Business E-Mail Compromise: Cyber-Crime Hits New Heights

Cyber-attacks and cyber-crimes are becoming increasingly prominent in the news. They take on various forms such as computer viruses, identity theft, illegitimate requests to confirm banking information, invoices from fictitious suppliers, fraud and misappropriation of funds, to name just a few.

One of the latest internet-based scams that merits close scrutiny involves the impersonation of a chief executive and the international transfer of funds. The FBI calls this “Business E-Mail Compromise” (BEC).

While the scenarios involved in these crimes are varied and sophisticated, there are certain essential elements common to this kind of scam, including: a purportedly exceptional situation; the urgent and highly confidential nature of a contemplated transaction; the need for an immediate transfer of funds; and the high degree of confidence seemingly held by the chief executive toward a particular employee, who is “ordered” to act.

Consider the following example. An employee in the company’s financial department receives an email that is apparently from the president of the company, who is currently away on a business trip, as the employee knows. The “president” informs the employee that he needs a substantial amount of money transferred to a foreign bank account as soon as possible so that he can close an exceptional and highly confidential transaction. He has contacted this particular employee, the email states, because he has confidence in him and knows he can count on his complete and utter discretion in connection with this highly strategic corporate transaction. The email contains the necessary wire transfer information and the name of a so-called lawyer who will contact the employee shortly with further information. Sure enough, moments later the employee receives a telephone call from someone purporting to be a lawyer, who supplies further details regarding the transaction as well as the additional psychological pressure necessary to convince the employee to proceed as indicated by his “boss”. These ploys are often perpetrated on a Friday in order to give the fraudsters a weekend’s leeway before anyone in authority starts asking questions.

Thus, all it takes in these situations is one or two emails and telephone calls over a few short minutes to set in motion an extremely harmful operation that can have dramatic consequences for the targeted company. In some cases, the amount of the transfer will be enough to threaten its very viability, forcing it into bankruptcy and entailing the laying off of all its employees.

According to various studies and reports in the media, this scourge has already affected more than 700 businesses in France and several thousand in the United States. In Quebec, an article published in the business section of the website lapresse.ca reported that the Quebec provincial police were, at the time, aware of 19 such cases in the province. In three of these, the targeted companies were defrauded of amounts in the order of $7.5 million. The article also indicated that the Quebec City police were investigating six further such cases at that particular point in time (November-December 2014). Moreover, the Montreal police force, on its website under the heading “Fraud targeting businesses”, warns companies about scams of this nature.

Some people may think that this kind of scam could never happen to them, but these international fraudsters are highly sophisticated. The targeted companies are not chosen at random, and the employee who is contacted by them has been carefully selected through social engineering, using information available on the internet, social media and corporate registries regarding the company, its key employees, the writing style and habits of the chief executive (including his or her travel schedule and business trips), the hierarchical status of the targeted employee, etc. All that information can be used in combination to make the scenario seem entirely plausible.

These fraudsters generally use untraceable computers and cell phones, such that once the transfer of funds has been completed, it becomes very difficult to locate the culprits and the misappropriated money. Moreover, the email address initially used is generally almost identical to the actual email address of the chief executive (a comma or a period can make all the difference). The targeted employee thus suspects nothing.
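The lookalike-address trick described above is something a mail gateway or a finance team's inbox rule can check for mechanically. The following is an added example, not code from the article or from any of the police or law-enforcement bodies it mentions: it parses a From: header, compares it against a constructed directory of executives (the names, addresses and the example.com domain are hypothetical), and reports two kinds of findings that a verification step should trigger on: an executive's display name attached to an address that is not theirs, and an address within a couple of character edits of a real one (an inserted period, a swapped letter, a near-identical domain).

```python
from email.utils import parseaddr

# Constructed directory of executives whose identity is worth impersonating.
# Hypothetical names and domain; nothing here comes from the article.
TRUSTED_SENDERS = {
    "jane.doe@example.com": "Jane Doe",
    "ceo@example.com": "Jane Doe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes or
    substitutions needed to turn a into b. One row of the DP table is kept."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize_name(name: str) -> str:
    """Case-fold and collapse whitespace so 'jane  DOE' matches 'Jane Doe'."""
    return " ".join(name.lower().split())


def flag_sender(from_header: str, trusted=TRUSTED_SENDERS, max_distance: int = 2):
    """Return the reasons a From: header looks like executive impersonation.
    An empty list means the address is either a known executive mailbox or
    does not resemble one; it is not a guarantee that the mail is genuine."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in trusted:
        # Exact match with a known mailbox: nothing to flag at this layer.
        return []
    reasons = []
    trusted_names = {normalize_name(n) for n in trusted.values()}
    if normalize_name(display) in trusted_names:
        reasons.append(
            f"display name {display!r} belongs to an executive but "
            f"{addr} is not one of their addresses")
    for real_addr in trusted:
        d = edit_distance(addr, real_addr)
        if d <= max_distance:
            reasons.append(f"{addr} is {d} edit(s) away from {real_addr}")
    return reasons


if __name__ == "__main__":
    # Constructed headers illustrating the cases the check is meant to catch.
    samples = [
        "Jane Doe <jane.doe@example.com>",          # genuine mailbox
        "Jane Doe <jane.doe@examp1e.com>",          # digit 1 for letter l
        "Jane Doe <jdoe.private@freemail.example>", # real name, foreign address
        "IT Helpdesk <janedoe@example.com>",        # one period removed
        "Bob Smith <bob.smith@example.com>",        # unrelated colleague
    ]
    for header in samples:
        print(header, "->", flag_sender(header) or "no finding")
```

The distance threshold is deliberately small; raising it will start flagging legitimate colleagues whose addresses happen to be short (with a two-edit threshold, a real cfo@example.com would already collide with ceo@example.com unless it is itself listed in the directory, which is why every legitimate mailbox, not only the executives', should be in the exact-match list). This check only screens the visible header; it complements, and does not replace, the out-of-band verification and dual-approval controls discussed below.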

As the old saying goes, “Prevention is better than cure”. Among the preventive measures to consider, first and foremost is employee awareness of the existence of this type of fraud, with a reminder to be constantly vigilant, and routinely sceptical of any unusual request. These measures should be supplemented by the implementation of an internal control process aimed at preventing such frauds that provides for verifying the legitimacy of such requests, limiting access to sensitive information, strictly regimenting the delegation of authority for making transfers of funds and requiring two signatures for the approval of transfers over a certain amount. Consulting with an internal comptroller or other key person such as the company’s in-house counsel can prove essential for verifying the legitimacy of a transfer request. As the latter’s functions include protecting confidentiality, he or she is ideally suited for this role. A review of internal processes, with respect to both financial governance and information-technology systems, is critical. Companies should strive to limit the public disclosure of sensitive information, particularly on the internet and social media, which can be accessed from anywhere in the world. Consultation with legal services providers is essential for structuring the mechanisms that can help limit the risks involved.

In any event, if you believe that your company may have been victimized by such a scam, you should immediately notify your bank and your legal counsel. Filing a complaint with the police is also advisable. The sooner you act, the better chance you have of halting the fraudulent transfer and recovering the funds in question. Otherwise, the investigation of the incident will likely be long and costly, and your chances of a successful outcome fairly remote. That having been said, some arrests were notably made in 2015, including in Israel, in connection with such scams, and international investigations are ongoing in an attempt to eradicate or at least reduce this problem.