How email scammers infiltrate businesses to make costly transfers

The idea of an email scam may bring to mind the clumsy phishing cons from the early days of online banking, but the tactic's latest incarnation is a bigger threat than ever.

This month, the FBI announced the arrests of 74 individuals in a major global crackdown on “business email compromise” scams, one of the most lucrative forms of online fraud. BEC scams generally operate along standard lines — victims are specifically targeted and sent carefully crafted emails aiming to trick them into making payments to the scammers.

The scammers targeted included members of what the FBI calls “transnational criminal organizations,” aka global crime gangs, but also extended to money mules charged with cashing out and laundering funds stolen via email fraud.

There were 42 arrests in the U.S., 29 in Nigeria and several more around the world in the culmination of a six-month campaign dubbed Operation WireWire, run in conjunction with the U.S. Department of Justice, Department of Homeland Security, Department of the Treasury and the Postal Inspection Service.

BEC schemes generally take the form of a message from a high-ranking corporate executive sent to a junior employee, demanding that a transaction be made asap. The mail is made to look legitimate by using details gleaned from the web or social media, and either uses the sender’s real email account hijacked by the scammers, or fakes the email information to make it look like it came from the purported sender. The message of course provides details of a bank or other recipient to send the funds to, which is in the control of the scammers.

Many businesses will have received such crafted messages, particularly those engaged in global activities which involve a lot of international wires. Email compromise scams also affect individuals, with a particular focus on homebuyers, as they tend to make far bigger single fund transfers than anyone else.

In this scenario, the scammer might pose as the homebuyer’s lawyers, contacting them just as a payment becomes due to request they change the bank details they will send the payment to. It also works the other way around, with at least one reported case in the U.K. of a law firm being tricked by a scam email pretending to come from a property seller they were holding funds for.

In cases where the criminals have actually gained access to the email accounts of their victims, timing of attacks and making messages appear legitimate are easy, as they can monitor communications and figure out exactly when the victim most expects to be making a large payment.

Even without such direct access, it is often simple to work out who at a given company has the power to initiate large transfers, and who might be asking them to do so, or even to figure who is about to buy a house and who their lawyers and bankers might be, all from publicly accessible records and other information posted online.

Once a payment has been made, the funds are often moved on rapidly to prevent banks freezing suspect accounts and returning the defrauded funds. This type of fraud is referred to as “authorized push payment” (APP) scams — given that the payments were made voluntarily by the legitimate account holders, there is little redress or hope of compensation from banks, which are usually much more supportive in cases where there are indications of improper use of the bank account by a third party.

To address this imbalance, the U.K.’s Payment Systems Regulator (PSR), founded in 2015, has been developing a new industry code to provide guidance to payment service providers on how to handle victims of APP scams, including those driven by email compromise.

Back in February the PSR announced the outcome of a consultation on the topic, run from November 2017 to January 2018, promising to build out a first draft of the new code by September and full adoption expected as soon as “early 2019.”

Just where the balance of responsibilities will fall between payment providers and customers will become clear when the new code is released, but it seems certain that this type of fraud will continue to grow, regardless of who ends up out of pocket.

Vigilance in digital security and corporate financial controls will remain vital, as will the last resort of arresting and prosecuting the scammers in campaigns like the FBI’s Operation WireWire.