Proactively Protect Your Business from Becoming a Victim of Cyber Fraud

It is our goal to keep you informed of the latest techniques cyber criminals have developed to jeopardize the security of your company’s financial transactions. There is a rapidly growing “Business Email Compromise Scam”[1] that has affected thousands of small and large businesses, resulting in significant financial loss.

Please share this information with officers and employees at your business who are able to initiate and/or conduct financial transactions. If you believe your account information has been compromised, please contact Mechanics Bank immediately at 800.797.6324.

Synopsis of a Typical “Business Email Compromise Scam”

Fraudsters penetrate a company’s network using a spear-phishing attack and/or malware to observe its vendors, billing systems, the CEO’s style of email communication and travel schedule. This information is then used in a scam designed to deceive company employees and vendors who are responsible for executing financial transactions into wiring funds to accounts that are controlled by the fraudsters. Businesses that pay invoices to foreign suppliers as well as fiduciaries that regularly send wire transfer payments are most commonly targeted. 

The Federal Bureau of Investigation (FBI) identifies 5 primary versions of the scam:

  1. Business Executive Scam (aka “CEO Fraud,” “Masquerading,” and “Financial Industry Wire Frauds”)
    The email address of a high-level business executive (CEO, CFO, CTO, etc.) is either hacked or spoofed to look legitimate. In the case of spoofing, a few letters of a legitimate email address and/or domain name are altered, making the slight difference difficult to detect. This is often achieved by removing one repeated letter or number, for example:

    “Johndoe@californiasupplyco.com” becomes “Johndoe@californiasuplyco.com” 

    The hacked or spoofed email address is then used by fraudsters to request that an actual company employee who is responsible for processing financial transactions wire funds into their account. This can also be attempted by contacting the company’s financial institution directly. 
  2. Bogus Invoice Scheme (aka “The Supplier Swindle” and “Invoice Modification Scheme”)
    A request to complete an invoice payment via wire transfer is made by fraudsters who closely monitor the way a company’s trusted vendors handle their receivables. While most of the invoice information and formatting mimics a legitimate payment request the targeted company is familiar with, the wire instructions are changed so that funds are sent to the fraudster-controlled accounts. This can be initiated via telephone, fax, or email.
  3. Personal Email Hack
    The personal email address of an employee who sometimes uses it for business purposes is spoofed or hacked and then used to request that vendors pay invoices into fraudster-controlled bank accounts. The company may not become aware of the fraudulent requests until a vendor contacts it to follow up on the status of an invoice payment.
  4. Data Theft
    Seemingly legitimate emails are sent from spoofed or hacked email addresses requesting private information including Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII). While this scenario may not involve a wire transfer request, it is indicative of the targeted business executive’s email being compromised which will likely be used for future fraudulent transaction requests. Additionally, the Personally Identifiable Information that was exposed is now in the hands of fraudsters who may personally target these individuals.
  5. Impersonation of an Attorney
    Fraudsters who claim to have the authority to handle confidential and/or urgent matters on behalf of an individual or business call or email targeted companies and pressure them to wire funds into the fraudster-controlled account. This type of scam is often initiated toward the end of a business day or work week to coincide with the close of business of international financial institutions.

A “Business Email Compromise Scam” attempt will likely be successful if:

  • Targeted companies use free, web-based email (e.g. Gmail) for business and personal use, as such accounts are more susceptible to being hacked by means of “phishing” – a virtual trap set by cyber thieves that uses official-looking emails to lure victims to fake websites and trick them into revealing personal information or into clicking links that install malware.
  • Fraudulent emails are tailored to the particular business and closely mimic a legitimate email request. Common language, phrases and jargon used within the business are often included in the fraudulent email messages. For example, the phrases “code to admin expenses” and “urgent wire transfer” are commonly used.
  • Individuals within the company responsible for wire transfers are identified and directly targeted.
  • The dollar amounts of the wire requests are typical for the business to prevent suspicion.
  • Fraudulent emails received have coincided with business travel dates for executives whose emails were hacked.

Suggestions for Protection and Best Practices

  • Out of Band Verification: Implement policies and procedures requiring a telephone or in-person verification with the individual or company officer who originates wire requests via email, text, or fax, before the wire transfer is initiated.
  • Review and Approval: Have a secondary person within your company review and approve all wire transfers before sending them to the bank for processing.
  • Delete Spam: Immediately delete unsolicited email (spam) from unknown parties. Do NOT open spam email, click on links or open attachments contained in the email.
  • Never follow a link to a website from an email: Always enter the URL manually.
  • Create intrusion detection system rules: Flag emails whose sender domain is similar to, but not the same as, the company’s domain. For example, a rule written for the legitimate domain abc_company.com would flag fraudulent email from the look-alike domain abc-company.com.
  • Forward vs. Reply: Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and either type in the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
  • Train all employees to recognize “red flags” of suspicious requests, which may include:
    • Unusual language or content in the email communication
    • Urgent requests or requests to act quickly on a financial transaction
    • Requests to keep the transaction in secrecy
    • Requests made at unusual times
    • Instructions to send funds to bank accounts that differ from accounts where funds have been transferred in the past
    • Sudden changes in business practices (e.g. requests to be contacted via a personal email address when all previous correspondence has been via a company email)
  • Avoid free web-based email (Gmail, Yahoo!, etc.): Establish a company website domain and use it to create company email accounts in lieu of free, web-based accounts, and refrain from using personal email accounts for business purposes.
  • Most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call, but do not use the phone number contained in the email, as that number is usually part of the scam.
  • Use a Phishing Filter when using the internet: Many of the latest web browsers have Phishing Filters built in or offer them as a plug-in.
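To illustrate the look-alike-domain rule above, and the dropped-letter spoof shown earlier (californiasupplyco.com versus californiasuplyco.com), here is an added example; it is not code from Mechanics Bank or the FBI. It assumes a constructed list of trusted domains and sample sender addresses, and flags a sender whose domain is within a small edit distance of a trusted domain or differs only in separators such as “-” and “_”.

```python
# Added example (not from the advisory): flag sender domains that nearly match
# a trusted company or vendor domain, e.g. a dropped repeated letter or a "_"
# swapped for a "-". Trusted domains and sample senders below are constructed.
import re

TRUSTED_DOMAINS = {"californiasupplyco.com", "abc_company.com"}  # constructed

# Constructed sample senders: one legitimate, two look-alikes, one unrelated.
SAMPLE_SENDERS = [
    "Johndoe@californiasupplyco.com",
    "Johndoe@californiasuplyco.com",   # one repeated letter removed
    "ap@abc-company.com",              # "_" replaced by "-"
    "someone@example.net",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lowercase and drop separators so abc_company.com == abc-company.com."""
    return re.sub(r"[-_.]", "", domain.lower())


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for an email address.

    max_distance=2 suits domains of a dozen or more characters; tune it
    lower for very short trusted domains to avoid false positives.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "external"


def flag_lookalikes(addresses):
    """Return the addresses whose domain is a near-miss of a trusted domain."""
    return [a for a in addresses if classify_sender(a) == "lookalike"]
```

In a mail gateway the same check would run on the envelope sender and the From: header, with flagged messages quarantined rather than delivered.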

For complete information about the “Business Email Compromise Scam”, other internet crime schemes and internet crime prevention tips or to file a complaint, visit the Internet Crime Complaint Center (IC3) website.

1. Business Email Compromise: The 3.1 Billion Dollar Scam. Internet Crime Complaint Center (IC3), Federal Bureau of Investigation, June 14, 2016. https://www.ic3.gov/media/2016/160614.aspx