The Federal Bureau of Investigation (“FBI”) issued Public Service Announcement (“PSA”) I-082715a, updating a previous PSA describing the “Business E-mail Compromise.” The FBI defines the Business E-mail Compromise as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” The attack often leads to the business wire transferring substantial funds (amounts in the hundreds of thousands or millions of dollars) directly to bogus bank accounts set up by the thieves. The majority of these attacks send funds to banks in the Far East.
These attacks have been highly successful for the attackers, resulting in losses of approximately $750 million from over 7,000 U.S. businesses according to the FBI. Including amounts reported from international companies and identified by international law enforcement agencies, a total of more than $1.2 billion in funds has been exposed during these attacks, with fraudulent transfers tracked to 72 different countries.
It is important to be aware of these attacks in order to prevent them, and if companies act quickly, it may be possible to recover some or all of the wired funds with some legal assistance.
One example of the Business E-mail Compromise that is being seen with increasing frequency is as follows:
- The e-mail accounts of high-level business executives (CEO, CFO, CTO, etc.) are targeted and/or compromised. Frequently, this is accomplished through a targeted phishing attack that gives the attacker access to the account, or by spoofing the account, mimicking the address with a slight variation such as using zeros in place of the letter “O” so that the address appears accurate. Next, the attacker sends a request (that looks like it comes from a legitimate high-level business executive) for a wire transfer from the compromised account to a second employee within the company who is normally responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.”
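The lookalike-address trick described above (a zero standing in for the letter “O”, and similar substitutions) can be caught at the mail gateway or in a SIEM rule before the request reaches the employee who processes wire transfers. The following is an added example written for this post, not code from the FBI PSA or from Norton Rose Fulbright; it assumes a hypothetical defended organisation that owns `example.com` and whose CEO is named “Jane Doe”, and it runs over a few constructed `From:` header values. It reduces a sender domain to a “skeleton” (lower-cased, accents stripped, digits and letter pairs mapped to the letters they resemble) and compares that, plus a one-character edit distance, against the trusted domain; it separately flags an executive's display name arriving from an untrusted domain.

```python
"""Flag lookalike and executive-impersonating senders in From: headers.

Added example (not from the original post). Assumptions: the defended
organisation owns example.com and "Jane Doe" is an executive whose name
attackers might put in a display name.
"""
from email.utils import parseaddr
import unicodedata

TRUSTED_DOMAINS = {"example.com"}      # assumption: the organisation's own domain
EXECUTIVE_NAMES = {"jane doe"}         # assumption: lower-cased executive names

# Single characters commonly substituted for the letters they resemble
# (zero for "o" is the substitution the post cites).
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})
# Letter pairs that render like one letter in many fonts.
_SEQ_MAP = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Canonical form in which visually similar spellings collide.

    Handles case, Latin accents (e.g. 'exámple'), digit-for-letter swaps and
    'rn'/'vv' pairs. It does not map homoglyphs from other scripts (e.g. a
    Cyrillic 'а'), which need a dedicated confusables table.
    """
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(c for c in s if not unicodedata.combining(c))  # strip accents
    s = s.translate(_CHAR_MAP)
    for seq, rep in _SEQ_MAP:
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'exec-impersonation' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike"
    # Executive's name in the display name but the mail comes from elsewhere.
    display = " ".join(name.lower().split())
    if any(exec_name in display for exec_name in EXECUTIVE_NAMES):
        return "exec-impersonation"
    return "external"


def scan(headers):
    """Classify a list of From: header values; returns [(address, verdict), ...]."""
    return [(parseaddr(h)[1], classify_sender(h)) for h in headers]


# Constructed sample headers (not real messages).
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',            # genuine internal sender
    '"Jane Doe" <jane.doe@examp1e.com>',            # digit "1" for letter "l"
    '"Jane Doe" <jane.doe@exarnple.c0m>',           # "rn" for "m", zero for "o"
    '"Jane Doe, CEO" <jane.doe.ceo@mail.invalid>',  # executive name, unrelated domain
    '"Vendor Billing" <billing@supplier.invalid>',  # ordinary external mail
]

if __name__ == "__main__":
    for addr, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:18} {addr}")
```

A `lookalike` or `exec-impersonation` verdict is a signal to route the message through the out-of-band verification the post recommends later, not proof of fraud on its own; the one-character edit-distance rule in particular will also match legitimate sister domains, so tune it against your own domain list.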
These attacks are sophisticated and require significant attention to detail and knowledge about the target company’s operations. Attackers often learn this information through social engineering and extensive research of the targets.
Norton Rose Fulbright has extensive experience representing businesses that have been targets of the Business E-mail Compromise and other similar attacks. Consistent with the trends reflected in the FBI’s updated PSA, our experience assisting with these types of attacks has shown that, over the last three years, frauds involving hacking of email accounts and internet banking, spoof emails, spoof cashier’s orders and other instruments and occasionally the impersonation of lawyers have increased dramatically in number and degree of sophistication. Furthermore, the amounts of money implicated in attacks that we have assisted in have increased from approximately $300,000 to more than $10 million.
Our experience assisting with these types of attacks has revealed several common trends and characteristics:
- Historically, these attacks tended to target banks and financial institutions; recently, however, the trend is for the attacks to be directed at bank customers.
- Targets tend to be businesses based in the United States, Canada, or Australia rather than Asia or Europe.
- Victims come from various industries, including retail, manufacturing, technology, and law firms.
- The attackers frequently appear to be based in Asia; however, these appearances can be misleading.
- The attackers may be based elsewhere and the people in Asia may be merely executing the scams.
- We have assisted the victims of these attacks by taking legal action in Hong Kong, which is where the funds are often received.
- There are several theories circulating about who is behind these scams, including stories attributing attacks to large crime syndicates and even to the authorities of certain countries.
- Although various law enforcement agencies involved in investigating these attacks tend to co-operate with one another, they do not seem to be taking any effective action to curtail criminal activity.
- A common tactic is for the attackers to divide the stolen funds and transfer them again and again to multiple bogus bank accounts so that tracing the funds becomes so time consuming and costly that the victim eventually gives up.
- As such, some companies may choose to pursue recovery from the banks involved based on their failure to carry out proper due diligence on corporate customers when allowing them to open bank accounts.
- Companies are also looking at claims against the providers of software sold to reduce or exclude the risk of cyber attacks.
- Our experience has shown that one contributing factor to the attacks is that the bank account opening procedures in Hong Kong tend to be perfunctory.
- Frequently, accounts can be opened using only a copy of the back page of a foreign passport.
- Banks will sometimes not conduct full due diligence on business accounts, allowing accounts to be opened by individuals acting as sole director/shareholder of shell companies created a few months earlier.
- The Hong Kong Monetary Authority has recently penalised one foreign bank for failures in this respect.
- The Hong Kong courts have seen a substantial increase in the number of injunction applications to freeze bank accounts in an effort to recover funds from fraudulent transfers.
Businesses must remain vigilant and educate employees about how to prevent being victimized by the Business E-mail Compromise and other similar attacks. Several important lessons can be learned from recent attacks:
- Businesses should require communications other than email when effecting wire transfers and other financial transactions. Insist on either face-to-face meetings or pre-arranged telephone contact between individuals who know each other before starting funds transfers. If email is still required, a second factor of authentication outside the email channel should be implemented to authenticate transaction requests.
- Management should segregate the process for transferring funds or arranging for vital details such as bank account numbers to be sourced from two known individuals by different means.
- Individuals involved in financial transactions should verify all transaction instructions received by email, fax message, or unexpected telephone call. When verifying these transactions, avoid relying entirely on email communication.
- Quick action following a wire transfer significantly increases the likelihood of recovering funds and amounts recovered. If a transfer can be caught while at the first bank before being split up and transferred and retransferred to other financial institutions, it is much more likely to be successfully recovered. Unfortunately, companies frequently avoid acknowledging these incidents right away and, therefore, tend to respond slowly. Inaction or delaying action provides the attackers more time to move funds, making them harder to recover.
- Companies should inquire about and evaluate the need for insurance coverage to protect against potential losses from these attacks.
- Additional information and recommendations are publicly available on the United States Department of Justice website and in its publication entitled “Best Practices for Victim Response and Reporting of Cyber Incidents.”
Implementing proper procedures can significantly reduce the likelihood of these attacks being successful. Norton Rose Fulbright has a global network of lawyers, including a team in Hong Kong, with experience responding to these incidents and, as a result, has successfully recovered millions of dollars for clients that have fallen victim to these attacks. In addition, we can provide training to companies to assist in implementing procedures to protect against these attacks and allow for quick response in the event that an attack is successful.