Financial Fraud via Email Compromise
Recently a client of mine received an email that looked very legitimate. It appeared to come from the General Manager and was addressed to the CFO, asking for a check for $9,000 to be sent for a project they were working on. The cyber-criminal addressed the CFO by name, had basic details about the project, and even mimicked the General Manager’s writing style. It took me a minute to verify that it was a phishing attack. Today I read an article from Huntington Bank warning about the same kind of criminal activity, so I thought I would share that information with you as well.
Business Email Compromise Fraud – published by Huntington Bank January 2017
Within your day-to-day business operations, be on alert for a tactic used by cyber-criminals known as Business Email Compromise (BEC), also referred to as a “masquerading scheme”. It’s a payment fraud scam that continues to gain momentum. Here are some of the details:
Generally, a fraudster begins by hacking the email account of an executive at a company, often the CEO. The fraudster uses information obtained from the executive’s emails to send what appears to be a legitimate payment request (commonly wire transfer) to the employee(s) within the organization responsible for executing outbound transactions. Fraudsters will use various techniques to forge or “spoof” an email address, so that the email appears to come directly from the executive. As a result, the recipient of the email is duped into sending the requested payment to an account controlled by the fraudster.
Fraudsters can also compromise a vendor’s email, sending manipulated invoices to the vendor’s clients with fraudulent payment instructions.
There have also been several scenarios where the fraudster simply inserts themselves into the email traffic of a legitimate transaction being orchestrated between two parties (e.g. purchasing inventory, closing on a property), providing updated payment instructions at the last minute.
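The spoofing, reply-to redirect and last-minute payment-instruction tricks described in the three paragraphs above all leave traces in the message headers. The script below is an added example (mine, not Huntington Bank's and not from the client incident) of how a finance team's mail gateway or a helpdesk analyst could triage a suspicious payment request before anyone picks up the phone. The company domain, the executive directory and both sample messages are constructed for the example; the real domain, names and addresses are placeholders.

```python
"""Triage one email for Business Email Compromise indicators.

Added example: checks the headers and body of a payment-request message for
the patterns BEC relies on (executive display name on a foreign address,
look-alike sender domain, Reply-To redirect, failed SPF/DKIM/DMARC,
urgent payment language). Organization data below is assumed, not real.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data: the legitimate company domain and the directory
# entries for executives whose names are most likely to be impersonated.
COMPANY_DOMAIN = "example-co.com"
EXECUTIVES = {
    "pat rivera": "pat.rivera@example-co.com",  # hypothetical General Manager
}
PAYMENT_WORDS = re.compile(r"\b(wire|check|cheque|invoice|payment|transfer|ach)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|asap|today|immediately|confidential)\b", re.I)


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains such as 'example-c0.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. A known executive's display name paired with an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # 2. Sender domain is a near miss of the company domain (typo-squat or homoglyph).
    if from_domain and from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        flags.append(f"look-alike domain: {from_domain}")

    # 3. Reply-To points somewhere other than the From domain, so replies reach the fraudster.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append(f"reply-to redirect: {reply_addr}")

    # 4. The receiving server already recorded an SPF/DKIM/DMARC failure for this message.
    auth = msg.get("Authentication-Results", "").lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if re.search(rf"\b{m}=(fail|softfail|permerror)", auth)]
    if failed:
        flags.append("authentication failure: " + ", ".join(failed))

    # 5. Payment instructions plus urgency is the classic BEC lure.
    body = "".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )
    if PAYMENT_WORDS.search(body) and URGENCY_WORDS.search(body):
        flags.append("urgent payment request in body")

    return flags


# Constructed sample messages: one modelled on the $9,000 check request, one legitimate.
SPOOFED = """\
From: Pat Rivera <pat.rivera@example-c0.com>
To: cfo@example-co.com
Reply-To: pat.rivera.gm@mail-example.net
Subject: Re: Harbor project
Authentication-Results: mx.example-co.com; spf=fail smtp.mailfrom=example-c0.com; dmarc=fail header.from=example-c0.com

Need a check for $9,000 sent out today for the Harbor project vendor, urgent. Details below.
"""

LEGIT = """\
From: Pat Rivera <pat.rivera@example-co.com>
To: cfo@example-co.com
Subject: Harbor project status
Authentication-Results: mx.example-co.com; spf=pass smtp.mailfrom=example-co.com; dkim=pass; dmarc=pass header.from=example-co.com

Status update attached; nothing needed from finance this week.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", triage(sample) or "no indicators")
```

One caveat matters more than any of the five checks: when the fraudster has actually taken over the executive's real mailbox, as the first Huntington paragraph describes, the message comes from the genuine address, passes SPF/DKIM/DMARC and trips nothing here except possibly the wording check. Header triage narrows the pile; the control that actually stops the payment is what my client did, a call to the requester on a number you already have, never one from the email.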
As always, it’s better to be safe than sorry. I’m glad my client asked about the email before cutting the check. Be safe out there!