Business E-mail Compromise Alert
Over the past decade, there has been an escalating financial cyber threat called Business E-mail Compromise (BEC), often referred to as the “Man in the E-mail Scam.” The most recent statistical data from the FBI reveal more than $50 billion in domestic and international losses from October 2013 to December 2022. In the United States alone, there were more than 137,000 victims, with losses totaling more than $17 billion in that same period. As you can imagine from the dollars at stake, some of the scams are extremely sophisticated.
The scammers target both business and personal e-mail accounts. One variation in the real estate sector, which saw a 72% increase in victim losses from 2020 to 2022, involves the scammer hacking into an attorney’s e-mail account, monitoring communications, and then, at the opportune time, sending a bogus e-mail to opposing counsel requesting a wire transfer or a change in wire instructions directing funds to the scammer’s bank account, which is often in the name of either a made-up entity or a real person or entity acting as a money mule. While spoofing a legitimate e-mail address is prevalent, such as JohnSmith@ExampleCompany.com vs. JohnSmith@ExanpleCompany.com, scammers can also use spearphishing e-mails or malware designed to facilitate account takeover. If they take over your account, they can send e-mails from a legitimate business e-mail address, and they often will change account settings so that any replies automatically go into your deleted items, so you never see them. Once the funds are wired, the money is extremely hard to recover, even after just a day or two.
So, what can you do to protect yourself? For starters, you can ensure your system has two-factor authentication, but a lot of prevention involves using common sense. Never open an e-mail attachment from someone you do not know. Do not respond to any solicitations asking you to update or verify account information unless you have personally verified that the request is legitimate. Carefully examine and check the spelling in any e-mail addresses and URLs provided in connection with any financial matters, and verify all wire instructions by contacting a reliable source (you cannot rely upon a phone number provided in what might be a bogus payoff letter). When wiring money, you should also follow up with the recipient to make sure the funds were received so that days do not pass before you find out the wire was diverted.
If you do discover a fraudulent transfer, time is critical. First, you should immediately contact the financial institution that sent the wire to request a SWIFT recall along with any necessary indemnification documents. Such documents may vary by institution, but you will most certainly need to provide them. You should ask for the bank’s fraud department, and you should have all the necessary information surrounding the wire. You should then contact the recipient bank, request a freeze on the recipient account, and notify the parties to the transaction. Next, you should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), obtain an IC3 complaint number, and contact your local FBI office. You should also contact your local authorities, file a police report, and contact the Secret Service. The key is to stay vigilant and follow up with the banks to confirm the recall request has been processed.
In addition, you should notify your IT department so they can image the system for forensic purposes and then seek to determine the source of the breach. You should also contact your insurance carrier and consult with legal counsel.
In fact, given the numerous time-sensitive items that need to be addressed, you may want a trusted attorney to help guide the process, and Bernkopf can certainly assist. You should also review ALTA’s Rapid Response Plan for Wire Fraud Incidents, which provides a good overview of the recommended action items.
Jason A. Manekas may be reached by email at jmanekas@bernkopflegal.com or by phone at 617.790.3408.