Financial institutions should be aware of a growing number of e-mail compromise schemes, the Financial Crimes Enforcement Network (FinCEN) warned in a new advisory bulletin.
What happened
Developed in coordination with the Federal Bureau of Investigation (FBI) and the U.S. Secret Service, FIN-2016-A003 puts banks on notice that criminals are misappropriating funds by compromising the e-mail accounts of victims to send fraudulent wire transfer instructions to financial institutions.
The scams are a growing trend, with approximately 22,000 reported cases involving $3.1 billion since 2013, and appear in two forms: business e-mail compromise (BEC) fraud, targeting a financial institution's commercial customers, and e-mail account compromise (EAC), which involves a victim's personal accounts.
The e-mail compromise schemes involve three stages, FinCEN explained. First, criminals unlawfully access a victim's e-mail account through social engineering or computer intrusion, gaining access to information about the victim's financial institutions, account details, and contacts. In the second stage, the criminals use the stolen information to e-mail fraudulent wire transfer instructions to the financial institution in a manner that appears to be from the victim.
Criminals will use either the victim's actual e-mail account or create a fake e-mail account resembling the victim's e-mail, the advisory said. For the final stage, criminals trick the victim's employee or financial institution into conducting wire transfers that appear legitimate but are in fact unauthorized. Banks in Hong Kong and China are common destinations for fraudulent transactions, FinCEN added.
The advisory provided three examples of common BEC and EAC schemes. In the BEC illustrations, a criminal impersonates a financial institution's commercial customer, asking the bank to pay $200,000 for business activity to an account in Hong Kong, or the criminal impersonates a company executive, instructing an employee to effectuate a transfer. Scams have also involved criminals pretending to be a supplier, providing fraudulent payment information to mislead a company employee into unintentionally directing wire transfers to a criminal-controlled account.
As for EAC schemes, "[i]ndividuals who conduct large transactions through financial institutions, lending entities, real estate companies, and law firms are the most likely targets," FinCEN cautioned. Common scenarios include criminals who impersonate lending or brokerage services to transfer money ostensibly on behalf of a client or impersonate attorneys to tap into client funds.
How to combat the scams? "Success in detecting and stopping BEC and EAC schemes requires careful review and verification of customers' transaction instructions and consideration of the circumstances surrounding such instructions," the advisory said.
FinCEN offered red flags for BEC and EAC fraud, emphasizing that no single transactional red flag necessarily indicates suspicious activities and that financial institutions should also perform additional inquiries and investigations where appropriate. Red flags include seemingly legitimate e-mails that "contain different language, timing, and amounts" than previously verified, messages from a familiar source with a slightly altered e-mail address (such as an underscore instead of a dash, or a single letter transposed), and wire transfer instructions to a foreign bank account that has been documented as the destination of fraudulent transactions.
Also problematic: e-mailed transaction instructions that feature markings, assertions, or language designating the transaction request as "Urgent," "Secret," or "Confidential," as well as instructions "that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction," according to the advisory.
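The red flags above (a sender address one character off a verified contact, "Urgent"/"Secret"/"Confidential" markings, a beneficiary already documented in fraud cases, an amount out of line with the customer's history) implemented as a screening routine over a single e-mailed wire request. This is an added example, not part of the advisory or this article; the Damerau-Levenshtein matching with a distance threshold of 2, the twice-the-largest-prior-wire amount rule, the lowercase verified-address set and the account identifier format are all assumptions made for illustration.

```python
"""Screening e-mailed wire instructions against the FIN-2016-A003 red flags.
Added example, not the advisory's: thresholds, marker list and the address/
account formats below are constructed for illustration."""
from dataclasses import dataclass

URGENCY_MARKERS = ("urgent", "secret", "confidential")  # named in the advisory

@dataclass
class WireRequest:
    sender: str       # From: address as received
    subject: str
    body: str
    amount: float
    beneficiary: str  # destination account identifier (constructed format)

def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance, so one
    transposed letter, or '_' in place of '-', costs exactly 1."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def lookalike_of(sender, verified):
    """Verified (lowercase) address that `sender` nearly matches but is not."""
    s = sender.lower()
    return next((v for v in verified if s != v and osa_distance(s, v) <= 2), None)

def screen(req, verified, history, documented_fraud_accounts):
    """Return the red flags raised (verified = lowercase addresses on file). Per the
    advisory no single flag is conclusive: any hit means verify out of band."""
    flags = []
    if req.sender.lower() not in verified:
        twin = lookalike_of(req.sender, verified)
        flags.append(f"sender resembles verified contact {twin}" if twin else "sender not on file")
    text = f"{req.subject} {req.body}".lower()
    hits = [m for m in URGENCY_MARKERS if m in text]
    if hits:
        flags.append("pressure markers: " + ", ".join(hits))
    if req.beneficiary in documented_fraud_accounts:
        flags.append("beneficiary documented in prior fraud")
    if history and req.amount > 2 * max(history):
        flags.append("amount exceeds twice the customer's largest prior wire")
    return flags
```

A non-empty result should route the request to a callback on a phone number already on file, never to contact details taken from the e-mail itself.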
FIN-2016-A003 also encouraged financial institutions to report BEC and EAC fraud, even where attempts are unsuccessful. Although transactions are often irrevocable, victims or financial institutions that report unauthorized wire transfers to law enforcement within 24 hours have greater success at recovery, in part due to FinCEN's partnership with the FBI and Secret Service.
In addition, financial institutions may have an obligation to report a scam. "With respect to e-mail-compromise fraud, a financial institution may have a [Suspicious Activity Report] filing obligation regardless of whether the scheme or involved transactions were successful, and regardless of whether the financial institution or its customers incurred an actual loss," FinCEN said.
Why it matters
Financial institutions would be well served to use extra caution when handling e-mail requests for wire transfers. FinCEN urged banks to consider all the surrounding facts and circumstances in conjunction with the red flags described in the advisory, and to perform additional inquiries and investigations where appropriate. "Financial institutions can play an important role in identifying, preventing, and reporting fraud schemes by promoting greater communication and collaboration among their internal anti-money laundering, business, fraud prevention, and cybersecurity units," the advisory stated. Financial institutions should identify customers more likely to be the targets of such e-mail scams and consider educational outreach programs to build their working relationships with those customers.