On July 12th, the FBI published a Public Service Announcement which included new statistical data about Business Email Compromise (BEC) and Email Account Compromise scams from the Internet Crime Complaint Center (IC3). These scams target businesses and individuals performing wire transfer payments.
The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. However, a variation of the scam involves compromising legitimate business email accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.
From October 2013 to May 2018, there was a 136% increase in identified global losses. The total amount of losses exceeded $12 billion. Over 78,000 incidents were reported. The total number of U.S. victims was over 41,000.
BEC/EAC actors have heavily targeted the real estate sector in recent years. Victims participating at all levels of a real estate transaction have reported such activity to IC3. This includes title companies, law firms, real estate agents, buyers and sellers. Victims most often report a spoofed email being sent or received on behalf of one of these real estate transaction participants, with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account, where they are quickly dispersed through cash or check withdrawals. The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly, making recovery difficult.
Domestic money mules (what a term!) are frequently identified in connection with the BEC/EAC real estate trend. BEC/EAC actors often recruit money mules through confidence/romance scams. The BEC/EAC actor may groom a victim and then direct them to open accounts under the guise of sending or receiving funds as directed by the BEC/EAC actor. The accounts opened to facilitate this activity are typically used for a short period of time. Once the account is flagged by the financial institutions, it may be closed and the BEC/EAC actor will either direct the romance/scam victim to open a new account or move on to grooming a new victim.
From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss.
BEC/EAC actors have been known to target all parties in a real estate transaction. The best defense is to verify all requests for a change in payment type and/or location. BEC/EAC actors often request that payments originally scheduled for check dispersal be made via wire instead. BEC/EAC actors may also request changes to the original recipient's financial information.
BEC/EAC actors will use information that is publicly available on real estate listing sites to target victims. This may include homes that are for sale and the progress of the sale such as "under contract" as well as the contact information of the real estate agent. Be wary of any communication that is exclusively email based and establish a secondary means of communication for verification purposes.
Be mindful of phone conversations. Victims have reported receiving phone calls from BEC/EAC actors requesting personal information for verification purposes. Financial institutions report phone calls acknowledging a change in payment type and/or location. Some victims report they were unable to distinguish the fraudulent phone conversation from legitimate conversations. One way to counteract this fraudulent activity is to establish code phrases that would only be known to the two legitimate parties.
Title companies report establishing new procedures for processing legal documents, requiring all changes in payment type and/or location to be verified prior to distributing funds.
If you discover a fraudulent transfer, time is of the essence. First, contact your financial institution and request a recall of the funds. Different financial institutions have varying policies; it is important to know what assistance your financial institution will provide when attempting to recover funds. Second, contact your local FBI office and report the fraudulent transfer. Law enforcement may be able to assist the financial institution in recovering funds. Finally, regardless of dollar loss, file a complaint with www.ic3.gov or, for BEC/EAC victims, https://bec.ic3.gov/. The IC3 will be able to assist both the financial institutions and law enforcement in the recovery efforts.
Most of Sensei's interactions are with law firms – and we can certainly confirm that we see these scams regularly and they are successful with alarming regularity. Make sure you have policies in place to prevent these scams from being successful and, for heaven's sake, train your employees about the nuances of these scams so they are prepared to recognize the warning signs and to make sure the instructions are properly verified before wiring funds or sending out W-2s or other personally identifiable information.