Rash of Email Fraud Schemes Prompts FinCEN to Issue Advisory
A spate of email fraud schemes involving stolen consumer information and financial institutions being duped into conducting wire transfers has prompted the Financial Crimes Enforcement Network (FinCEN) to issue an advisory Sept. 6 in an effort to thwart the illegal activity.
This type of fraud, which involves impersonating victims, comes in two forms: Business Email Compromise (BEC), which targets banks’ commercial customers, and Email Account Compromise (EAC), which targets consumers’ personal accounts, according to FinCEN. BEC and EAC schemes depend on criminals instructing financial institutions (FIs) to execute wire transfers that often are irreversible, leaving banks and their customers unable to cancel payment or recall funds. “BEC and EAC schemes are among the growing trend of cyber-enabled crime adversely affecting financial institutions. Since 2013, there have been approximately 22,000 reported cases of BEC and EAC fraud involving $3.1 billion,” according to the advisory.
The advisory details different scenarios for BEC and EAC schemes; however, both share three steps:
- Fraudsters access a victim’s e-mail account through social engineering—tricking people into revealing information—or planting malware into a victim’s system. Criminals then use the victim’s e-mail account to obtain information on the victim’s financial institutions and account details, among other information.
- Criminals use the victim’s information to e-mail fraudulent wire transfer instructions to an FI as though it came from the victim. Fraudsters will use either the victim’s actual e-mail account or create a fake e-mail account resembling the victim’s e-mail.
- FIs are then tricked into conducting wire transfers that appear legitimate but are unauthorized. The fraudulent transaction instructions direct the wire transfers to the criminals’ domestic or foreign bank accounts. Banks in Asia—particularly in China—are common destinations for these transactions, according to FinCEN.
FinCEN suggests financial institutions employ a multi-faceted transaction verification process to guard against BEC and EAC fraud. For example, FIs can verify the authenticity of suspicious e-mailed transaction payment instructions by using multiple means of communication or by contacting others authorized to conduct the transaction. The agency also provides a list of red flags that signal potential fraud, including emailed transaction instructions that direct payment to a known recipient but with account information different from what was previously used, and emailed instructions that direct a wire transfer to a foreign bank account already documented in customer complaints as a destination for fraudulent transactions.
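As an added example that is not part of the advisory or this article, the following Python screens e-mailed wire instructions against the two red flags just described and routes any hit to out-of-band verification. The record fields, the payee history and the complaint list are constructed assumptions, not data from FinCEN.

```python
# Added example: screen e-mailed wire instructions against two FinCEN red flags.
# All records below are constructed sample data, not real accounts.
from dataclasses import dataclass


@dataclass(frozen=True)
class WireInstruction:
    customer: str      # account holder the e-mail purports to come from
    beneficiary: str   # payee named in the instruction
    bank_country: str  # country code of the receiving bank
    account: str       # receiving account identifier


# Accounts each (customer, beneficiary) pair has actually been paid to before.
KNOWN_PAYEES = {
    ("Acme Corp", "Widget Supply Ltd"): {"GB-1111"},
}

# Foreign accounts documented in customer complaints as fraud destinations.
COMPLAINT_ACCOUNTS = {("CN", "CN-9999")}


def red_flags(instr, known=KNOWN_PAYEES, complaints=COMPLAINT_ACCOUNTS):
    """Return the advisory red flags raised by one e-mailed instruction."""
    flags = []
    prior = known.get((instr.customer, instr.beneficiary))
    # Red flag 1: a known recipient, but account details differ from prior payments.
    if prior is not None and instr.account not in prior:
        flags.append("known payee, new account details")
    # Red flag 2: destination already reported in complaints as fraudulent.
    if (instr.bank_country, instr.account) in complaints:
        flags.append("destination documented in fraud complaints")
    return flags


def needs_out_of_band_verification(instr):
    """Hold the wire and confirm via a second channel if any flag fires."""
    return bool(red_flags(instr))


if __name__ == "__main__":
    sample = WireInstruction("Acme Corp", "Widget Supply Ltd", "GB", "GB-2222")
    print(red_flags(sample), needs_out_of_band_verification(sample))
```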