14 Apr 2016

Business Email Compromise (BEC) – Industry Examples

road-sign-464641_1280-520x245
Share:

Imposter emails targeting businesses today are far more sophisticated than traditional phishing emails or the “Nigerian prince” emails of yesteryear. These new Business Email Compromise (BEC) attacks use imposter emails that reflect a deep understanding of people’s roles and messaging patterns within a target organization.

Here’s how BEC attacks often play out for several reference industries:

Law Firms and their Clients

An email purporting to have been sent from the litigation law partner is sent to the law partner’s client, using information commonly found in litigation filings, requesting the client to add funds for additional expert costs. The client replies to the email. The reply email is siphoned off and invisibly routes to the Internet criminal. The Internet criminal, again posing as the law partner, replies with details and wire instructions; as well as an expression of urgency and importance to the case. The client forwards the email containing the wire instructions to their accounting department with a note to urgently fund the litigation expense. Sometimes the Internet criminal targets the accounting staff directly. The client funds route to the imposter bank account. If the financial crime is even detected later, when invoices and fees are being reconciled, it is too late. Funds have been diverted to foreign bank accounts, lost forever.

Insurance Agents, Brokers and their Clients

An email purporting to have been sent from the insurance agent or broker staff is sent to the agent/broker’s client, using information about common insurance policies that are about to expire if not immediately renewed, such as directors and officers liability insurance. Sometimes details of the insurance policies are inserted which can be identified in litigation court filings which are public. The email requests that the client immediately pay a portion of the policy renewal to avoid a lapse in coverage. The client replies to the email. The reply email is siphoned off and invisibly routes to the Internet criminal. The Internet criminal, again posing as the insurance company staff member, replies with details and wire instructions; as well as an expression of urgency and importance to avoid the coverage lapse. The client forwards the email containing the wire instructions to their accounting department with a note to urgently fund the insurance renewal expense. Sometimes the Internet criminal targets the accounting staff directly. The client funds route to the imposter bank account. If the financial crime is even detected later, when invoices and fees are being reconciled, it is too late. Funds have been diverted to foreign bank accounts, lost forever.

Home Buyers, Realtors, Escrow Agents, and Title Insurance Companies

An email purporting to have been sent from the seller’s real estate agent is sent to the buyer’s agent, using information about a soft offer that has come in and that if the transaction does not now close, the home buyer may lose the deal. Sometimes details of the actual transaction are inserted which can be identified in public filings and through online listing service back-end paid access. The email requests that the buyer’s agent immediately arrange to have paid a portion of the down payment to lock in the deal. The buyer’s agent replies to the email. The reply email is siphoned off and invisibly routes to the Internet criminal. The Internet criminal, again posing as the seller’s agent or staff member, replies with details and wire instructions; as well as an expression of urgency and importance to avoid losing the deal. The buyer’s agent forwards the email containing the wire instructions to the buyer with a note to urgently fund the portion of the down payment. Sometimes the Internet criminal targets the escrow agent, title insurance company, or home buyer directly. The client funds route to the imposter bank account. The financial crime is often detected 3-4 days later, after the home buyer is asked to send funds for a legitimate closing. At this point, it is too late. Funds have been diverted to foreign bank accounts, lost forever.

Business Finance and Human Resources Staff

An email purporting to have been sent from one of the company’s senior management is sent to someone in the finance department, using information about an invoice that needs to be urgently paid to avoid being cut off by a supplier. Sometimes details of the actual transaction are inserted using general purpose identifiers such as “technology expense” or “due diligence expense”. The email requests that the back-office staff immediately arrange to have paid the invoice amount. The back-office staff member replies to the email. The reply email is siphoned off and invisibly routes to the Internet criminal. The Internet criminal, again posing as the senior business executive, replies with details and wire instructions; as well as an expression of urgency and importance to avoid a business disruption. The staff funds by wire or sends a company check. Funds route to the imposter bank account. The financial crime is often not detected until months later during an audit or reconciliation, if ever. Funds have been diverted to foreign bank accounts, lost forever.

Registered Investment Advisors (RIAs)

An email purporting to have been sent from a client arrives in the inbox of an investment advisor. The email requests that funds be wired immediately to the client due to an emergency of some sort. The RIA may reply to the email to gain confirmation and that message is then siphoned off and invisibly routed to the Internet criminal. The Internet criminal, again posing as the client, replies and includes wiring instructions along with personal information including family details and the nature of his assets, attempting to prove his identity. Much of this information can be found using social media accounts. If an investment advisor or a staff member wires the funds, they will be diverted to a foreign bank account and lost forever.

 

Share: