Fraudulent Emails and Wire Transfers – Beware!

Lately, RCM&D has seen a number of clients impacted by fraudulent e-mails requesting a wire transfer of funds.  The FBI refers to this type of scam as “Business Email Compromise.”  On a broader scale, it is referred to as “social engineering,” which is defined by Wikipedia as “psychological manipulation of people into performing actions or divulging confidential information.” Basically, the victims are tricked into voluntarily doing something that will ultimately hurt them.

How the Scam Works

There are many forms of social engineering scams, but the one we have seen with some frequency over the last six months involves an email from an individual that the recipient knows.  Typically, the company employee responsible for initiating wire transfers will receive an email from a superior, such as the CEO or CFO, requesting a wire transfer.  The employee does not suspect a scam because the email is from someone he or she knows within the company who is usually in a position to be making such a request.  Sometimes, the email address will look very similar to a legitimate one but has been altered very slightly by changing a letter or number in the address (e.g., the “m” is missing from .com or abc@0123 is changed to abc@O123).  The modifications are very subtle, and the addresses are easily mistaken for valid ones.  In other scams, the perpetrators have actually compromised a business executive’s email account and sent a bogus message to an employee from the executive’s real account.  In those cases the email address is legitimate but the message is fraudulent.
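The slightly altered addresses described above can be caught mechanically before a payment request is acted on. The following is an added example, not part of the original article: it compares a sender's domain with the domains a company really uses and flags near-misses, covering the two alterations mentioned above plus other easily confused character pairs. The domain example0123.com, the function names and the sample addresses are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed for illustration: the domains your organisation really uses.
TRUSTED = {"example0123.com"}

# Characters easily mistaken for one another, folded to one form.
CONFUSABLE = str.maketrans({"0": "o", "1": "l"})


def fold(domain: str) -> str:
    """Collapse visually confusable characters ('rn' reads as 'm')."""
    return domain.lower().translate(CONFUSABLE).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    address = parseaddr(from_header)[1]
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in trusted:
        # A compromised real account also lands here; this check cannot see that.
        return "trusted"
    for good in trusted:
        if fold(domain) == fold(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for header in ("CFO <cfo@example0123.com>", "CFO <cfo@exampleO123.com>",
                   "CFO <cfo@example0123.co>", "Sales <sales@othersupplier.net>"):
        print(f"{classify_sender(header):10} {header}")
```

A "trusted" result only means the domain matches; a message sent from an executive's compromised real account passes this check unchanged.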

We have also had some clients fall victim to a similar scam in which the email comes from outside the company, from a vendor or supplier with whom the business has had a long relationship.  These emails will include an invoice that appears to be on the supplier’s letterhead.  The email will ask that the invoice be paid to an alternate, fraudulent account that has not been used in the past, stating that there was a problem with the old account and it has been closed.

According to the FBI, once the wire transfer is completed, the criminals will transfer the funds into a global money laundering network.  The Internet Crime Complaint Center reported that from October 2013 to December 2014, a total of $179.7 million was bilked from nearly 1,200 victims in the U.S. alone.

The FBI says that the fraudulent e-mail requests for the wire transfer appear legitimate and are generally well-worded and specific to the business being victimized.  Prior to sending out the e-mail, the criminals behind the attacks often monitor their selected victims, allowing them to identify employees who have the access necessary to perform wire transfers.  The fraudulent e-mails often coincide with business travel dates for executives whose e-mails have been hacked.

Crime Policy Coverage

Whether your crime policy has insurance coverage for the issue described depends on the policy language.  Many policies will not provide coverage because of an exclusion for “voluntary surrender of funds.”  Many insurance companies are evaluating how they plan to cover this emerging exposure.  Several have recently introduced endorsements that will address these specific types of claims.

What You Can Do to Prevent Becoming a Victim

The Internet Crime Complaint Center suggests the following measures to protect your business:

What to Do if You Have Been Victimized

If you want further information, contact James Gaughan, Risk Control Manager.