On July 16, 2019, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued an “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes” (the “Advisory”). The Advisory provides a detailed and helpful overview of trends in Business Email Compromise (“BEC”) schemes affecting U.S. financial institutions and other businesses.
Businesses are typically victimized by one of two variants of fraudulent BEC schemes, which involve spoofed or compromised electronic communications. In some of these schemes, perpetrators purporting to be company executives use spoofed email addresses and direct the companies’ finance personnel to make large wire transfers to third-party bank accounts. In other instances, perpetrators impersonate the victims’ vendors and request that the victim companies initiate changes to the vendors’ banking information and then make large wire transfers to the new bank accounts.
According to the Advisory, criminals have increasingly exploited vulnerable business processes with BEC schemes – with losses to U.S. financial institutions and their customers from such schemes totaling over $9 billion since 2016. Not surprisingly, reports to FinCEN of BEC schemes have risen significantly in the past few years. In 2016, FinCEN averaged approximately 500 such reports per month; however, by 2018, that figure had more than doubled to over 1,100 reports per month. The average total loss amounts stemming from BEC schemes saw similar increases, with the average monthly losses rising from $110 million to over $300 million between 2016 and 2018.
The Advisory notes that the three top target industries for BEC schemes are: (1) manufacturing and construction (25% of reported cases); (2) commercial services (18%); and (3) real estate (16%). Manufacturing and construction companies are likely targeted with greater frequency because they tend to make frequent wire payments to numerous suppliers and also because more client information is publicly available for these businesses. The Advisory also discusses increases in BEC activity in other industries. For example, dozens of government organizations have been targets of BEC fraud, with such thefts typically targeting “accounts used for pension funds, payroll accounts, and contracted services.” Educational institutions – which regularly conduct and receive high-dollar transactions in the form of tuition payments, endowments, grants, and renovation and construction costs, among others – are also increasingly the targets of BEC schemes. While only approximately 2% of all BEC schemes affect schools and universities, the education sector has “the largest concentration of high-value BEC attempts.” In addition, some BEC schemes are directly targeted at financial institutions – including in situations where criminal actors send emails that appear to be from a financial institution’s SWIFT department with payment instructions and SWIFT reference numbers in the emails in order to enhance their apparent legitimacy.
With respect to how the BEC schemes are actually effectuated, FinCEN found that, in 2018, the most frequently used BEC methodology involved the use of fraudulent vendor or client invoices, which accounted for approximately 39% of BEC schemes. In addition, in a notable change from previous years, FinCEN found that the majority of BEC schemes affecting U.S. financial institutions and their customers now involve initial funds transfers to domestic, rather than foreign, bank accounts. According to the Advisory, FinCEN expects that BEC perpetrators will continue to refine their methodologies and strategies in order to evade detection by victims and, therefore, ensure the greatest likelihood of financial success.
The release of the Advisory is yet another reminder to companies of the importance of devising and maintaining a system of policies, procedures, and internal controls attuned to BECs and other cyber-enabled frauds. Specifically, companies should consider how they can enhance their payment authorization procedures and verification requirements for vendor information changes. In addition, companies should examine their account reconciliation procedures and outgoing payment notification processes to ensure that payments resulting from fraud are detected and stopped. Companies must also look to enhance their training of employees about BECs and other cyber-related threats, as well as the relevant internal policies and procedures governing issues such as payment authorization and verification.