Lately, RCM&D has seen a number of clients impacted by fraudulent e-mails requesting a wire transfer of funds. The FBI refers to this type of scam as “Business Email Compromise.” On a broader scale, it is referred to as “social engineering,” which is defined by Wikipedia as “psychological manipulation of people into performing actions or divulging confidential information.” Basically, the victims are tricked into voluntarily doing something that will ultimately hurt them.
How the Scam Works
There are many forms of social engineering scams, but the one we have seen with some frequency over the last six months involves email from an individual that the recipient knows. Typically, the company employee responsible for initiating wire transfers will receive an email from a superior, such as the CEO or CFO, requesting a wire transfer. The employee does not suspect a scam because the email is from someone he or she knows within the company who is usually in a position to be making such a request. Sometimes, the email address will look very similar to a legitimate one but is altered very slightly by changing a letter or number in the address (e.g., the “m” is missing from .com or abc@0123 is changed to abc@O123). The modifications are very subtle and easily mistaken for valid addresses. In other scams, the perpetrators have actually compromised a business executive’s email account and sent a bogus message to an employee from the executive’s real account. These are legitimate email addresses but the messages are fraudulent.
We have also had some clients fall victim to a similar scam, but the email has come from outside of the company, from a vendor or supplier with whom the business has had a long relationship. These emails will include an invoice that appears to be on the supplier’s letterhead. The email will ask that the payment for the invoice be paid to an alternate, fraudulent account that has not been used in the past, stating that there was a problem with the old account and it has been closed.
According to the FBI, once the wire transfer is completed, the criminals will transfer the funds into a global money laundering network. The Internet Crime Complaint Center reported that from October 2013 to December 2014, a total of $179.7 million was bilked from nearly 1,200 victims in the U.S. alone.
The FBI says that the fraudulent e-mail requests for the wire transfer appear legitimate and are generally well-worded and specific to the business being victimized. Prior to sending out the e-mail, the criminals behind the attacks often monitor their selected victims, allowing them to identify employees that have the access necessary to perform wire transfers. The fraudulent e-mails often coincide with business travel dates for executives whose e-mails have been hacked.
Crime Policy Coverage
Whether your crime policy has insurance coverage for the issue described depends on the policy language. Many policies will not provide coverage because of an exclusion for “voluntary surrender of funds.” Many insurance companies are evaluating how they plan to cover this emerging exposure. Several have recently introduced endorsements that will address these specific types of claims.
What You Can Do to Prevent Becoming a Victim
The Internet Crime Complaint Center suggests the following measures to protect your business:
- Use multifactor authentication to verify any payment request.
- Establish other communication channels, such as phone calls, to verify significant transactions.
- Always perform proper authentication and verification processes even if the vendor, client, supplier, or superior is asking for a “rush.”
- Do not open spam e-mail, click on links in it, or open its attachments. These often contain malware that will give criminals access to your computer system and allow them to monitor your company for the information needed to perpetrate this scam.
- Avoid using the “reply” button when responding by e-mail to an invoice request; instead, use the “forward” option so that you have to manually type in the valid e-mail address for your contact.
What to Do if You Have Been Victimized
- Report the matter to the local FBI field office or file a complaint online with the Internet Crime Complaint Center at www.IC3.gov.
- File a claim under your crime policy as soon as you become aware of the incident, as you may have coverage for the claim. There is a time limit for reporting a claim under a crime policy (usually 90 days from the date of discovery), so you should report it promptly.
If you want further information, contact James Gaughan, Risk Control Manager.