Tuesday, July 23, 2019

FinCEN: BEC far worse than previously believed

Last week FinCEN, the Financial Crimes Enforcement Network, put out a new advisory on Business Email Compromise (BEC), and the picture it paints is far worse than anything previously disclosed.
FinCEN Advisory: FIN-2019-A005

The FBI's Internet Crime Complaint Center (IC3.gov) has previously called BEC a $12 Billion Scam.  As we shared in April in our post IC3.gov: BEC Compromises and Romance Fraud 2018, IC3.gov documented that during calendar 2018 $1.2 Billion was stolen from 19,140 companies just in the United States.  That averages out to $3.3 Million stolen each day, with 52 U.S.-based businesses falling victim each day.  But the IC3.gov figures are based only on reports received from victims who fill out a Complaint Form on the IC3.gov website, so they can only count the victims who chose to report.  We strongly encourage victims to report at IC3.gov, as it offers the ability to provide many additional investigative details.

Victims are STRONGLY encouraged to report at IC3.gov! 
FinCEN's approach draws on a different intelligence source, the Suspicious Activity Reports filed by financial institutions, and what it found is far worse than what the FBI has reported.  From October 2013 until May 2018, the FBI's IC3.gov gathered reports of $12 Billion in fraud, from all sources, both domestic and international.  FinCEN's previous BEC advisory shared that from 2013 to 2016, 22,000 cases of Business E-mail Compromise and E-mail Account Compromise had been identified, with $3.1 billion in losses, or roughly $1 Billion per year.  That September 6, 2016 advisory was "Advisory to Financial Institutions on E-Mail Compromise Fraud Schemes" [FIN-2016-A003].  FinCEN's current advisory states that the new information is complementary to the 2016 advisory, and that the 2016 advisory contains many important details that will still be helpful to consumers and business account holders alike.

United States Businesses and Consumers have suffered $9 Billion in BEC Fraud Attempts since September 2016!
By comparison, FinCEN reports that JUST SINCE September 2016 it has been able to document 32,000 cases of attempted theft via BEC fraud schemes, totaling $9 Billion in theft attempts.  The rate of attempted theft has roughly tripled, from about $1 Billion per year to about $3 Billion per year.  $9 Billion since September 2016 works out to approximately $8.7 MILLION DOLLARS PER DAY!

Some of the current top trends include:

Top Sectors Targeted in BEC:

1. Manufacturing and construction (25% of all cases)
2. Commercial services (18% of all cases)
3. Real Estate (16% of all cases)

The impersonation of top executives is still a major method of social engineering in these email attacks.  50% of attacks use an email claiming to be a CEO or President of the company.

Other Top Targets by Value in BEC: 
1. Governments - many governments have been targeted, especially small municipal government offices.  Targets often include pension funds, payroll accounts, and contracted services (which may be matters of public record.)  Vendor impersonation in the latter case is especially prevalent.

2. Educational Institutions - In 2016 alone, 160 incidents attempted to steal $50 million from educational institutions, and while in 2017 only 2% of attacks were against schools, the dollar value was far higher than average.  Tuition payments, endowments, grants, and renovation and construction costs are all high value transactions often conducted online.  Again, watch for vendor impersonation!  Large-scale construction and renovation projects are often publicly announced, attracting scammers to the same projects.

3. Financial Institutions - while not a high percentage by sector, the attempted theft against FIs themselves often involves very high dollar values.  These often come in the form of SWIFT payment requests (used in international wire transfers).

The First Hop is Domestic
While previous advisories mentioned that money is often sent overseas, it is important to understand that the INITIAL transfer of funds will likely stay domestic.  A person recruited as a money mule will often have opened the intermediary account in their own name or in the name of a fraudulent business they created for the purpose.  AFTER the first hop, the money is still likely to move quickly to China, Hong Kong, the United Kingdom, Mexico, or Turkey.  Often these money mules are recruited through Romance Scams, but others join willingly, knowing they are earning a commission for helping criminals launder money.  This quick "wire in - wire out" is referred to in the criminal world as "wire-wire jobs" and is the inspiration for the FBI and U.S. Secret Service (USSS) "Operation: Wire Wire" that we blogged about in a series of articles in June of 2018:
One other blog post of ours that "walks through" a case, end-to-end, including the mule's role:

Vulnerable Business Processes Compromised
FinCEN states that "BEC perpetrators identify processes vulnerable to compromise, whether through openly available information about their targets or through cyber-enabled reconnaissance efforts (enabled through methods such as spear phishing or malware), and then insert themselves into communications by impersonating a critical player in a business relationship or transaction."

These scams are enabled by "weaknesses in the victim's authorization and authentication protocols." 

The most common type of scam simply involves a request to change the payment destination of an already approved transaction.  If your business would allow someone to change where a six- or seven-figure payment is being sent on the strength of a single email, you are far more likely to be chosen as a victim than a business that requires rigorous vetting of such a change, for example a call back to the vendor at a phone number already on file, not one supplied in the email.
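As an added illustration of that difference, here is a small Python model of the two control patterns. It is example code written for this post, not anything from FinCEN or the advisory; the vendor, payment, request, phone numbers and approver names are all constructed. The weak path changes the beneficiary account because an email asked for it; the hardened path refuses to apply the change until a callback to the phone number already on the vendor master record confirms it, and two internal approvers other than the clerk who keyed the request have signed off.

```python
"""Payment-destination change control: the weak path beside a hardened one.
Added example; the vendor record, approved payment and email-derived change
request are constructed and come from neither FinCEN nor this post's authors."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPLIED = "applied"
    HELD = "held"        # waiting on out-of-band verification or approvals
    REJECTED = "rejected"


@dataclass
class Vendor:
    vendor_id: str
    bank_account: str    # account currently on file
    callback_phone: str  # from the vendor master record, never from an email


@dataclass
class Payment:
    payment_id: str
    vendor_id: str
    amount: float
    approved: bool


@dataclass
class ChangeRequest:
    payment_id: str
    new_account: str
    from_email: str      # address the request arrived from
    phone_in_email: str  # the "call me to confirm" number the email supplied


def weak_apply(vendors, payments, req):
    """Vulnerable pattern: the destination changes on the strength of one email."""
    pay = payments[req.payment_id]
    vendors[pay.vendor_id].bank_account = req.new_account
    return Decision.APPLIED


@dataclass
class HardenedApprover:
    vendors: dict
    payments: dict
    min_approvers: int = 2
    confirmed: set = field(default_factory=set)    # (payment_id, account) confirmed by callback
    denied: set = field(default_factory=set)       # (payment_id, account) disowned by the vendor
    approvals: dict = field(default_factory=dict)  # payment_id -> set of internal approvers

    def record_callback(self, payment_id, account, number_dialed, vendor_confirms):
        """Out-of-band check: only a call to the number already on file counts."""
        vendor = self.vendors[self.payments[payment_id].vendor_id]
        if number_dialed != vendor.callback_phone:
            return False  # a number taken from the email is attacker-controlled
        (self.confirmed if vendor_confirms else self.denied).add((payment_id, account))
        return True

    def approve(self, payment_id, approver):
        self.approvals.setdefault(payment_id, set()).add(approver)

    def apply(self, req, entered_by):
        """entered_by is the clerk who keyed the request; they cannot also approve it."""
        pay = self.payments.get(req.payment_id)
        key = (req.payment_id, req.new_account)
        if pay is None or not pay.approved or key in self.denied:
            return Decision.REJECTED
        if key not in self.confirmed:
            return Decision.HELD
        if len(self.approvals.get(req.payment_id, set()) - {entered_by}) < self.min_approvers:
            return Decision.HELD
        self.vendors[pay.vendor_id].bank_account = req.new_account
        return Decision.APPLIED


def demo():
    """Runs the constructed scenario and returns each step's outcome."""
    def fresh():
        return ({"V-100": Vendor("V-100", "111222333", "+1-205-555-0100")},
                {"P-0731": Payment("P-0731", "V-100", 350_000.00, approved=True)})

    req = ChangeRequest("P-0731", "999888777", "ap@vendor.example", "+1-212-555-0199")
    out = {}

    vendors, payments = fresh()                      # weak control: one email is enough
    out["weak"] = weak_apply(vendors, payments, req)
    out["weak_account"] = vendors["V-100"].bank_account

    vendors, payments = fresh()                      # hardened control, fraudulent request
    hard = HardenedApprover(vendors, payments)
    out["no_callback"] = hard.apply(req, entered_by="clerk1")
    out["dialed_email_number"] = hard.record_callback(
        req.payment_id, req.new_account, req.phone_in_email, vendor_confirms=True)
    hard.record_callback(req.payment_id, req.new_account,
                         vendors["V-100"].callback_phone, vendor_confirms=False)
    out["vendor_denies"] = hard.apply(req, entered_by="clerk1")
    out["hard_account"] = vendors["V-100"].bank_account

    vendors, payments = fresh()                      # hardened control, genuine change
    hard = HardenedApprover(vendors, payments)
    hard.record_callback(req.payment_id, req.new_account,
                         vendors["V-100"].callback_phone, vendor_confirms=True)
    hard.approve(req.payment_id, "clerk1")           # the clerk's own approval does not count
    hard.approve(req.payment_id, "controller")
    out["one_real_approver"] = hard.apply(req, entered_by="clerk1")
    hard.approve(req.payment_id, "cfo")
    out["two_approvers"] = hard.apply(req, entered_by="clerk1")
    return out
```

Calling `demo()` returns the outcome of each step: the weak control applies the fraudulent account immediately; the hardened control holds the request until a callback happens, ignores a call placed to the number the email supplied, rejects the request once the vendor reached on the number on file disowns the change, and applies a genuine change only after a second approver independent of the clerk signs off.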

Opportunities for Information Sharing Related to BEC Fraud
The USA PATRIOT Act provides the ability for financial institutions to share information with one another to stop money laundering.  These requests are known as 314(b) requests and are a specifically protected form of information sharing.  (Fun fact: Did you know USA PATRIOT is an acronym?  "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.")  The FinCEN 314(b) Fact Sheet is available at:

https://www.fincen.gov/sites/default/files/shared/314bfactsheet.pdf

WHAT SHOULD WE SHARE?

If you receive a request to wire funds or change a payment destination, or otherwise come into possession of information about a BEC scam, FinCEN lists the particular details that would be most helpful to law enforcement: 

Transaction details: 
1) Dates and amounts of suspicious transactions; 
2) Sender’s identifying information, account number, and financial institution; 
3) Beneficiary’s identifying information, account number, and financial institution; and 
4) Correspondent and intermediary financial institutions’ information, if applicable. 

Scheme details: 
1) Relevant email addresses and associated Internet Protocol (IP) addresses with their respective timestamps; 
2) Description and timing of suspicious email communications and any involved compromised or impersonated parties; and 
3) Description of related cyber-events and use (or compromise) of particular technology in the conduct of the fraud. For example, financial institutions should consider including any of the following information or evidence related to the email compromise fraud: 
  a) Email auto-forwarding 
  b) Inbox sweep rules or sorting rules set up in victim email accounts 
  c) A malware attack 
  d) The authentication protocol that was compromised (i.e., single-factor or multi-factor, one-step or multi-step, etc.)
For those who have the ability to file a SAR (a Suspicious Activity Report), FinCEN also requests that you select SAR Field 42 (Cyber Event) for all of these scams, and then mark the report with the key term "BEC FRAUD" or "EAC FRAUD" to differentiate between business victims and personal account victims.  Here is their guidance on both terms:
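Items a) and b) in the list above are indicators an investigator can pull from the mailbox itself. The following Python is an added example, not code from FinCEN or from this post's authors, that flags those indicators in an exported set of mailbox rules. The records are constructed and loosely modelled on the shape of the Microsoft Graph `messageRule` resource (a `conditions` object and an `actions` object), with folder names substituted for the folder IDs Graph actually returns; the organisation domain `example-corp.com`, the addresses, and the finance keyword list are assumptions to adapt to your own environment.

```python
"""Flag mailbox rules matching the indicators FinCEN asks filers to report:
auto-forwarding, and inbox sweep/sorting rules planted in a victim's account.
Added example; the export below is constructed and loosely follows the shape of
Microsoft Graph's messageRule (conditions/actions), with folder names in place
of folder IDs. Domain, addresses and keyword list are assumptions."""
import re

ORG_DOMAIN = "example-corp.com"   # assumption: the victim organisation's mail domain
FINANCE_TERMS = re.compile(
    r"\b(invoice|bill(ing)?|payment|remit|wire|bank|ach|swift|iban|vendor|password|verify)\b",
    re.I)
# Folders a user rarely opens, where attackers file mail they want hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def _addresses(recipients):
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def _external(addr, org_domain):
    return not addr.endswith("@" + org_domain)


def _rule_terms(conditions):
    """All keyword-style conditions collapsed into one string for matching."""
    terms = []
    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains",
                "senderContains", "headerContains"):
        terms.extend(conditions.get(key, []))
    terms.extend(_addresses(conditions.get("fromAddresses")))
    return " ".join(terms)


def analyse_rule(mailbox, rule, org_domain=ORG_DOMAIN):
    """Returns (mailbox, rule name, reason) tuples for one rule."""
    findings = []
    if not rule.get("isEnabled", True):
        return findings
    name = rule.get("displayName", "")
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    # 1. Forwarding or redirecting outside the organisation copies the thread to the fraudster.
    for act in FORWARD_ACTIONS:
        for addr in _addresses(actions.get(act)):
            if _external(addr, org_domain):
                findings.append((mailbox, name, f"{act} to external address {addr}"))
    # 2. Sweep rule: finance-related mail is deleted or filed out of sight, often marked read,
    #    so the account holder never sees the vendor's "did you really change banks?" reply.
    hides = actions.get("delete") or actions.get("moveToFolder", "").lower() in HIDING_FOLDERS
    terms = _rule_terms(conditions)
    if hides and (FINANCE_TERMS.search(terms) or actions.get("markAsRead")):
        findings.append((mailbox, name, f"sweep rule hides mail matching '{terms.strip()}'"))
    # 3. Empty or dot-only rule names are a common attacker habit; reported only alongside 1 or 2.
    if len(name.strip(". ")) == 0 and (findings or hides):
        findings.append((mailbox, name, "rule has an empty or placeholder name"))
    return findings


def analyse_mailboxes(export, org_domain=ORG_DOMAIN):
    """export: {mailbox: {"forwardingSmtpAddress": str|None, "rules": [rule, ...]}}"""
    findings = []
    for mailbox, data in export.items():
        fwd = (data.get("forwardingSmtpAddress") or "").lower().replace("smtp:", "")
        if fwd and _external(fwd, org_domain):   # mailbox-level forwarding, outside any rule
            findings.append((mailbox, "<mailbox setting>", f"mailbox-level forwarding to {fwd}"))
        for rule in data.get("rules", []):
            findings.extend(analyse_rule(mailbox, rule, org_domain))
    return findings


# Constructed sample export: one compromised accounts-payable mailbox and one clean one.
SAMPLE_EXPORT = {
    "ap.clerk@example-corp.com": {
        "forwardingSmtpAddress": None,
        "rules": [
            {"displayName": "Newsletters", "isEnabled": True,
             "conditions": {"senderContains": ["newsletter"]},
             "actions": {"moveToFolder": "Reading", "stopProcessingRules": True}},
            {"displayName": ".", "isEnabled": True,
             "conditions": {"bodyOrSubjectContains": ["invoice", "wire", "bank details"]},
             "actions": {"forwardAsAttachmentTo":
                             [{"emailAddress": {"address": "ap.clerk.backup@gmail.example"}}],
                         "moveToFolder": "RSS Feeds", "markAsRead": True}},
            {"displayName": "cleanup", "isEnabled": True,
             "conditions": {"fromAddresses":
                                [{"emailAddress": {"address": "billing@vendor.example"}}]},
             "actions": {"delete": True}},
        ],
    },
    "cfo@example-corp.com": {
        "forwardingSmtpAddress": "smtp:cfo@example-corp.com",   # internal, benign
        "rules": [{"displayName": "Board", "isEnabled": True,
                   "conditions": {"subjectContains": ["board pack"]},
                   "actions": {"moveToFolder": "Board"}}],
    },
}
```

Running `analyse_mailboxes(SAMPLE_EXPORT)` reports four findings, all on the AP clerk's mailbox: the "." rule both forwards finance mail to an outside address and files it under RSS Feeds as read, and the "cleanup" rule silently deletes everything from the vendor's billing address. Those are exactly the auto-forwarding and sweep-rule details that belong in the SAR narrative, alongside the authentication method in force when the account was taken over (item d).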

Email Compromise Fraud: Schemes in which 1) criminals compromise the email accounts of victims to send fraudulent payment instructions to financial institutions or other business associates in order to misappropriate funds or value; or in which 2) criminals compromise the email accounts of victims to effect fraudulent transmission of data that can be used to conduct financial fraud. The main types of email compromise, the definitions of which have been modified to reflect the expansion of victims being targeted, include: 

Business Email Compromise (BEC): Targets accounts of financial institutions or customers of financial institutions that are operational entities, including commercial, non-profit, nongovernmental, or government entities. 

Email Account Compromise (EAC): Targets personal email accounts belonging to an individual.