When Fraudsters Infiltrate Your Email

Most businesses will become the target of scams at least once. Criminals will try anything to get their hands on all of your funds, and they’re becoming more and more sophisticated about doing just that. One of the most common types of fraud is Business Email Compromise, or BEC. In BEC, a person or organized group hacks into a business’s internal email system. They could spend weeks or months watching what is being sent and to whom in order to figure out who they can trick into sending them money.

During a fraud prevention lecture hosted by IBERIABANK on May 22, 2019, Eric Rommel, Special Agent in Charge of the FBI New Orleans office, explained that fraud perpetrated on businesses, especially BEC, is becoming increasingly common, and any business can fall victim to it. American companies lost $2.7 billion to fraudsters in Business Email Compromise scams in 2018 alone. The FBI’s Internet Crime Complaint Center (IC3) Asset Recovery Team was able to recover some of the money by halting the funds at the financial institutions where the fraudsters had the money sent, but much of it is gone for good. The fraudsters are rarely caught because the countries where they operate, mostly China and Russia, won’t extradite their own.

BEC can be carried out in a number of ways. In a common scenario, the hacker or organized criminal group sends a convincing email, using an employee’s or vendor’s email address, to someone within the company who has the authority to make payments from the company’s funds. Believing that a coworker or trusted vendor is asking for the money, the recipient sends a wire transfer request to the company’s bank asking it to send the money to another bank. By the time the company realizes that its money is being siphoned to a fraudster and not to the person it believed was requesting it, it could have lost thousands or millions of dollars.

Charles Montelaro, Director of Security and BCP of IBERIABANK, said, “You’re lucky if you can get back 50% of smaller fraudulent wire transfers.” He went on to say that banks were more often the target of wire fraud scams in the early 2000s, and these scams were often done by fax. The fraudsters would take legitimate signatures off of documents and paste them onto wire transfer forms before faxing the forms to initiate a transfer. Now, businesses are more often targeted through seemingly legitimate emails.

Charles identified four major scam types: business executive scams, supplier swindles, bogus invoices, and personal data scams. All of these scams involve fake emails sent by scammers trying to manipulate people into sending money out of their accounts. Executive scams, or executive fraud, involve scammers claiming to be high-level executives within the company or the company’s legal representation who need money transferred discreetly or quickly to handle a sensitive matter. Supplier swindles and bogus invoices are identified by emails that seem to be sent from a company’s vendor and that require payment sent to an account the vendor supposedly just opened at a different financial institution. Personal data scams can involve an employee being tricked into sending out their own personal information or divulging personal information about employees that can be used to create more convincing fraudulent emails in the future.

Eric Rommel stated, “Once it’s on the internet, it stays on the internet. The threat is always there.” According to the FBI’s Internet Crime Complaint Center, BEC has grown 2,370% since 2015. If you suspect that your business’s email system has been compromised, you can file a complaint with the FBI’s Internet Crime Complaint Center (IC3). Charles Montelaro also suggested protecting your business’s funds with several controls: requiring multiple people within the company to approve fund transfers; contacting the payee via phone to confirm that they’re requesting money; regularly changing email passwords across the company and asking everyone to do a full logout when out of the office; and maintaining firewalls and antivirus software.

Scammers will never cease trying to take your business’s money. Staying vigilant about scams and ensuring your money is going to the right people can help stop fraud in its tracks.
