Posted by Justin S. Cohen
Cyber criminals are targeting U.S. companies on a daily basis—many seeking to steal funds through fraudulent funds transfers. While the hackers’ methods are technically sophisticated, the plan is simple: a hacker takes control of a business email account, learns how the company moves money (such as through wire transfers), then sends an email to initiate a fraudulent transfer. Trend Micro reported that the average business email compromise (“BEC”) attack in 2016 cost the victim approximately $140,000. The FBI reported that BEC scams accounted for more than $12.5 billion in losses for U.S. companies in 2018, exceeding all expectations. We here at Thompson & Knight have seen an uptick in these attacks and their sophistication and have some suggestions on how companies can protect themselves.
The Problem: Business Email Compromise
Cyber criminals use BECs to steal from companies using fraudulent funds transfers, such as by changing direct deposit instructions, wire transfer instructions, or requesting business checks. A BEC begins with hackers gaining full control of a person’s email account so they can read that person’s emails, delete emails, re-direct emails using inbox rules, and send emails as if they were that person. The hackers focus on the email accounts of C-suite executives, controllers, and those involved in funds transfers (e.g., direct deposit instructions, wire transfers, check writing). The identities of the right people can usually be deduced from a few LinkedIn searches. Hackers track out-of-office messages and social media to determine when executives may be away from the office.
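The inbox rules mentioned above (rules that forward, hide, or delete mail so the account owner never notices the intruder's activity) are one of the few BEC artifacts an IT team can audit directly. The following script is an added illustration, not code from the original post or from Thompson & Knight: it flags rules that forward mail outside the company domain, auto-delete mail, or file mail into seldom-read folders, and notes when such a rule also filters on funds-transfer subjects or carries a blank or one-character name. The rule records and the field names (owner, name, forward_to, move_to_folder, delete, subject_contains) are constructed assumptions that would need to be mapped onto your own mail platform's export format.

```python
"""Flag mailbox inbox rules with the hallmarks of a business email compromise.

Added illustration, not code from the original post. The rule records are
constructed to resemble an administrator's export of users' inbox rules; the
field names (owner, name, forward_to, move_to_folder, delete, subject_contains)
are hypothetical and would need to be mapped onto your own mail platform's
export format before use.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INTERNAL_DOMAIN = "example.com"  # assumed company mail domain

# Folders a rule can move diverted mail into so the mailbox owner rarely sees it
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}

# Subject terms tied to funds transfers; matched as whole words only
MONEY_RE = re.compile(r"\b(wire|invoice|payment|ach|direct deposit|payroll|bank)\b", re.I)


@dataclass
class InboxRule:
    owner: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete: bool = False
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address is outside the company's own domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def audit_rule(rule: InboxRule) -> List[str]:
    """Return a list of findings; an empty list means the rule looks benign."""
    findings: List[str] = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards mail outside the company: " + ", ".join(external))
    if rule.delete:
        findings.append("deletes matching mail before the owner sees it")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves mail into a seldom-read folder ({rule.move_to_folder})")
    # Money-related subject filters only matter once the rule also diverts mail
    money_terms = [t for t in rule.subject_contains if MONEY_RE.search(t)]
    if findings and money_terms:
        findings.append("filters on funds-transfer subjects: " + ", ".join(money_terms))
    # A blank or one-character name keeps a planted rule inconspicuous in the rule list
    if len(rule.name.strip()) <= 1:
        findings.append("rule has an empty or single-character name")
    return findings


def audit_mailboxes(rules: List[InboxRule]) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Group suspicious rules by mailbox owner, dropping rules with no findings."""
    report: Dict[str, List[Tuple[str, List[str]]]] = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule.owner, []).append((rule.name, findings))
    return report


# Constructed sample export: two suspicious rules and two legitimate ones
SAMPLE_RULES = [
    InboxRule("cfo@example.com", ".", forward_to=["cfo.backup@mailservice.invalid"],
              subject_contains=["wire"]),
    InboxRule("cfo@example.com", "Newsletters", move_to_folder="Newsletters",
              subject_contains=["newsletter"]),
    InboxRule("controller@example.com", "payments", move_to_folder="RSS Feeds",
              subject_contains=["invoice", "payment"]),
    InboxRule("ap@example.com", "Vendor updates", forward_to=["ap-team@example.com"]),
]

if __name__ == "__main__":
    for owner, hits in audit_mailboxes(SAMPLE_RULES).items():
        for name, findings in hits:
            print(f"{owner}: rule '{name}'")
            for finding in findings:
                print(f"    - {finding}")
```

Run against the sample data, the script reports the CFO's one-character rule that forwards wire-related mail to an outside address and the controller's rule that files invoice and payment mail into the RSS Feeds folder, while the two ordinary rules produce no findings. Reviewing such a report alongside the non-email confirmation steps recommended below gives finance and IT a concrete check that a mailbox used for funds transfers has not been quietly redirected.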
Once hackers gain control over a particular email account, they will study the company’s procedures and email traffic, sometimes for months. After learning about the company and how it handles wire transfer requests, they will begin their attack. Typically, they will write emails from the executive’s account requesting rush wire transfers to offshore accounts. Most are careful to make requests that will be acted upon quickly without raising too much suspicion (e.g., by crafting the email with a sense of urgency). These criminals often start small and then increase their activity and the wire transfer amounts until someone spots the theft. Some of these attacks can go on for months. Many target a one-month window to avoid detection.
We have also seen schemes where criminals impersonate suppliers or business partners and send new wire transfer instructions for upcoming payments. In other cases, criminals impersonate employees and send emails requesting changes to payroll direct-deposit instructions. Such criminals may also watch emails during the run-up to a merger or acquisition, then send fraudulent wire transfer instructions near the closing.
Compounding the problem is that when a BEC occurs, (1) the funds are rarely recoverable and (2) many crime and cyber insurance policies do not cover these sorts of losses.
The Solution: Be Aware and Implement Layered Security
Here are a few suggestions to protect your company from these threats:
- Update your funds transfer policies to ensure that there are non-email confirmations/multi-factor authentication to confirm wiring/payment instructions for certain incoming and outgoing funds transfers. This can be as simple as requiring a phone call or video chat between people who know one another. Include a plan for handling suspicious funds transfer instructions.
- Meet with your financial institutions to ensure everyone has a clear understanding of the protocols in place to handle wire transfers. If the protocol is simply “wire based on email instructions,” the financial institution typically will claim no liability.
- Review cyber insurance policies to ensure that these types of criminal events are covered, including coverage for the stolen funds.
- Implement periodic cybersecurity training for executives and employees, especially those involved in funds transfers. Such training should include periodic test “phishing” emails from your IT department or a security vendor so people become accustomed to spotting suspicious emails.
- Use multi-factor authentication for email accounts, especially email accounts like Office 365 that are accessible via the Internet.
Guarding against wire transfer fraud through business email compromise requires a layered approach. Companies should also prepare for a possible incident and ensure that their cybersecurity policy covers not only the cost of responding to an incident, but also the stolen funds.