Don't Fall Victim to the Business E-mail Compromise Scam

July 23, 2018

West African organized-crime rings have been targeting U.S. businesses with "business e-mail compromise" scams that are costing firms millions of dollars every year.


Losses to businesses that are targeted by these scams hit an all-time high in the first quarter of 2018, with $685 million in losses reported by 4,081 victims. That's more than the amount lost for all of 2017 in such scams: $675 million.


The gangs send fake messages to businesses' finance departments purporting to be a vendor for the company with an invoice requiring payment.


These criminals do research before targeting companies, meaning they go to company websites and look for the right people to send e-mails to. They may even pull annual reports and find what companies they do business with, and then spoof those accounts (meaning they impersonate other firms in the e-mails).


Some criminals will fake a CEO's e-mail account and e-mail that company's finance office ordering payment to a certain account. In one case cited by Dow Jones Newswires, a real estate attorney received an e-mail purportedly from the sellers of a local property, asking the lawyer to wire the proceeds of the sale to the criminals' bank account. The lawyer wired $246,218.83 to the scammers.



The main scams


Money request via compromised account of company exec

  1. A criminal compromises or spoofs the e-mail account of an executive, such as the CEO.
  2. The criminal sends a request for a wire transfer from the compromised account to an employee who is responsible for processing these requests and is subordinate to the executive, such as the controller.
  3. The controller submits a wire payment request, as per instructions from his or her "boss."

Invoice from supplier via spoofed e-mail address

A fraudster compromises the e-mail of a business user employed by their target company; for example, someone in accounts payable. This is how it's done:

  1. The criminal monitors e-mail of the business user, looking for vendor invoices.
  2. The criminal finds a legitimate invoice and modifies the beneficiary information, such as changing the routing number and account number to which payment is to be sent.
  3. The scammer then spoofs the vendor's e-mail to submit the modified invoice.
  4. Accounts payable, recognizing the vendor name and services provided, processes the invoice and submits a wire request for payment.

How to avoid getting burned

  • Confirm an e-mailed monetary request purportedly from a company executive by creating a new e-mail and entering their known e-mail address; don't reply to the suspicious e-mail, as the reply will likely go to the criminal.
  • The e-mails typically have a similar tone, urging secrecy and expedience. Set up your e-mail gateway to flag key words such as "payment," "urgent," "sensitive" or "secret."
  • Look for odd uses of the English language. Many of the scammers are foreigners abroad.
  • Although the late-stage e-mails used in these scams may not contain malware, malicious code is often used as part of an overall scheme to initially compromise an employee's e-mail account. So, make sure you have an effective malware detection solution in place.
  • Register all domains that are slightly different from the actual company domain.
  • Scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
  • Ask your accounts payable staff to get to know the habits of your customers, including the details, reasons and amounts of their usual payments.
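The first, second and fifth checks in the list above can be automated at the mail gateway. The following is an added Python example, not code from the original post: it flags a Reply-To that differs from the From address (the reply would go to the criminal), a sender or reply-to domain within a couple of edits of the company's own domain (a lookalike), and the key words named above. The sample message, the domain example-corp.com and the edit-distance threshold are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Key words the post suggests flagging at the e-mail gateway.
URGENCY_TERMS = ("payment", "urgent", "sensitive", "secret")

def levenshtein(a, b):
    """Edit distance; a small value between two different domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_message(raw, company_domain, max_edits=2):
    """Return the BEC indicators found in one RFC 5322 message (threshold is an assumption)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    # A Reply-To that differs from From sends the victim's reply somewhere else.
    reply_to_mismatch = bool(reply_to) and reply_to != from_addr
    lookalikes = []
    for addr in (from_addr, reply_to):
        dom = addr.rpartition("@")[2]
        if dom and dom != company_domain and levenshtein(dom, company_domain) <= max_edits:
            lookalikes.append(dom)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    return {"reply_to_mismatch": reply_to_mismatch,
            "lookalike_domains": lookalikes,
            "urgency_terms": hits}

# Constructed sample: the executive's real address in From, a lookalike domain in Reply-To.
SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Reply-To: jane.doe@examp1e-corp.com
To: controller@example-corp.com
Subject: Urgent wire payment

Please keep this sensitive matter secret and process the payment today.
"""

if __name__ == "__main__":
    print(analyze_message(SAMPLE, "example-corp.com"))
```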

