August 2019 Tech Tip - Business Email Compromise (BEC): The Cyber Crime Threat Turning Dreams Into Nightmares

by Rahul Gupta

In 2018, cyber-crime victims across the United States lost an estimated $1.2 billion to Business Email Compromise (BEC) fraud according to the FBI’s latest Internet Crime Complaint Center (IC3) annual report published last month. Internet Crime Complaint Ctr., 2018 Internet Crime Report (2018), https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf. BEC is a type of fraud in which cyber-criminals use spoofed email accounts and altered wiring instructions to dupe victims into sending high dollar wire transfers. Targets of BEC fraud are usually businesses that routinely use wire transfers, such as vendors requesting payment from corporations, law firms sending settlements to their clients, or escrow companies sending buyers wiring instructions to purchase real estate. The cyber-criminal uses the fake email account to pose as a trusted party to the transaction. These financial losses due to BEC can result in the loss of a person’s life savings, retirement, or even shut down an entire business. The BEC epidemic has become widespread: the FBI estimates domestic and international victims have lost over $12 billion over only a five-year period, from 2013 to 2018 due to BEC cyber fraud. Internet Crime Complaint Ctr., Business E-Mail Compromise the 12 Billion Dollar Scam, (July 2018), https://www.ic3.gov/media/2018/180712.aspx.

The façade of trust created by email has caused BEC to proliferate but made it hard to prosecute because the cyber-criminals are often located in foreign countries. To execute a BEC fraud, the cyber-criminal will either infiltrate the email account of a party to a transaction to monitor their correspondence or simply send a spoofed email to one party pretending to be a trusted party to the transaction. For example, a cyber-criminal may send a spoofed email to the accounting department posing as the company CEO requesting an immediate wire transfer to secure a new client. BEC is so effective because the spoofed email looks almost identical to a legitimate email address but replaces one letter with another character that is hard to distinguish. For example, if the legitimate email address for John Doe, the CEO at “Real Company,” was john@realcompany.com, the spoofed email could easily be john@rea1company.com. The lower case “l” in the legitimate email address is nearly indistinguishable from the number “1” in the spoofed email address. Now, when the accountant receives fraudulent wiring instructions from the spoofed email address, the accountant rarely checks to see if the sender is in fact the actual CEO, John Doe. The accountant believes he or she is following orders from the CEO. But the actual CEO has no knowledge of the transaction because the accountant was corresponding with the BEC cyber-criminal. Although spoofed email addresses look similar to legitimate email addresses, the content of BEC emails will often have grammatical or formatting errors and usually request payment under some false sense of urgency.

California has the unique distinction of being the number one target for cyber criminals in the United States, according to the FBI. Through the IC3 website, www.ic3.gov, set up exclusively for victims to report cyber-crime, the FBI compiles complaints from all fifty states to identify national cyber-crime trends, including the exponential growth of BEC. According to IC3 complaints submitted to the FBI in 2018, California leads the nation in total number of cyber-crime victims, over 49,000, and in total estimated financial loss to cyber-crime, over $450 million.

The recent example of Jane Doe highlights the growing risk of BEC here in Orange County. Jane Doe thought she had found the house of her dreams and negotiated a purchase price of approximately $1.2 million. Modern technology made buying the house easy using email to communicate with her agent, bank, and escrow company. Jane Doe was elated when the escrow company finally sent her an email with the wiring instructions to close the deal. She quickly wired the money to make her dream a reality. The following day, Jane Doe called her escrow company to confirm receipt of the funds. That is when her dream quickly became a nightmare. Jane Doe’s escrow company had never emailed wiring instructions to her nor received the $1.2 million. The email with wiring instructions was a fraudulent BEC. The cyber-criminal used a spoofed email address posing as Jane Doe’s escrow company, altered the wiring instructions, and duped Jane Doe into wiring her $1.2 million into a fraudulent bank account. Luckily, for Jane Doe, she contacted her bank immediately, and Orange County law enforcement was able to get back almost all of her $1.2 million in time for her to still close escrow and purchase her dream home. Unfortunately, the digital trail led overseas and the cyber-criminal was never caught.

Here are some simple suggestions to help protect you and your business from becoming a victim of BEC:

  • Always treat any email requesting payment by wire transfer with heightened scrutiny.
  • Always double-check the email address requesting payment by wire transfer to ensure it is a legitimate email address.
  • Look for grammatical or formatting errors or a “sense of urgency” in any email requesting payment by wire transfer.
  • Before sending a wire transfer, always call the intended recipient of the funds to confirm the wiring instructions are legitimate.
  • After sending the wire transfer, always call the intended recipient of the funds to confirm receipt of the funds.
  • Have a set protocol in place for wire transfers and ensure all employees follow protocol.
  • Have the contact information for your bank manager and local law enforcement agency readily available.

If you are a victim of BEC in Orange County, there are many resources available. However, time is of the essence. The United States banking system usually processes wire transfers within twenty-four to forty-eight hours after the initial request. Therefore, you must contact your bank as soon as possible after the funds have been wired to the fraudulent account. After contacting your bank, it is important to contact both your local law enforcement agency and the FBI. You can contact your local police agency through their non-emergency phone number and file a police report. For those living or doing business in an area patrolled by the Orange County Sheriff’s Department, the Sheriff has established Orange County’s first and only full-time, dedicated Cyber Crimes Detail which can be reached at 714-647-7000. In all other areas of the county, please contact your local police agency. Additionally, for victims of real-estate-related fraud throughout the county, including BEC wire fraud, the Orange County District Attorney’s office can be reached at REFraud@da.ocgov.com. The FBI maintains a specific website to report BEC crimes, found at www.bec.ic3.gov.

Rahul Gupta is a Senior Deputy District Attorney at Orange County District Attorney’s Office.