E-mail Compromise – Is Your Institution Vulnerable? Do You Know How to Report It?
On September 2016, the Financial Crimes Enforcement Network (FinCEN) updated its Suspicious Activity Report (SAR) Key Advisory Terms to add a new key term. FinCEN periodically issues these advisories to provide institutions with guidance on potential threats that may affect the U.S. financial banking system. The advisories also provide guidance to financial institutions on preparing SARs related to the covered activity. This article will discuss the details of the September 2016 advisory, including SAR preparation tips. The most recent advisory term addition, e-mail compromise, was the result of a recent spate of compromised personal and business e-mail accounts. According to the FBI, there have been approximately 22,000 reported cases involving $3.1 billion since 2013. These scams not only hit businesses and individuals but also financial institutions directly. The scams present themselves as follows: Business e-mail compromise (BEC) fraud, which means the cyber criminal is targeting a financial institution's commercial customers, and e-mail account compromise (EAC), which involves a victim's personal accounts.
According to FinCEN, the e-mail compromise schemes involve three phases. In phase one, the cyber criminal unlawfully accesses a victim's e-mail account through manipulating the victim to give up confidential identifying information or via computer intrusion. The criminal uses this information to gain access to the victim's financial institution, account details, and personal and professional contacts. In the second phase, the criminal uses the stolen information to e-mail fraudulent wire transfer instructions to the victim’s financial institution pretending to be the victim or a trusted employee of the victim. This ruse works because the criminal actually uses the victim’s e-mail account to give the appearance that the victim is the originator of the wire. For the final phase, based on the information provided by the victim or their employee, the financial institution is tricked into conducting wire transfers that appear legitimate but are in fact unauthorized.
Each key term is directly related to a FinCEN advisory detailing the background and use of the key term. FinCEN Advisory FIN-2016-A003 lists three illustrative BEC and three illustrative EAC scenarios. In the first BEC scenario, the cyber criminal impersonates a financial institution's commercial customer. The criminal hacks into and uses the e-mail account of a Company A employee to send fraudulent wire transfer instructions to Company A’s financial institution. Based on this request, Company A’s financial institution issues a wire transfer and sends funds to an account the criminal controls. In this scenario, the criminal impersonating the financial institution’s customer prompted the financial institution to execute an unauthorized wire transfer.
In the second BEC scenario, the cyber criminal impersonates a company executive. The criminal hacks into and uses the e-mail account of a Company B executive to send wire transfer instructions to a Company B employee who is responsible for processing and issuing payments. The employee, believing the executive’s e-mailed instructions are legitimate, orders Company B’s financial institution to execute the wire transfer. In this scenario, the criminal impersonating a company executive misled a company employee into unintentionally authorizing a fraudulent wire transfer to a criminal-controlled account. This scenario has happened to several financial institutions where the President was out on vacation or at a conference and the assistant to the President received a wire request from the President’s e-mail account requesting funds to be transferred to a named beneficiary on behalf of the institution.
In the final BEC scenario, a criminal impersonates one of Company C’s suppliers by e-mailing and informing Company C that future invoice payments should be sent to a new account number and location. Based on this fraudulent e-mailed information, Company C updates its supplier’s payment information on record and submits the new wire transfer instructions to its financial institution, which in turn directs payments to an account controlled by the criminal. In this scenario, the criminal impersonating a supplier provided fraudulent payment information to mislead a company employee into unintentionally directing wire transfers to a criminal-controlled account.
FinCEN also provides three EAC scenarios in its guidance. The first scenario includes lending and brokerage services. The cyber criminal hacks into and uses the e-mail account of a financial services professional (such as a broker or accountant) to e-mail fraudulent instructions, allegedly on behalf of a client, to the client’s institution or brokerage to wire transfer the client’s funds to an account controlled by the criminal. The second scenario involves real estate services. The criminal compromises the e-mail account of a realtor or of an individual purchasing or selling real estate for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternatively, a criminal hacks into and uses a realtor’s e-mail address to contact an escrow company instructing it to redirect commission proceeds to an account controlled by the criminal. The third scenario involves legal services. The criminal compromises an attorney’s e-mail account to access client information and related transactions. The criminal then e-mails fraudulent transaction payment instructions to the attorney’s financial institution. Alternatively, the criminal may compromise a client’s e-mail account to request wire transfers from trust and escrow accounts the client’s attorney manages.
The FinCEN advisory provides a list of red flags and guidance on how to authenticate a potentially fraudulent e-mail address. The danger of this type of cyber attack is that these transactions are often irrevocable, which renders financial institutions and their customers unable to cancel payment or recall the funds. Therefore, it is important for financial institutions to have procedures in place to identify potentially fraudulent transaction payment instructions before payments are issued.
About the only good news is that working with the FBI and the United States Secret Service, FinCEN has helped recover hundreds of millions of dollars. Their best success was when victims reported unauthorized wire transfers to law enforcement within 24 hours.
Related FinCEN guidance on SAR preparation states that a SAR must be filed for e-mail compromises if the transaction is attempted or completed and if the total amount of loss or potential loss meets the SAR filing thresholds. The thresholds are $5,000 if a subject is identified or $25,000 if no subject is identified. Keep in mind, if the funds transfer request lists a beneficiary, then there is a potential subject for purposes of meeting the $5,000 threshold. In addition, it is important that the SAR be completed using the term “e-mail compromise” and the related BEC or EAC acronyms be listed in SAR field 31(z) Other and in the beginning of the narrative. For example, “We are filing this SAR because of e-mail compromise against a business customer (BEC).” The narrative should also provide as much information as possible on IP addresses of the e-mail address, including related timestamps.
Financial institutions should take advantage of this helpful resource from FinCEN and use the six scenarios as training tools both internally and externally for employees and business accounts. Furthermore, by making sure the SAR preparers and reviewers are up to date on the key terms and use those key terms consistently in the body of the SAR and the narrative, it will allow law enforcement to track this activity and determine whether there are potential trends when matches in IP addresses or beneficiaries are identified.