The Financial Crimes Enforcement Network (FinCEN) has issued an advisory to make financial institutions and related entities aware of growing e-mail fraud schemes. Below are some highlights from the advisory.
* Two main types of e-mail fraud
o Business E-Mail Compromise (BEC) - where the targets are a financial institution's commercial customers
o E-mail Account Compromise (EAC) - where the targets are a victim's personal account
* Since 2013 there have been approximately 22,000 reported cases of BEC/EAC, involving $3.1 billion
* Three Main Stages of BEC/EAC Schemes
o Stage 1 - Compromise Victim Information and E-Mail Account
- Performed through social engineering where the criminals exploit e-mail weaknesses to obtain sensitive information about a transaction or parties
o Stage 2 - Transmitting Fraudulent Transaction Instructions
- Criminals use the information obtained above to redirect funds through changed wire instructions
o Stage 3 - Executing Unauthorized Transactions
- Criminals trick the employee of a financial institution into effectuating wire transfers that appear legitimate but are in fact unauthorized. Often this involves foreign bank accounts located in China/Asia.
* Common BEC and EAC Fraud Red Flags
o New transaction instructions which contradict previously received instructions
o Different email account providing new instructions. Note these are often subtle
o Instructions directing payment to a beneficiary not a party to the transaction
o Instructions directing wire transfers to foreign banks - note ALTA Best Practices recommends that international wire blocks be on all escrow accounts, if available.
o Emails with language marked Urgent/Secret/Confidential
o Emails with instructions that, if followed, will not allow the parties to adequately vet the sender or the changes.
- Note that ITIC requires verification of all wire instructions received via email prior to instituting a wire transfer.
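
The red flags above can be screened for mechanically before a person verifies the instructions. The following is an added example, not part of the FinCEN advisory or this summary; the field names, the 0.9 similarity threshold, and the sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

PRESSURE = re.compile(r"\b(urgent|secret|confidential)\b", re.I)

def lookalike(addr, known, threshold=0.9):
    """True when addr is not the known address but is nearly identical to it."""
    a, k = addr.lower(), known.lower()
    return a != k and SequenceMatcher(None, a, k).ratio() >= threshold

def red_flags(msg, on_file):
    """List the red flags raised by one e-mailed wire instruction.
    msg and on_file are dicts; their field names are assumptions."""
    flags = []
    if msg["account"] != on_file["account"]:
        flags.append("contradicts_prior_instructions")
    known = [a.lower() for a in on_file["known_senders"]]
    if msg["sender"].lower() not in known:
        # A one-character change in the address is the "subtle" case.
        subtle = any(lookalike(msg["sender"], k) for k in known)
        flags.append("lookalike_sender" if subtle else "new_sender")
    if msg["beneficiary"].lower() not in [p.lower() for p in on_file["parties"]]:
        flags.append("beneficiary_not_a_party")
    if msg["bank_country"] != on_file["home_country"]:
        flags.append("foreign_bank")
    if PRESSURE.search(msg["subject"] + " " + msg["body"]):
        flags.append("pressure_language")
    return flags

# Constructed sample data (not from the advisory).
ON_FILE = {
    "account": "000111222",
    "known_senders": ["closer@example-title.test"],
    "parties": ["Jane Seller", "John Buyer"],
    "home_country": "US",
}
SPOOFED = {
    "sender": "closer@examp1e-title.test",  # digit 1 in place of letter l
    "subject": "URGENT: updated wire instructions",
    "body": "Please keep this confidential and wire today.",
    "account": "999888777",
    "beneficiary": "Acme Holdings Ltd",
    "bank_country": "XX",  # placeholder for any non-home country
}
CLEAN = dict(SPOOFED, sender="closer@example-title.test", subject="Closing",
             body="Wire details unchanged.", account="000111222",
             beneficiary="Jane Seller", bank_country="US")

if __name__ == "__main__":
    print(red_flags(SPOOFED, ON_FILE))
    print(red_flags(CLEAN, ON_FILE))
```

An empty result does not replace the verification step noted above; it only means none of the listed flags were raised.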