Fighting Business Email Compromise Fraud in the COVID Era

For as long as companies have used internet applications, private and publicly owned businesses, law firms and other professional services organizations, and even public entities have faced potentially devastating financial harm and loss of public good will from “business email compromise” (BEC) fraud.

A recent report by the Internet Crime Complaint Center (IC3) of the Federal Bureau of Investigation (FBI) found that BEC fraud was the crime that resulted in the highest reported losses. The IC3 indicated that, in 2019 alone, it received 23,775 BEC/email account compromise complaints, with adjusted losses of over $1.7 billion. See “2019 Internet Crime Report.” Moreover, the IC3 has found that losses from BEC scams overall have increased every year since it began tracking it in 2013. See “Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services, Costing US Businesses More Than $2 Billion,” (defining cloud-based email services as hosted subscription services that enable users to conduct business via tools such as email, shared calendars, online file storage, and instant messaging.)

BEC fraud has proliferated during the COVID-19 pandemic as bad actors exploit the challenges and workplace changes it has caused. See, e.g., “FBI Warns of Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic,” (FBI warns government and health care industry buyers of rapidly emerging fraud trends related to procurement of personal protective equipment (PPE), medical equipment such as ventilators, and other supplies or equipment in short supply during the COVID-19 pandemic).

Federal authorities and regulatory groups continue to caution about BEC fraud and its growing prevalence. For example, in early May, the Financial Industry Regulatory Authority, Inc. (FINRA) issued a special alert warning the securities industry about BEC schemes, among other frauds. See “FINRA Reminds Firms to Beware of Fraud During the Coronavirus (COVID-19) Pandemic.”

Then, at the end of July, the Financial Crimes Enforcement Network (FinCEN) issued an advisory to alert financial institutions to potential indicators of cybercrime and cyber-enabled crime observed during the COVID-19 pandemic, including BEC fraud. See “Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the COVID-19 Pandemic.”

After briefly explaining the elements of BEC fraud, including a recent instance prosecuted in New York, this column will suggest steps that companies can take to limit the risk of becoming another victim to this increasingly common crime.

What Is BEC Fraud?

The most basic form of a BEC scam essentially involves the same four common steps.

First, a criminal identifies a target and uses information available online to develop a profile of the company and its executives.

Then, the criminal contacts one or more company employees, often someone working in the finance department. The messages appear to come from a known source, such as a vendor the target company regularly deals with.

Next, the parties exchange information, with the victim believing that he or she is responding to a legitimate request and is conducting a legitimate business transaction involving a wire transfer using instructions provided by the fraudster.

Finally, the victim authorizes the wire transfer and funds are steered to a bank account controlled by the fraudster.

As the FBI has explained, there are various ways that criminals may carry out a BEC scam. A fraudster may:

• Spoof an email account or website. Slight variations on legitimate addresses ([email protected] versus [email protected]) can fool victims into thinking fake accounts are authentic.
• Send phishing emails. These messages look as if they are from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
• Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices and let criminals gain undetected access to a victim’s data, including passwords and financial account information. Fraudsters use this information to time requests or send messages, so accountants or financial officers do not question payment requests. See, “Business Email Compromise.”

Fraudsters often “lurk” undetected in the network for extended periods of time—sometimes a year or more—until they effectuate the fraud based on the information they have collected. Frequently, their presence in the network is not detected until the fraud is completed and the purloined funds are retransferred to one or more successive accounts in other locations that were created for that purpose.

A $120 Million BEC Fraud

An actual BEC scam was at the heart of the 60 month prison sentence imposed late last year on a Lithuanian citizen, Evaldas Rimasauskas, in the U.S. District Court for the Southern District of New York. According to the U.S. Attorney for the Southern District of New York, the fraud induced two U.S.-based internet companies (identified by prosecutors as the “Victim Companies”) to wire a total of over $120 million to bank accounts Rimasauskas controlled. Before being sentenced, Rimasauskas pleaded guilty to one count of wire fraud.

The government explained that, beginning in or around 2013 and lasting through in or about 2015, Rimasauskas orchestrated a fraudulent scheme designed to deceive the Victim Companies—a multinational technology company and a multinational online social media company—into wiring funds to bank accounts he controlled.  Specifically, the government asserted, Rimasauskas registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2.

Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which Rimasauskas controlled.  These emails purported to be from employees and agents of Company-1 and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1. The government contended, however, that the emails were neither sent nor authorized by Company-1 and that the scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.

The government asserted that, after the Victim Companies wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

COVID-19 has led to increases in fraud, including BEC fraud. The FBI recently cited examples of attempted BEC fraud involving COVID-19. See, “FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic.” According to the FBI:

• A financial institution received an email allegedly from the chief executive officer of a company who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
• A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because its regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.

Lowering Risks

It would be a mistake, however, to assume that BEC fraud is aimed exclusively at large companies and financial institutions. To the contrary, smaller business enterprises and professionals often are targeted as their more “casual” social environment and fewer technological protections may make them more vulnerable than bigger, regulated businesses.

There are important steps that all companies can take to lower the risk of falling victim to a BEC fraud. For instance, all employees, including management, should know the red flags of BEC fraud, such as when a customer’s transaction instructions contain different language, timing, and amounts in comparison to prior transaction instructions, when the instructions contain multiple grammatical and typographic errors, or when emailed transaction instructions direct payment to a different account for a known beneficiary or request to move payment methods from checks to ACH transfers.

In addition, the FBI suggests educating employees to:

• Be careful about sharing information online, including on social media. That information can allow fraudsters to guess passwords or answer security questions.
• Avoid clicking on anything in an unsolicited email or text message asking to have account information updated or verified.
• Look up the actual phone number of the company associated with the incoming email or text message instead of relying on the information the potential scammer has provided, and then call the company directly at the phone number that was independently obtained to ask if the request in the email or text message is legitimate.
• Carefully examine the email address, URL, and spelling used in any correspondence.
• Be careful when downloading a file, not open an email attachment from a stranger, and be wary of email attachments that are forwarded by others.
• Set up two-factor (or multi-factor) authentication on all email accounts that allow it, and never disable it.
• Verify payment and purchase requests in person if possible or by calling the authorizing person at the company to make sure it is legitimate using a phone number that the caller has independently verified.
• Verify any change in account number or payment procedures with the person who appears to be making the request, in person or through a known telephone number.
• Be especially wary if the requestor is pressing for quick action. See “Business Email Compromise.”

Of course, if a company falls victim to a BEC fraud, it should immediately contact its financial institution and request that it contact the financial institution to which its funds were wired; that may allow the funds to be recovered before they are transferred out of the receiving institution. The company should also speak with legal counsel about whether and how to report the crime.

BEC fraud likely will be with us for quite some time to come. Undoubtedly, it also will morph into different forms. Imagine the trouble that a “deepfake” involving audio created to be that of a corporate executive can cause when combined with a BEC fraud. This is more than just a theoretical concern. Earlier this year, Federal Trade Commission staff examined voice cloning technologies that enable users to make near-perfect reproductions of a real person’s voice, observing that advances in artificial intelligence and text-to-speech (TTS) synthesis have allowed researchers to create a near-perfect voice clone with less than a five second recording of a person’s voice.

The bottom line: Now more than ever, all employees must be vigilant to lower the risk of BEC fraud.

Reprinted with permission from the August 17, 2020 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.