FinCEN Issues Updated Advisory on Business Email Compromise Fraud

On July 16, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an update to the September 6, 2018 advisory, "Advisory to Financial Institutions on E-mail Compromise Fraud Schemes." The updated advisory indicates a sharp rise in business email compromise (BEC) fraud across financial services and other industries.

BEC fraud involves attackers gaining access to an email account and spoofing the account owner’s identity for fraudulent purposes such as wire theft or other transfers of funds. Per FinCEN's advisory, since 2016, over 32,000 reports of BECs have been received by FinCEN, with attempted theft totals reaching nearly $9 billion.

The updated FinCEN advisory includes updated operational definitions of these crimes. BEC indicates any use of email to misdirect any kind of payment or transmittal of something of value. BEC typically targets the accounts of financial institutions or customers of institutions that are financial entities. Email account compromise (EAC) targets personal email accounts belonging to an individual.

Financial institutions are a prime target for BEC, with attacks typically spoofing bank domains and using falsified SWIFT information, among other methods. Other industries are likewise seen as frequent victims. Government organizations have been targeted, with fraud gaining access to funds for pensions, payrolls and contracted services. Educational institutions are a prime target, with over $50 million in recent attacks aimed at accessing high dollar transactions of donors, tuition payments, grants, etc. Real estate is an additional frequent target, due to the frequent transfers in that industry of large sums, and its lack of strong identification processes in financial transactions.

The FinCEN advisory includes the following trends and figures that reflect the growing rates of BEC fraud and its impact:

• Instances of BEC reported to FinCEN have risen from about 500 reports per month in 2016 to over 1,100 a month in 2018.
• BEC damage has risen from $110 million monthly in 2016 to over $300 million monthly in 2018.
• BEC targeting has spread across industries, with attacks hitting education, manufacturing and construction, commercial services, and real estate, in addition to financial services.
• Arrests related to BEC have risen, with 42 in the U.S., 29 in Nigeria, as well as arrests in Canada, Mauritius and Poland. 15 money mules have been charged as well.

ACA Guidance

In the updated risk advisory, FinCEN indicates that the chances for recovery of fraudulently wired funds is significantly greater when reported to law enforcement within 24 hours. Affected firms are advised to contact their local FBI office, the FBI’s Internet Crime Complaint Center, and the nearest United States Secret Service field office. Additionally, financial institutions are required to file Suspicious Activity Reports (SARs) at any instance of attempted BEC, whether the fraud attempt was successful or not. Further, a Financial Institutions Toll Free Hotline (866-556-3974) has been set up to report suspicious activities that may relate to terrorist activities.

ACA notes that it frequently is contacted after a BEC scam. Commonalities include misconfigured protections of Microsoft^® Office 365^® tenants (e.g., multi-factor authentication bypass mechanisms), and poor cash controls. Multiple firms that have contacted ACA directly have experienced multi-million dollar losses from BEC scams.

ACA recommends that firms take the following actions to prevent BEC fraud:

• Immediately evaluate and strengthen existing procedures for wire transfers
• Ensure that callbacks and voice identification are required elements in any significant transfer of funds or information
• Increase staff awareness of social engineering techniques (e.g., phishing, spoofing) via mandatory training exercises
• Include identification and prevention in training material while encouraging staff to challenge questionable, pressured orders that seem to come from organization higher-ups
• Ensure that similar strengthened procedures for business email security and fund transfer security are in place at third-party vendors, portfolio companies, or other related institutions

How We Help

We provide the following solutions that can help your firm ensure strong security preparedness, prevention, and response regarding business email compromise fraud:

• Microsoft^® Office 365^® security assessment
• Phishing testing and cyber awareness
• Cybersecurity and technology risk assessments
• Penetration testing and vulnerability assessments
• Policies, procedures and governance assistance
• Cyber incident response planning
• Vendor diligence and management
• Threat intelligence

Contact Us

For More Information

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com