What is Business Email Compromise?

Overview of Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes – by FinCEN Advisory

Advisory for Attention of CEOs, COOs, CROs, Chief Compliance/BSA Officers, BSA/AML Analysts/Investigators, Information Technology staff, Cybersecurity Units, Fraud Prevention Units, Legal Departments.

In its 12-page review, the FinCEN Advisory breaks down the current rising trends in email compromise fraud. By definition, Email Compromise Fraud includes criminal use of a victim’s email accounts: (1) to send false payment instructions to financial institutions or business associates with the intent to steal funds or value; or (2) to assist in the fraudulent transmission of data in order to commit financial fraud. Updated modifications of email compromise include:

  • Business Email Compromise (BEC) targets financial institutions or customer accounts that are operational entities, including commercial, non-profit, non-governmental, or government entities
  • Email Account Compromise (EAC) targets individuals’ personal email accounts[1]

The “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes” was issued to discuss how over $9 billion in possible losses resulted from business email compromise schemes since 2016.

In the original document, the BEC Advisory was disseminated to alert financial institutions to predominant trends in reported business email compromise fraud. The key sectors, entities, and vulnerable business processes targeted were listed, and the update includes guidance on:

  • updated operational definitions for email compromise fraud
  • targeting of non-business entities and data by BEC schemes
  • general trends targeting sectors and jurisdictions
  • alerts to financial institutions on risks associated with vulnerable business processes

The U.S. government and industry have engaged heavily to curtail email compromise fraud, but reported incidents have continued to rise. The FBI reported over $12 billion in potential losses, domestically and internationally, from email compromise fraud.[2]

Since that time the BEC Advisory has tracked almost $9 billion in attempted theft from fraud schemes affecting U.S. financial institutions and their customers. These fraud schemes exemplify a “significant economic impact on the businesses, individuals, and even governments that are targeted.”

Financial institutions have collectively catalogued the nature and victims of email compromise schemes and provided this information to FinCEN, which will be highlighted later. Financial institutions play an important role in identifying, preventing, and reporting fraud schemes, and in communicating and collaborating with other institutions within the industry.

Updated Operational Definitions for Email Compromise Fraud

Definitions of email compromise fraud were broadened to clarify that such fraud targets a variety of types of entities and may be used to misdirect any kind of payment or transmittal of other things of value. Examples extend from wire transfers to now include “fraudulently inducing funds or value transfers through other methods of payment,” such as “virtual currency payments, automated clearing house transfers and purchases of gift cards.”[3] The following definitions should be added to refine AML/CFT frameworks so that they better detect and report suspected illicit financial activity, including instances of email compromise fraud involving transactions.

BEC Fraud & High Net Worth Individuals

The list of victims of BEC was extended to include increasing attacks against individuals with high net worth, and entities that “routinely use email to make or arrange payments between partners, customers, or suppliers.”

BEC Fraud in Government

Growing numbers of government organizations have experienced cyber attacks on accounts used for pension funds, payroll, and contracted services, with losses impacting government operations, government employees, citizens, and vendors. Vendor impersonation is often used to present familiar-looking messages from a trusted party in a leadership position, requesting that the authorized counterparty initiate or process a transaction.

BEC Fraud & Educational Institutions

Higher education institutions have the highest concentration of high-yield BEC fraud. Transactions including tuition, endowments, grants, renovation, and construction costs are high-dollar exchanges targeted by BEC criminals.

Compromised or spoofed emails are used to exploit business relationships between the academic institution and contracted service providers, using falsified but authentic-looking payment requests. Large construction and renovation projects have repeatedly been the source of high-dollar thefts.

BEC Fraud in Financial Institutions

Criminals spoof bank domains and send impersonated messages that mirror official communications between bank employees, appearing to come from a legitimate institution (e.g., a Society for Worldwide Interbank Financial Telecommunication (SWIFT) department) to the financial institution, complete with payment instructions and reference numbers.

Top Sectors Targeted in BEC

BEC schemes commonly target (1) manufacturing and construction (25% of reported cases), (2) commercial services (18%), and (3) real estate (16%). It appears BEC criminals are using more sophisticated methods to target these industries to increase the likelihood of success.

Falsified “vendor and client invoices are generally affiliated with larger BEC transaction amounts,” even bigger than CEO fraud schemes, possibly because of the higher expected and previously recurrent transaction amounts paid for goods and services.

It is particularly interesting that “vendor impersonation scams often involve foreign intermediary beneficiaries receiving the initial flow of illicit funds. BEC criminals are likely exploiting the common use of foreign vendors and attempting to reduce the likelihood of financial institutions and customers recognizing the suspicious nature of the transaction.”

For BEC-related transactions that originate outside of the US, the FBI has designated China, Hong Kong, the UK, Mexico, and Turkey as prominent destinations of BEC-derived funds.

Vulnerable Business Processes Compromised

BEC criminals continue to increase the sophistication of their methods to ensure increasingly higher rates of success. Processes vulnerable to compromise, whether through openly available information about targets or through cyber-enabled reconnaissance such as spear phishing or malware, allow criminals to insert themselves into an exchange as a key party within a business relationship or its transactions.

Criminals become familiar with the victim’s habits and business processes and pair that knowledge with weaknesses in the victim’s authorization and authentication protocols.[4] These methods have proven “extremely effective” in developing falsified information used to send wires to accounts controlled by a BEC criminal. Through awareness campaigns that help organizations “understand the nature of these social engineering schemes and assessing and mitigating their business process vulnerabilities to compromise, financial institutions and their customers can reduce their susceptibility to BEC fraud.”[5]

BEC schemes and their beneficiaries play roles in larger criminal networks and laundering efforts. Under the USA PATRIOT Act section 314(b) safe harbor protections,[6] financial organizations may share information regarding BEC fraud in order to identify and, when necessary, report suspicious activities that may involve terrorist or money laundering activity.[7]

Over 6,000 instances and over $2.6 billion in attempted and successful transactions related to suspected money laundering activity through BEC schemes have been identified since November 2016. Financial institutions have been encouraged to share valuable information about BEC beneficiaries and perpetrators to help protect other targeted institutions and their customers from facing similar devastating losses, and to identify and curtail the financial crimes and trafficking of funds through broader criminal money laundering networks.

[1] Definitions of BEC and EAC from the 2016 BEC Advisory.

[2] See FBI Alert I-071218-PSA, “Business E-mail Compromise the 12 Billion Dollar Scam,” July 12, 2018.

[3] The 2016 BEC Advisory definition was extended from wire transfers to virtual currency payments, automated clearing house transfers, and the purchase of gift cards.

[4] BEC perpetrators may leverage cyber-enabled reconnaissance efforts such as skillful social engineering or computer intrusions to gain sufficient knowledge of the organizations’ business processes.

[5] FinCEN Advisory FIN-2019-A005, “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes,” July 16, 2019.

[6] See Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (“USA PATRIOT Act”), Pub. L. No. 107-56, § 314(b); and 31 CFR § 103.110(b)(5).

[7] For FinCEN’s guidance clarifying that 314(b) participants may share information related to transactions, as well as the underlying specified unlawful activities, under the protection of the 314(b) safe harbor if the participant suspects that transactions may involve the proceeds of specified unlawful activities under money laundering statutes, see FinCEN Guidance FIN-2009-G002 “Guidance on the Scope of Permissible Information Sharing Covered by Section 314(b) Safe Harbor of the USA PATRIOT Act,” June 16, 2009.
