced transfers are made, the transferred money can be very difficult to recover.
A Disturbing Trend
Companies around the world are being victimised. The FBI says that it handled 2,126 cases of the BEC scam last year, with losses totaling US$215 million. The Hong Kong Police Force has indicated anecdotally that it is swamped with literally hundreds of these kinds of cases, which it classifies as “technology crime”. Since 2010, there has been a 300% increase in the number of technology crime cases reported in Hong Kong, and a 1,900% increase in losses suffered, with 80% of these losses resulting from BEC or similar scams. Further, cyber security incidents, which often go hand-in-hand with the BEC scam, doubled from 2013 to 2014.
These disturbing trends are likely the reason that in early 2015 the Technology Crime Division of the HKPF was elevated to bureau status and renamed the Cyber Security and Technology Crime Bureau.
Anatomy of A Scam
The BEC scam is simple and repeated with cookie-cutter precision in most of the cases we have seen. The elements of the scam are as follows:
- Surveillance: The fraudster surveys the target company to gather as much information as possible to make the transfer request appear legitimate. Information gathered includes the company’s key personnel, business partners, common transactions, payment processes and normal payment cycles. A surprising amount of this information can be obtained from publicly accessible sources; however, the FBI suspects that much of it is obtained by fraudsters infiltrating the company’s cyber security defenses. This often gives the fraudster access to emails, appointment calendars, business records and other information which make it easier to tailor a fraudulent transfer request which both appears legitimate and which often arrives at a time when key management are not available to confirm or authorise the transaction.
- Fraudulent email: Next, the fraudster sends an email to a member of the victim company’s finance team requesting the fraudulent transfer. The email is sent from an address that is very similar to the actual address of a contact at a supplier or of a senior company executive, though it may even come from that person’s actual account if they have been hacked. The email is tailored to appear authentic by invoking inside information, and adopting the writing tone and mannerisms of the sender being impersonated. The emails are sent at a time when they would be expected to be received and also tend to coincide with periods of unavailability of senior management within the company who could verify or authorise the transfer. The emails request that relatively modest transfers, usually under US$1 million, be made to an overseas bank account and often attach authentic looking invoices.
- Pressure: The fraudster then sends follow-up emails to the targeted employee to pressure him or her into making the transfer, often without following the normal payment protocols. These emails play on the employee’s fear of making a mistake or harming a key business relationship. Once the fraudster has someone’s attention, the emails will come thick and fast.
- Receipt and onward transfer: Once the money is transferred to the fraudster’s bank account it is then very quickly transferred through a number of additional bank accounts to frustrate any attempts to freeze or trace the funds. These accounts may belong to innocent “money mules” who are tricked into setting up the accounts and giving the Internet banking passwords, etc., to the fraudster. This allows the fraudster to transfer the money from account to account without ever having to enter the jurisdiction and risk criminal prosecution. Once the money is onward transferred out of the recipient account, it is very difficult to trace and recover.
- Further requests: Once the fraudster has successfully lured the finance department into making a transfer, he will then often make requests for additional transfers. This is particularly problematic in the case of supplier payment redirection because often the scam is not identified until much later when the supplier comes asking for payment of its unpaid invoices. The anonymity the Internet can provide and the difficulty in prosecuting criminals in many foreign jurisdictions emboldens the fraudster to return to the scene of the crime again and again.
How to Respond If You’ve Been Scammed
The key to recovering scammed money is to catch the funds before they have been transferred onward from the recipient account. The victim company should immediately notify the remitting and receiving banks of the scam and put them on notice that they are dealing with the proceeds of crime and risk committing the offence of money laundering if they execute any further transfers of the money. Bringing legal counsel into the picture as soon as possible will maximize the chance of freezing the money.
The victim should also make an in-person report with local law enforcement agencies as soon as possible, particularly in the receiving jurisdiction. The police often have powers to order banks to freeze suspected proceeds of crime, without the victim needing to go through the expense and delay of obtaining a court order. The police can also take further steps to investigate the crime, but in our experience these investigations very rarely lead to the recovery of the funds.
Companies, if they are publicly listed or highly regulated, should also consider whether they have any notification obligations in relation to the scam, including notifying their insurers.
Preventing Being Victimized
It may only be a matter of time before your company is targeted by this scam. The following steps can be taken to avoid being victimized:
- Staff Training: Finance team staff, particularly those responsible for outbound payments, should be trained to strictly adhere to formal payment procedures and to recognize the hallmarks of the BEC scam, including requests to switch payee accounts and requests to make “confidential” transfers. Staff should also be trained how to respond quickly once they discover they have been scammed.
- Management accountability: Payment protocols apply to senior management as well. If a CEO is in the habit of sending payment instructions by email, or otherwise departing from normal payment procedures, they are putting the company at increased risk of being victimized by the BEC scam.
- Verify: Finance staff should always scrutinize the email address of any message requesting outbound transfers, particularly where the email shows the hallmarks of the BEC scam. Fraudulent emails are often sent from email addresses quite similar to the address of the person being impersonated, but the brain very easily misses these tiny differences. If a request asks for money to be paid into a new account, finance staff should make a telephone call to the payee, using a number already on file rather than one supplied in the email, to confirm the instructions. Do not trust inbound calls, as fraudsters have been known to call victim companies impersonating payee companies.
- Cyber security: As the FBI suspects that many of these frauds are preceded by the fraudsters hacking into either staff email accounts or the company’s broader IT system, companies should take steps to improve their overall cyber security, including training staff to recognize and avoid opening phishing emails.
- Have a plan: Companies should implement a response plan to quickly and effectively freeze transferred money once a BEC scam has been discovered. The plan should set out what steps should be taken and, importantly, who is empowered to take them. The first minutes after discovery are vital, and preparation can prevent the confusion, fear and paralysis that often slow down an effective response.
- Business partners: The BEC scam can cause great stress to business relationships. Once the money is stolen, someone will have to absorb the loss. And the situation gets even stickier where one party is defrauded on account of its counterparty having been hacked. Companies should consider addressing the risk of BEC fraud with their various business partners, even by including language in commercial agreements on how to handle the fallout from such scams.
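The “Verify” step above can be partly automated on the finance team’s side: before any outbound payment request is acted on, compare the sender address against the contacts that are allowed to send payment instructions and flag the article’s hallmarks (lookalike address, payee account switch, “confidential” or urgent wording) for mandatory telephone confirmation. The following is an added example written for this article, not code from the authors or from any product; the trusted addresses, the lookalike substitutions and the hallmark phrases are constructed sample data.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed sample: the only addresses allowed to send payment instructions.
TRUSTED_SENDERS = {"ap@acme-supplies.com", "ceo@hkexample.com"}

# Constructed hallmark phrases drawn from the article (phrase -> reason shown to staff).
HALLMARKS = {
    "new bank account": "payee account switch",
    "confidential": "request for a 'confidential' transfer",
    "as soon as possible": "pressure to pay quickly",
    "urgent": "pressure to pay quickly",
}

# Visual substitutions that make a forged address read like the real one.
# Assumption: these digraph/digit swaps cover the common cases; they are illustrative.
LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(addr: str) -> str:
    """Fold case, strip accented or decorative Unicode, collapse visual lookalikes."""
    s = unicodedata.normalize("NFKD", addr.lower()).encode("ascii", "ignore").decode()
    for fake, real in LOOKALIKES:
        s = s.replace(fake, real)
    return s

def classify_sender(addr: str, trusted=TRUSTED_SENDERS) -> str:
    """'trusted' on an exact match, 'lookalike' on a near-match, 'unknown' otherwise."""
    if addr.lower() in trusted:
        return "trusted"
    norm = normalize(addr)
    for known in trusted:
        known_norm = normalize(known)
        # Identical after folding, or one or two characters off, is the BEC pattern.
        if norm == known_norm or SequenceMatcher(None, norm, known_norm).ratio() >= 0.9:
            return "lookalike"
    return "unknown"

def assess_payment_request(sender: str, text: str) -> list:
    """Return the reasons this request must be confirmed by telephone (empty = none)."""
    reasons = []
    verdict = classify_sender(sender)
    if verdict == "lookalike":
        reasons.append(f"sender {sender} resembles a trusted contact but is not identical")
    elif verdict == "unknown":
        reasons.append(f"sender {sender} is not a known payment contact")
    body = text.lower()
    for phrase, why in HALLMARKS.items():
        if phrase in body and why not in reasons:
            reasons.append(why)
    return reasons
```

A non-empty result should block the payment until the payee is reached on a previously known telephone number; the check is a prompt for the human verification the article describes, not a replacement for it.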
Business Email Compromise is a global fraud trend that threatens all Hong Kong companies. Company management should take steps to address the risk and a good first step is to pass this article to your finance team. For more information, please contact the authors of this article.
This article was initially published in 21st Century Director, official magazine of HKIoD (The Hong Kong Institute of Directors). The link to the article can be found on http://www.hkiod.com/21century.html and the pdf on http://www.hkiod.com/document/21century/issue_17/17th_Issue_risk_mgt.pdf