Piracy of the 21st Century – The Business E-Mail Compromise Scam
The business climate today is dominated by computers and cyber threats are becoming more and more common. The Business E-Mail Compromise ("BEC") is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The E-mail Account Compromise ("EAC") component of BEC targets the specific e-mail addresses of individuals or accounting departments that perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to induce the transfer of funds from legitimate businesses to fraudulent accounts.
We have seen an increase in exposure and claims from companies who engage in international transactions and deal with business counterparts around the world falling victim to these scams. In discussions with agents from the FBI Internet Crime Complaint Center, we have been advised that while most people are sensitive to the old versions of e-mail scams (think of the "Nigerian Prince" scam or the spam e-mail confirming that you have won a large sum of money just by clicking a link), the new generation of BEC/EAC scams is increasingly sophisticated. International shipping in particular is a vulnerable target, as the buyers and sellers in the transaction interact with each other primarily through e-mail.
The BEC/EAC scam is carried out by compromising legitimate business e-mail accounts in order to identify the individuals and protocols necessary to perform wire transfers. The basic scenario is that a business, which often has a long-standing business relationship with a supplier, is requested to wire funds for invoice payment to an alternate, fraudulent account. This request is usually made by e-mail and will appear to be from a legitimate address of what the victim company believes is their actual business partner. However, these "spoof" emails are entirely fraudulent and not from the real supplier/seller at all. These fraudulent e-mails are well-worded, specific to the business and/or transaction being victimized, have copies of the invoice and other business documents relevant to the transaction (previously stolen from the compromised e-mail account), and do not raise suspicions as to the legitimacy of the request. Charterers and Owners conducting numerous international transactions with bunker suppliers around the world are particularly susceptible to these e-mail scams. The reasons why these scams are successful are numerous, including:
- The targeted victims regularly complete deals over the internet;
- Shipping companies transact most deals through e-mail and international wire transfers;
- The e-mail communications are conducted in English, which often is not the primary language of the individuals completing the transaction, so grammatical and/or spelling errors are not a red flag;
- Shipping companies and service providers often have numerous affiliates, subsidiaries, and/or related companies located in countries around the world (all of which would have bank accounts);
- The shipping industry is uniquely sensitive to pre-judgment arrest/attachment of assets and bank accounts around the world, so many companies in the industry have numerous legitimate business bank accounts in several different jurisdictions.
Attempting to recover funds transferred as a result of this fraud scheme is very difficult. Once the fraudulent transfer is made, the funds are quickly transferred out of the originating account and to the beneficiary account. The funds can be available to the fraudulent account holder within one (1) business day. While an "alternate" account located in many countries would raise a red flag, having an alternate account in the United States does not raise the same concerns, which is why the scheme has been so successful. Transfers by victims of the scam are made and the funds are withdrawn from the fraudulent account, many times before anyone is aware that anything is amiss. Unfortunately, the law in the United States is very protective of financial institutions. In the U.S., a bank owes no duty to a noncustomer. Eisenberg v. Wachovia Bank, N.A., 301 F.3d 220 (4th Cir. 2002). "[T]he mere fact that a bank account can be used in the course of perpetrating a fraud does not mean that banks have a duty to persons other than their own customers. To the contrary, the duty is owed exclusively to the customer, not to the persons with whom the customer has dealings." Id. at 225-26. Additionally, the federal statute requiring banks to identify their customers, the Bank Secrecy Act, does not create a duty to the noncustomer or a private cause of action. In re Agape Litig., 681 F. Supp. 2d 352 (E.D.N.Y. 2010); SFS Check, LLC v. First Bank of Del., 990 F. Supp. 2d 762 (E.D. Mich. 2013); AmSouth Bank v. Dale, 386 F.3d 763 (6th Cir. 2004); James v. Heritage Valley Fed. Credit Union, 197 F. App'x 102, 106 (3rd Cir. 2006). Banks located in the United States are not helpful to victims of the scam or the authorities investigating the fraud. U.S. banks have to be compelled through subpoena or Court Order to provide information about the account, even once it is known to them that the account was fraudulent and used in the commission of a crime.
We recommend several strategies in order to combat this latest iteration of the BEC/EAC scam to protect your company or member. Businesses with an increased awareness and understanding of the BEC/EAC scam are more likely to recognize when they have been targeted, and are therefore more likely to avoid falling victim and sending a fraudulent payment. Educating those employees and departments "on the front line" – those with the power to make wire transfers – will alert them to keep an eye out for potential scam attempts. Self-protection strategies include, inter alia:
- Avoid free web-based e-mail accounts. Establish a company domain name and use it to create secure company e-mail accounts.
- Be suspicious of e-mails requesting secrecy or which pressure you to take quick/urgent action.
- Consider additional financial security procedures, such as a two-step verification process for sending wire transfers, especially when asked to send to a new or unknown account. For example, make a telephone call to the accounting department of the contractual partner to verify the account details. The phone call should be to a phone number you have previously been provided; DO NOT use a phone number given in the email requesting the wire transfer.
- Prior to initiating the wire transfer, request the account holder's name and address.
- Beware of sudden changes in business practices. If a business contact suddenly asks to be contacted via a personal e-mail address, or if an e-mail chain that previously included three (3) or four (4) addresses suddenly changes, the request may be fraudulent.
- Carefully scrutinize all e-mail requests for transfers of funds, especially the e-mail addresses. Often the e-mail address will be similar to, but not exactly the same as, the actual e-mail address of the legitimate supplier/seller.
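As an added illustration of the checks in the list above (this is not code from the original article or the firm), the following Python sketch screens a payment-request e-mail for three of the red flags described: a sender domain that merely resembles a known partner's domain, a bank account that has not been verified out of band for that partner, and urgency or secrecy language. The partner domains, account numbers and keywords are constructed placeholders.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Constructed, hypothetical counterpart data: domains you have actually dealt with, and the
# bank accounts previously verified for each of them by telephone (never from the e-mail itself).
KNOWN_DOMAINS = {"example-bunkers.com", "harbour-supply.co"}
KNOWN_ACCOUNTS = {"example-bunkers.com": {"DE89370400440532013000"}}
URGENCY_WORDS = ("urgent", "immediately", "confidential", "do not discuss")


def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1e-bunkers.c0m' compares as 'example-bunkers.com'."""
    d = domain.lower()
    for bad, good in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(bad, good)
    return d


def domain_verdict(sender: str) -> Tuple[str, Optional[str]]:
    """Return ('known', domain), ('lookalike', closest_known_domain) or ('unknown', None)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in KNOWN_DOMAINS:
        return "known", domain
    best, score = None, 0.0
    for known in KNOWN_DOMAINS:
        ratio = SequenceMatcher(None, normalise(domain), normalise(known)).ratio()
        if ratio > score:
            best, score = known, ratio
    # 0.8 is a constructed threshold: near-identical after folding, but not an exact match.
    return ("lookalike", best) if score >= 0.8 else ("unknown", None)


def assess_payment_request(sender: str, body: str) -> List[str]:
    """List the red flags a wire-transfer request raises; an empty list means none were found."""
    flags = []
    verdict, counterpart = domain_verdict(sender)
    if verdict == "lookalike":
        flags.append(f"sender domain resembles known partner {counterpart} but is not identical")
    elif verdict == "unknown":
        flags.append("sender domain has no prior business relationship")
    # Any IBAN-shaped account number that was not verified by phone for this counterpart is "new".
    for iban in re.findall(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b", body):
        if iban not in KNOWN_ACCOUNTS.get(counterpart, set()):
            flags.append(f"payment to account {iban} not previously verified for this counterpart")
    if any(word in body.lower() for word in URGENCY_WORDS):
        flags.append("request uses urgency or secrecy language")
    return flags
```

A non-empty result is the cue to pick up the phone and call the number you already have on file, not to reply to the e-mail.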
If funds are transferred to a fraudulent account, it is important to act quickly. Immediately contact your financial institution upon discovering the fraud. Request that your financial institution contact the corresponding financial institution where the transfer was sent, so a hold may be placed on the account before the funds are withdrawn.
If you believe you have been a victim of the BEC/EAC scam, we may be able to help. Chalos & Co, P.C. has experience liaising with the FBI, working with local state authorities, and subpoenaing bank records and can aid in returning the funds and/or freezing the fraudulent account.
For more information, please do not hesitate to call on us at firstname.lastname@example.org.