The entire banking industry, including MidWestOne Bank, has seen a recent increase in fraudulent wire transfer attempts. Scammers have been using a tactic known as “Business email compromise,” or BEC, to target employees and trick them into wiring them money by posing as someone within the organization, such as a CEO or CFO.
According to the FBI, law enforcement has received complaints from victims in every U.S. state and in at least 79 countries, resulting in more than 17,000 victims. This amounted to more than $2.3 billion in losses. What’s more, the FBI has seen a 270 percent increase in identified victims and exposed loss since January 2015.
Because we care about your business and your success we want to make you aware of the fraud and share tips on how you can avoid it.
How does BEC work?
BEC, also known as “CEO fraud” or the “man in the middle” scheme, is an attack that tricks an individual into transferring money to a criminal’s bank account in response to an email that seems legitimate to the recipient.
One of two things generally happen:
- Cybercriminals gain access to the email account of a company executive or a member of the finance team through social engineering or other computer intrusion techniques; or
- An email is received that appears to be from an executive of the company, but is instead from a domain set up by the cybercriminals to look similar to the company’s domain. For example, if the target company’s domain was “flash.com” the thieves might use “f1lash.com” (substituting the letter “L” for the numeral 1) or “flash.co.”
The email that is received by an employee of the company requests that funds be wired immediately per the given instructions. In some cases, there is even a reason in the email noting why this wire transfer is so urgent.
Who is being targeted?
There is no profile for businesses who are being targeted. According to the FBI, victims range from large corporations to tech companies, to small businesses, to non-profit organizations.
What’s unnerving is that scammers conduct research to learn about the employees in a company who manage the money, as well as the protocol necessary to perform wire transfers within that business environment. In some cases, they gather that information through a phishing scheme. In others, businesses may be victims of ransomware or other cyber intrusion prior to the attack.
Why has this scam been so successful?
BEC scams have become one of the more popular and versatile scams because perpetrators are able to pose as victim’s colleagues. This – tied with an “urgent” deadline – often results in people skipping procedures that may have been established as safeguards.
It’s important to note that in traditional phishing scams, the attackers interact with the victim’s bank directly. But in the BEC scam the perpetrators trick the victim into doing that for them. This makes it all but impossible to get the money back after it’s been wired.
According to the security news blog Krebs on Security, The FBI’s number show that the average loss per victim is around $100,000. Nonetheless, there are a number of publicized scams that have resulted in much higher amounts. One example is the tech firm Ubiquiti Networks, which disclosed in a quarterly financial report that it suffered a huge $46.7 million hit because of a BEC scam.
What can you do?
First and foremost – be vigilant! If something feels “fishy” about an email asking to wire money, listen to your gut and follow up with the person who’s (supposedly) asking for the wire transfer in person or via phone to confirm the request.
It’s best to establish a specific process for wire transfers within your company – especially if it’s alarge amount. The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, or to establish other communication channels — such as telephone calls — to verify significant transactions. In other words, a wire transfer could not occur until it has been confirmed using a second method of communication.
It’s also important to be aware of information you are posting about your business online. Attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office through social media platforms.
Below are links to resources containing further information to help identify and combat BEC and other types of fraud:
- MidWestOne Bank’s Annual Security Training (Password is Business)
- MidWestOne Bank’s Business Online Cash Manager Security Guide
MidWestOne Bank is proud to partner with you as we strive to make electronic banking as safe and efficient as possible. If you’ve got any questions, just contact your local business banker!