

You’ve Got (Suspicious) Mail: Email Compromise Fraud

Oct 29, 2017

The imminent threat posed by cyber attacks is constantly changing and always seems to be top of mind at each institution we visit. One aspect of this threat is how email compromise fraud has evolved over time, becoming more sophisticated and a larger risk to its victims. The Financial Crimes Enforcement Network (FinCEN) announced that from 2013 through June 2016 there had been approximately 22,000 reported cases that totaled $3.1 billion. Email compromise fraud has been reported in all 50 states and in 131 countries according to the statistics released by the FBI. Financial institutions should all be aware of the red flags indicating a possible fraudulent attempt and implement preventative measures to protect themselves and their customers or members.

What Is Email Compromise Fraud?
Email compromise fraud is a general term to describe the various schemes criminals employ to compromise a victim’s email account in order to complete fraudulent transactions to misappropriate funds, most often in the form of a wire transfer. There are two main types of email compromise fraud: business email compromise (BEC) and email account compromise (EAC). BEC occurs when a cyber criminal targets the commercial customers or members of a financial institution, and EAC occurs when the victim’s personal account is the target. Victims are small businesses, large corporations, and persons of all ages. 

FinCEN has broken down how email compromise fraud works by outlining three stages. In stage one, the criminal accesses the victim's email account by manipulating the victim into giving up confidential identifying information, or via computer intrusion or social engineering. After monitoring the victim, the criminal uses what is called “grooming” to obtain further information through spear phishing emails or phone calls to the victim. Because of the monitoring already completed, the criminal can state details accurately and so appears to have a legitimate need for otherwise confidential information. The criminal then uses this information to gain access to the victim's financial institution, account details, and contacts. In stage two, the criminal uses the stolen information to email fraudulent instructions to the victim’s financial institution while pretending to be the victim or an authorized contact of the victim, sending them either from the victim’s own email account or from a fake account that appears legitimate at first glance. In the last stage, a transfer that appears to be normal business activity is conducted by the financial institution or employee that has been deceived. This may take the form of the institution sending a wire transfer under the assumption that the customer or member authorized it, or of an employee being deceived by the criminal impersonating a supplier. To finalize the fraud, the unauthorized transfer is directed to the criminal’s account. The most common destinations for these fraudulent transactions are banks in Asia.

Suspicious Activity Reporting (SAR)
Where email compromise fraud has been identified, institutions should open a suspicious activity report investigation to determine whether or not the filing of a SAR is necessary. When the minimum reporting requirements for a SAR are met, or where the investigation determines a SAR is necessary due to factors such as illegal activity or an attempt to evade a regulatory requirement, FinCEN offers guidance on completing the SAR form and narrative so that law enforcement can identify email compromise fraud trends. Specifically, institutions should ensure that the terms “email compromise fraud,” “BEC fraud,” or “EAC fraud” are used in the narrative as applicable. In addition, ensure that in Part II Suspicious Activity Information, Item 37(z) (Fraud-Other) is checked. When completing the narrative, ensure that the wire transfer details are included, along with information about the scheme itself.

Red Flags and Preventative Measures
What makes email compromise fraud so much harder to detect is that unlike many account takeover attempts, the criminals impersonate the victims surprisingly well and attempt to submit transactions that appear authentic. The fraud works so well because the criminals often use the victim’s email and try to adopt their mannerisms to give a strong appearance that the victim is the true originator of the transfer request. It is the plausibility of the fraud that necessitates application of measures to identify red flags and prevent the fraud.

The following red flags do not represent an exhaustive list, and institutions are reminded of the importance of considering their products, services, and account base when informing staff of red flags to review for:

  • Emails that include language such as “urgent,” “secret,” or “confidential”
  • Email instructions arriving at different times of the day than normally received from that customer or member or in amounts that are not in line with historic activity
  • Instructions arriving that give the institution a limited amount of time or ability to confirm the authenticity
  • Subsequent wire request immediately following the first successful request
  • Wire instructions identifying vendors not previously used by the customer or member
  • Wire instructions identifying a known beneficiary name but a different account number
  • Slight variations to the customer’s or member’s email address
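The red flags above translate naturally into screening rules that a wire desk can run against each inbound request before it is released. The following is an added example, not code from the original article or from FinCEN, the FBI, or any institution: the field names, the thresholds (the 85% similarity cut-off for lookalike addresses, the 2x multiplier on the customer's largest prior wire, the 24-hour follow-up window), the keyword lists, and the sample customer profile and requests are all constructed assumptions. It covers every bullet in the list, including the "known beneficiary name but different account number" case and the lookalike sender address, and holds any request that trips a flag for out-of-band verification.

```python
"""Screening rules for inbound wire-transfer requests, built from the red flags
listed above.  Added illustration only: the field names, thresholds, keyword
lists and sample customer data are assumptions, not FinCEN or FBI criteria."""
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Phrases drawn from the red-flag list; the exact word lists are assumptions.
URGENCY_TERMS = ("urgent", "secret", "confidential")
LIMITED_WINDOW_TERMS = ("cannot take calls", "process today", "no time to")

# Constructed customer profile: what the institution knows from prior activity.
CUSTOMER = {
    "email": "j.smith@acmecorp.example",
    "usual_hours": (8, 17),        # local hours in which requests normally arrive
    "max_amount": 25_000.00,       # largest wire previously sent by this customer
    "beneficiaries": {             # vendor name on file -> account number on file
        "Northwind Supplies": "111222333",
        "Contoso Parts": "444555666",
    },
    "last_request_at": datetime(2017, 10, 27, 10, 15),
}

# Constructed requests: one consistent with history, one matching several red flags.
LEGIT_REQUEST = {
    "sender": "j.smith@acmecorp.example",
    "subject": "October invoice payment",
    "body": "Please send the usual monthly payment to Northwind Supplies.",
    "received_at": datetime(2017, 10, 30, 11, 5),   # mid-morning, days after last wire
    "amount": 18_400.00,
    "beneficiary": "Northwind Supplies",
    "account": "111222333",
}
SUSPECT_REQUEST = {
    "sender": "j.smith@acme-corp.example",          # hyphen inserted: lookalike address
    "subject": "URGENT - confidential vendor payment",
    "body": "I am in meetings all day and cannot take calls, please process today.",
    "received_at": datetime(2017, 10, 27, 22, 40),   # late evening, same day as last wire
    "amount": 96_500.00,
    "beneficiary": "Contoso Parts",                  # name on file...
    "account": "999888777",                          # ...but a different account number
}


def email_variation(sender, known, threshold=0.85):
    """True when the sender address is close to, but not the same as, the address on file."""
    s, k = sender.lower(), known.lower()
    if s == k:
        return False
    return SequenceMatcher(None, s, k).ratio() >= threshold


def screen_wire_request(request, customer):
    """Return the red-flag codes a request trips; an empty list means no flag."""
    flags = []
    text = (request["subject"] + " " + request["body"]).lower()

    if email_variation(request["sender"], customer["email"]):
        flags.append("email_variation")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency_language")
    if any(term in text for term in LIMITED_WINDOW_TERMS):
        flags.append("limited_confirmation_window")

    start, end = customer["usual_hours"]
    if not start <= request["received_at"].hour <= end:
        flags.append("off_hours")
    if request["amount"] > 2 * customer["max_amount"]:   # 2x multiplier is an assumption
        flags.append("amount_out_of_pattern")
    if request["received_at"] - customer["last_request_at"] < timedelta(hours=24):
        flags.append("followup_request")

    on_file = customer["beneficiaries"].get(request["beneficiary"])
    if on_file is None:
        flags.append("new_vendor")
    elif on_file != request["account"]:
        flags.append("beneficiary_account_mismatch")
    return flags


def requires_callback(request, customer):
    """Hold the wire for out-of-band verification whenever any red flag is present."""
    return bool(screen_wire_request(request, customer))


if __name__ == "__main__":
    for name, req in (("legitimate", LEGIT_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(name, screen_wire_request(req, CUSTOMER), requires_callback(req, CUSTOMER))
```

The flag codes are deliberately returned as a list rather than a single score so that the reviewer sees which red flags fired and can record them in the SAR narrative; a single tripped flag is enough to hold the request, since, as the article notes, a released wire is likely irreversible.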

Preventative measures are important because institutions have had to absorb the losses of customers or members who were victimized by fraud. The most effective preventive measures financial institutions can take are implementing know-your-customer due diligence procedures and multi-faceted transaction verification for wire transfer requests. Training staff to identify the various fraud schemes and to know the internal procedures for making the Bank Secrecy Act officer aware of attempts, successful or not, is another recommended preventative measure. Procedures such as these, which identify possible fraud before the transfer takes place, are important because once the transfer has been approved it will likely be irreversible.

Cyber criminals pose an ever-present danger to the financial system and to individual financial institutions, no matter the size. As attempts to illegally access a victim’s funds become more refined, such as email compromise, financial institutions need to be aware of how these schemes work. Through identification, prevention, and sharing applicable information with the government, all financial institutions work to protect their own customers or members and lessen their liability.

FinCEN, the FBI, and the U.S. Secret Service have partnered together to assist financial institutions in recovering stolen funds. If your institution suspects it or its customers or members have been a victim, a complaint can be filed with one or all of the agencies.


Nick Bonnema, JD, CRCM