Esquemas de fraude en el correo electrónico
Page Article
El Business Email Compromise (BEC) es una sofisticada estafa que tiene como objetivo a las empresas que trabajan con proveedores extranjeros y/o empresas que realizan regularmente pagos por transferencia bancaria. La estafa se lleva a cabo comprometiendo cuentas de correo electrónico de empresas legítimas mediante técnicas de ingeniería social o de intrusión informática para realizar transferencias de fondos no autorizadas.
What to do IF & WHEN a BEC Occurs
Have a Business Continuity (BC) Plan for IF and WHEN a BEC occurs.
- IMMEDIATELY
- Contact your Banking team via Telephone AND email. KNOW WHO TO CONTACT, Sales, Service, ALL.
- Ensure ALL Employees have Banking CONTACT INFO.
- Inform Banking Team of the transaction. Have sufficient details to relay what transpired.
- Provide a screen shot of the outbound wire if possible.
- Once informed, Bank Team should alert the Corporate Fraud Division of the transaction.
- Beneficiary Bank
- Request that a wire recall be submitted. The financial institution should submit a wire recall on Customer’s behalf to the with a message indicating that the wire was unauthorized or as a result of a BEC. Action taken, is in an attempt to facilitate any recovery.
- Gather all relevant information associated with the business deal (i.e. wire instruction emails) to provide the Financial Institution’s Fraud Division and complete any unnecessary forms as requested (i.e. affidavits).
- Complete an online FBI, Internet Complaint Form (IC3) or contact the FBI directly immediately. You may file a police report with your local police department.
- IF and WHEN the financial institution successfully recovers funds (if available funds), funds will be returned to the originating account.
Desarrollar un plan de respuesta a los CEBs
Cuanto antes denuncie un ataque BEC, más posibilidades tendrá de recuperar las pérdidas. Asegúrese de tener un plan para notificar inmediatamente el fraude a su institución financiera.
- Para transferencias internacionales de más de 50.000 dólares, llame a su oficina regional del FBI(https://www.fbi.gov/contact-us/field-offices) y a la policía local. El FBI ofrece un proceso de Financial Fraud Kill Chain (FFKC) para ayudar a recuperar grandes transferencias internacionales robadas en Estados Unidos. El FFKC está pensado para ser utilizado como otra posible vía para que las instituciones financieras estadounidenses recuperen los fondos de las víctimas.
- Las transferencias electrónicas que se produzcan fuera de estos umbrales deben notificarse igualmente a las fuerzas del orden (http://www.ic3.gov/), pero el FFKC no puede utilizarse para devolver los fondos fraudulentos.
- El plan también debe incluir la participación rápida de su personal de TI y de seguridad de la información para determinar si ha habido un compromiso de la red o del correo electrónico.
- Prepare any reports and notifications required by regulation, law, or policy and deliver as appropriate.
- Prepare informes sobre las lecciones aprendidas y socialícelos según corresponda, de acuerdo con las políticas de respuesta a incidentes de su centro.
- Share incident details and lessons learned with appropriate management, board-level, or committee-level members.
- Implementar controles adicionales para minimizar el riesgo de futuros ataques.
How can you defend your company from BEC?
- Businesses are encouraged to enhance employee fraud awareness, to educate employees on how BEC scams and other similar attacks work. While employees are a company’s biggest asset, they can also be its weakest link when it comes to security. Commit to training employees, review company policies, and develop good security habits.
- Carefully scrutinize all emails. Be wary of unsolicited or irregular emails sent by high-level executives, as they can be used to trick employees into acting with urgency. Be extra cautious of emails requesting funds, to determine if the requests are out of the ordinary.
- Verify any changes in vendor payment instructions, by using a secondary sign-off by company personnel.
- Stay updated on customers’ habits, including the details, and reasons behind payments.
- Conduct call backs (numbers on file not email) on all payment requests.
- Prohibit access to personal emails from business computers. Personal email accounts are known for receiving spam emails that contain potential malware.
- Encourage employees to only use business computers for business use and refrain from visiting unknown sites.
- Conduct thorough verification of new business clients. Use caution with Customers, who only want to communicate via email and the WhatsApp application.
- Segregate employee job duties to avoid collusion.
- Secure your business network security and email accounts. Microsoft DUAL authentication should be enabled.
- If you have reason to believe that you are a victim of a BEC, contact your Bank as soon as possible and report the incident to the FBI and/or local police department.
- Obtain Cyber/Fraud Insurance Coverage.
Recomendaciones y mitigaciones
Mitigación no técnica
Seguridad de la ingeniería social
- Tenga cuidado con la información que comparte en línea o en las redes sociales. Al compartir abiertamente cosas como los nombres de las mascotas, las escuelas a las que asistió, los enlaces a los miembros de la familia y su cumpleaños, puede dar a un estafador toda la información que necesita para adivinar su contraseña o responder a sus preguntas de seguridad.
- Tenga cuidado con lo que publica en sitios de redes empresariales como LinkedIn y en el sitio web de su empresa, especialmente la información sobre quién tiene qué tareas específicas.
Formación y sensibilización
- Alertas para empleados y clientes sobre estafas de phishing dirigidas a organizaciones o grupos de interés específicos.
- Recordatorios de las políticas vigentes, como los cambios de cuenta.
- General information on phishing tactics posted to an organization web site or emails.
- Establezca un programa de pruebas para los empleados con intentos de phishing y BEC que parezcan provenir de sus líderes senior y socios comerciales de confianza.
Establecer la comunicación fuera de banda
- Utilice una forma de comunicación alternativa al correo electrónico, como una llamada telefónica, para verificar las transacciones que superen una determinada cantidad de dinero. Y establezca este proceso de verificación al principio de la relación comercial. No utilice el correo electrónico para establecer el proceso de verificación.
Normalizar la validación de los pagos y los cambios de cuenta
- Establish with your customers and business partners how changes in account information will be communicated and validated. Also, confirm how you expect them to validate changes to your banking information.
Confirmar los cambios significativos o fuera de norma
- Tenga cuidado con los cambios repentinos en las prácticas comerciales. Por ejemplo, si un proveedor pide repentinamente que se le contacte en una dirección de correo electrónico personal cuando toda la correspondencia oficial anterior ha sido en un correo electrónico de la empresa, verifique por otros canales que sigue comunicándose con su socio comercial legítimo.
- Tenga especial cuidado si el solicitante le presiona para que actúe con rapidez.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.
- Esté atento a las solicitudes sospechosas, como un cambio en el lugar de pago de un proveedor.
- Siga los controles para la validación de la información de pago nueva o revisada.
- Exprese su preocupación si un pago le parece sospechoso, incluso después de realizar una devolución de llamada.
- Sospeche mucho si un proveedor ofrece razones vagas para los cambios en una cuenta nueva, como auditorías fiscales o eventos actuales, por ejemplo, "Debido a COVID-19, necesitamos actualizar nuestra información de pago..."
Crear una política de medios sociales
- Construct, implement and enforce a social media policy that prohibits sharing details about company roles and responsibilities, so cyber criminals cannot develop a picture of your corporate structure, including addresses to target your employees.
Envíe un correo electrónico a
- No hagas clic en nada de un correo electrónico o mensaje de texto no solicitado que te pida que actualices o verifiques la información de la cuenta. Busque el número de teléfono de la empresa por su cuenta (no utilice el que le proporciona un posible estafador). Busque el número en una fuente externa y llame a la empresa para preguntar si la solicitud es legítima.
- Compruebe periódicamente la configuración de las "reglas" de su cuenta para asegurarse de que nadie ha configurado el reenvío automático de sus correos electrónicos.
- Reenvío de correo electrónico frente a respuesta de correo electrónico. En lugar de pulsar el botón de respuesta en los correos electrónicos importantes, utiliza la opción de reenvío y escribe la dirección de correo electrónico correcta o selecciónala en tu libreta de direcciones para asegurarte de que estás utilizando la dirección de correo electrónico real.
- Tenga cuidado con las respuestas de fuera de la oficina que dan demasiados detalles sobre cuándo sus ejecutivos están fuera de la mezcla.
- Examine cuidadosamente la dirección de correo electrónico, la URL y la ortografía utilizada en cualquier correspondencia. Los estafadores utilizan pequeñas diferencias para engañar a su ojo y ganarse su confianza.
- Tenga cuidado con lo que descarga. No abra nunca un archivo adjunto de alguien que no conozca y desconfíe de los archivos adjuntos que le reenvíen.
- Evite hacer clic en enlaces o archivos adjuntos de remitentes desconocidos. Si lo hace, podría descargar malware en los ordenadores de su empresa, lo que le haría vulnerable a un hackeo.
Anti-phishing strategies for AI-written emails
- Sandboxing for Word documents and other attachments to keep them away from corporate networks.
- Web traffic inspection through a secure web gateway to protect both on-prem and remote users.
- Secure email gateways.
- Check URLs for malicious content or typosquatting.
- Deploy email security protocols such as DMARC, DKIM, and SPF, which help prevent domain spoofing and content tampering.
- Provide an easy way to report suspicious emails.
Qué buscar en un correo electrónico:
- Suspicious email address of the sender. The email address of the sender(s) can mimic legitimate businesses. Threat actors often leverage email addresses that resemble reputable organizations but alter or omit a few letters and numbers.
- Saludos y firmas genéricas. La falta de información de contacto en el bloque de la firma de un correo electrónico, o los saludos genéricos como "Señor/Señora" o "Estimado cliente" son fuertes indicadores de un correo electrónico de phishing.
- Faltas de ortografía y diseño. La estructura extraña de las frases, las faltas de ortografía, la mala gramática y el formato incoherente son fuertes indicadores de un posible intento de phishing.
- Spoofed websites and hyperlinks. When hovering a cursor over links in the body of an email, if links do not match, the link may be spoofed. Malicious variations from legitimate domains leverage different spellings or domains such as .net, vs .com. Other tactics include the usage of URL shortening services to conceal the true destination of links.
- Archivos adjuntos sospechosos. Los correos electrónicos no solicitados que piden a los usuarios que abran o descarguen archivos adjuntos son mecanismos habituales de entrega de malware.
Indicadores comunes (banderas rojas):
- Las instrucciones de transacción enviadas por correo electrónico dirigen el pago a un beneficiario conocido; sin embargo, la información de la cuenta del beneficiario es diferente de la que se utilizaba anteriormente.
- Las instrucciones de transacción enviadas por correo electrónico dirigen las transferencias a una cuenta bancaria extranjera que ha sido documentada en las quejas de los clientes como el destino de las transacciones fraudulentas.
- Las instrucciones de transacción enviadas por correo electrónico dirigen el pago a un beneficiario con el que el cliente no tiene un historial de pagos ni una relación comercial documentada, y el pago es de un importe similar o superior a los pagos enviados a beneficiarios a los que el cliente ha pagado históricamente.
- Las instrucciones de transacción enviadas por correo electrónico incluyen marcas, afirmaciones o lenguaje que designa la solicitud de transacción como "Urgente", "Secreta" o "Confidencial".
- Las instrucciones de transacción enviadas por correo electrónico se entregan de manera que la institución financiera tenga un tiempo u oportunidad limitados para confirmar la autenticidad de la transacción solicitada.
- Las instrucciones de transacción enviadas por correo electrónico proceden de un empleado del cliente que es una persona recién autorizada en la cuenta o es una persona autorizada que no ha enviado previamente instrucciones de transferencia.
- A customer’s employee or representative e-mails financial institution transaction instructions on behalf of the customer that is based exclusively on e-mail communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
- Un cliente envía por correo electrónico solicitudes de transacción para realizar pagos adicionales inmediatamente después de un pago exitoso a una cuenta que no ha sido utilizada previamente por el cliente para pagar a sus proveedores/vendedores. Este comportamiento puede ser coherente con un delincuente que intenta emitir pagos adicionales no autorizados al enterarse de que un pago fraudulento ha tenido éxito.
- A wire transfer is received for credit into an account; however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor while thinking the new account belongs to the known supplier/vendor, as described in the above BEC Scenario 3. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of e-mail-compromise fraud.
Mitigaciones técnicas
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it. TFA/MFA aims to protect users if authentication credentials have been captured. The nature of changing tokens limits the attacker's ability to leverage captured credentials.
- Evite las cuentas de correo electrónico gratuitas basadas en la web. Establezca un nombre de dominio de la empresa y utilícelo para crear direcciones de correo electrónico formales para sus empleados.
- Etiquete los correos electrónicos externos para evitar la suplantación de los empleados.
- Asegúrese de que los correos electrónicos procedentes de fuera de la organización se marcan automáticamente antes de ser recibidos.
- Prohibit automatic forwarding of emails to external addresses. Detect email inbox forwarding rules that send all or selected emails to an external email address.
- Add an email banner to messages coming from outside your organization. This is a simple way to highlight that extra scrutiny is needed for external emails. It can also identify when an adversary creates a fraudulent domain that looks similar to a healthcare and public health sector (HPH) legitimate domain.
- Prohibir los protocolos de correo electrónico heredados, como POP, IMAP y SMTP1, que pueden utilizarse para eludir la autenticación multifactor.
- Asegúrese de que los cambios en el inicio de sesión y la configuración del buzón se registran y se conservan durante al menos 90 días.
- Activar las alertas de actividades sospechosas, como los inicios de sesión en el extranjero.
- Enable security features that block malicious emails, such as anti-phishing and anti-spoofing policies.
- Configure el Marco de Políticas de Remitentes, el Correo Identificado por Claves de Dominio y la Autenticación de Mensajes Basada en el Dominio y la Conformidad para evitar la suplantación de identidad y validar el correo electrónico.
- Desactivar la autenticación de cuentas heredadas.
- Develop and maintain a policy on suspicious e-mails for end users; Ensure suspicious e-mails are reported.
- Aplicar parches/actualizaciones inmediatamente después del lanzamiento/prueba; desarrollar/mantener el programa de parches si es necesario.
- Implement an Intrusion Detection System (IDS); Keep signatures and rules updated.
- Implantar filtros de spam en las pasarelas de correo electrónico; mantener las firmas y reglas actualizadas.
- Block suspicious IP addresses at the firewall; Keep firewall rules updated.
- Implantar tecnología de listas blancas para garantizar que sólo se permite la ejecución de software autorizado.
- Implement access control based on the principle of least privilege.
- Implement and maintain anti-malware solutions.
- Llevar a cabo el endurecimiento del sistema para garantizar las configuraciones adecuadas.
- Desactivar el uso de SMBv1 (y todos los demás servicios y protocolos vulnerables) y exigir al menos SMBv2.
- Informe de autenticación y conformidad de mensajes basados en el dominio (DMARC). El protocolo DMARC permite a los propietarios de dominios especificar qué método de autenticación se utiliza al enviar correos electrónicos. DMARC ayuda a los receptores de correo electrónico a determinar si el supuesto mensaje "se ajusta" a lo que el receptor sabe sobre el remitente. Si no es así, se proporciona orientación sobre cómo manejar el mensaje.
- Proteja su dominio web. Considere la posibilidad de contratar una empresa que le notifique de los dominios web que se han registrado para que parezcan engañosamente como el suyo; los ciberdelincuentes pueden utilizar dominios parecidos en ataques BEC para engañar a sus empleados o socios comerciales para que desvíen fondos.
- Minería de datos. Minería de datos de informes de cajas de abuso/phishing y uso de la inteligencia obtenida para prevenir futuros ataques.
- Passwords.
- Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords.
- Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts.
- Regularly audit user passwords against common password lists, using free or commercial tools.
- Provide pragmatic advice to users on how to choose good passwords.
Procedimientos adecuados de devolución de llamadas
An appropriate process requires an employee, typically a payments staff member, to pick up the phone and validate new payment requests, requests to establish a new bank account, changes to payment instructions, and changes to contact information.
- Callbacks should be made to the actual person making the request using a phone number retrieved from a system of record when setting up a new account, processing a request for payment, changing payment instructions, or changing contact information. Be wary of vendors who frequently change payment instructions. Fraudsters will sometimes provide several different accounts to victims during a BEC fraud attempt. Confirm all of the account details, including the new account number.
- No confirme las instrucciones de pago sólo por correo electrónico. Realice siempre una devolución de llamada utilizando un número de teléfono de un sistema de registro a la persona que realiza la solicitud.
- Si la devolución de la llamada no forma parte actualmente del proceso de control de pagos de su empresa, intente ponerla en práctica o traslade el problema a alguien que pueda hacerlo.
- If you receive a call from your financial institution asking you to validate an unusual payment, take it seriously. It could be your last chance to stop a fraudulent payment before it’s too late. Double-check that your controls have been properly executed. Do not assume a callback has been performed. Pay close attention to the information provided and reconfirm that your organization performed all applicable controls, including a callback. It is common to confirm payments as valid only to later report them as fraudulent.
- Entienda que una vez que se ha liberado un pago, no hay garantías de que se recuperen los fondos.
- Mantenga sus datos de contacto actualizados por si su entidad financiera necesita ponerse en contacto con usted.
- Do not trust payment instructions provided by a business partner. Always validate that whoever is providing the instructions has performed a separate validating callback to the actual requestor.
Métodos BEC
- Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic. The spoofed emails can be made to look like they are coming from anyone. Scammers target employees with transactional authority (accounts payable, check signers, authorized individuals) or access to systems managing PII/W-2 data. Emails often display a sense of urgency culminating in a request for money transfers, data, or gift cards.
- Phishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes. Emails attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate or clicks on malicious attachments. This is an attempt by attackers to solicit personal information, such as account usernames and passwords, these fraudulent websites may also contain malicious code.
- Cloud-based email services. Cybercriminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cybercriminal to target victims using cloud-based services. Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure the mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account. Using the information gathered from compromised accounts, cyber criminals impersonate email communications between compromised businesses and third parties, such as vendors or customers, to request pending or future payments are redirected to fraudulent bank accounts. Cybercriminals frequently access the address books of compromised accounts as a means to identify new targets to send phishing emails. As a result, a successful email account compromise at one business can pivot to multiple victims within an industry.
While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled. Better protect yourself from BEC by taking advantage of the full spectrum of protections that are available. Depending upon the provider, cloud-based email services may provide security features such as advanced phishing protection and multi-factor authentication that is either not enabled by default or are only available at additional cost.
- Malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or sends messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information. This data is then used to avoid raising suspicions when a falsified wire transfer is submitted
- The bogus invoice scheme. A business in a long-standing relationship with a supplier is asked to wire funds for settling invoice payments to a fraudulent account. Emails sent to employees with transactional authority (accounts payable, check signers, authorized individuals). Threat actors may also send a link to what appears to be an invoice. The link may transmit sensitive information to the attackers or download malware. Threat actors target businesses with established relationships with a vendor or supplier. Leveraging fake invoices, threat actors request payment through social engineering to a financial account under their control.
- Fraude al director general. La cuenta de correo electrónico del director general es suplantada o pirateada, y se envía una solicitud de transferencia urgente de fondos al empleado encargado de procesar estas solicitudes o, a veces, directamente al banco. Se basa en que los empleados ejecuten las órdenes de la alta dirección sin cuestionarlas. Suele llevarse a cabo en circunstancias específicas, como cuando el director general está fuera de la oficina.
- Cuenta de correo electrónico de un empleado comprometida. La cuenta personal de un empleado -utilizada tanto para la comunicación personal como para la empresarial- es pirateada y explotada para enviar solicitudes a una lista de proveedores identificados a partir de su lista de contactos empresariales, solicitando el pago de facturas a una cuenta bancaria fraudulenta. Esta estafa es difícil de identificar a menos que un proveedor se ponga en contacto directamente con la empresa para solicitar el pago.
- Attorney impersonation. The con artists pose as lawyers or representatives of a law firm. They contact either an employee or the CEO of the company via phone call or email and claim to possess confidential information. They then push the target to act quickly or secretly in transferring funds. The scam usually takes place at the end of business days or weeks, when people are more vulnerable and ready to act quickly.
- Robo de datos. Se piratea la cuenta de correo electrónico de un empleado y se utiliza para enviar una solicitud a otro empleado de recursos humanos, en la que no se pide dinero, sino información personal identificable (PII) o declaraciones de impuestos.
- Gift card. In a typical example, a victim receives a request from their management to purchase gift cards for a work-related function or as a present for a special personal occasion. The gift cards are then used to facilitate the purchase of goods and services which may or may not be legitimate. Some of these incidents are combined with additional requests for wire transfer payments. Sectors including technology, real estate, legal, medical, distribution and supply, and religious organizations have been targeted by this scam.
- Direct deposit: In this variant, the scammers pose as the victim and email a direct deposit change request to the finance or human resources department. This results in the employee's paycheck being redirected to an account controlled by the scammer.
- Vendor account change request: This variant is similar to the Direct Deposit Variant, although the request spoofs a vendor and requests the State, local, tribal, and territorial governments (SLTT) government modifies the vendor’s payment account. The next payment to the vendor is then sent to the updated account number, which belongs to the scammer.
- Vendor purchase order: In this scheme, the scammers obtain publicly available purchase order forms and change the contact details on the forms to include different telephone numbers and email addresses. Occasionally, scammers create copycat websites to authenticate the contact information included on fraudulent purchase orders. The scammers submit the purchase order to a vendor, have the goods shipped, and sell them for profit while the bill goes to the affected entity.
- Financial theft: In this variant, the scammers pose as an employee or senior official and request the department immediately wires money for a special purpose. Occasionally, the spoofed email will not directly reference a wire transfer, but rather specified that "transactions" need to be "set up and processed."
Esquemas de compromiso de cuentas de correo electrónico (EAC)
A diferencia de los BEC, los esquemas EAC se dirigen a los individuos en lugar de a las empresas. Los individuos que realizan grandes transacciones a través de instituciones financieras, entidades de crédito, empresas inmobiliarias y bufetes de abogados son los objetivos más probables de este tipo de esquema. Los esquemas EAC suelen adoptar las siguientes formas:
- Lending/Brokerage Services: A criminal hacks into and uses the e-mail account of a financial services professional (such as a broker or accountant) to e-mail fraudulent instructions, allegedly on behalf of a client, to the client’s bank or brokerage, to wire-transfer client’s funds to an account controlled by the criminal.
- Real Estate Services: A criminal compromises the e-mail account of a realtor or of an individual purchasing or selling real estate, for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternately, criminals hack into and use a realtor’s e-mail address to contact an escrow company, instructing it to redirect commission proceeds to an account controlled by the criminal.
- Legal Services: A criminal compromises an attorney’s e-mail account to access client information and related transactions. The criminal then e-mails fraudulent transaction payment instructions to the attorney’s financial institution. Alternatively, the criminal may compromise a client’s e-mail account to request wire transfers from trust and escrow accounts the client’s attorney manages.
BEC y criptomonedas
A cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.
Currently, there are two known iterations of the BEC scam where cryptocurrency was utilized by criminals. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
- A direct transfer to a cryptocurrency exchange (CE) - This scenario is where the fraudster alters wire transfer info and redirects payment to a cryptocurrency exchange (CE).
- "Second Hop" transfer to a cryptocurrency exchange (CE) - Uses victims of other cyber-enabled scams such as Extortion, Tech Support, and Romance Scams. Often, these individuals provided copies of identifying documents such as driver's licenses, passports, etc., that are used to open cryptocurrency wallets in their names. This scenario is where the fraudster opens a cryptocurrency wallet in another fraud victim's name. The fraudster then alters a wire transfer in a BEC scam and sends the funds to the other victim's falsified cryptocurrency account and cashes out. Making it hard to trace the movement of funds.
Esquemas de compromiso de cuentas de correo electrónico (EAC)
Los esquemas BEC y EAC son similares y, por lo tanto, pueden mostrar un comportamiento sospechoso similar, que puede ser identificado por una o más de las siguientes banderas rojas:
- Las instrucciones de transacción aparentemente legítimas de un cliente enviadas por correo electrónico contienen un lenguaje, un calendario y unos importes diferentes a los de las instrucciones de transacción previamente verificadas y auténticas.
- Las instrucciones de la transacción proceden de una cuenta de correo electrónico muy parecida a la de un cliente conocido; sin embargo, la dirección de correo electrónico ha sido ligeramente alterada añadiendo, cambiando o eliminando uno o más caracteres.
- Multiple sets of wire instructions or change of wiring instructions provided. WIRE INSTRUCTIONS SHOULD NEVER CHANGE!
- Poor grammar or odd use of terms / phrases used in the body of the email.
- Sense of urgency – funds must be wired immediately.
- Seller contacts Title Company via email, with payment instruction changes as opposed to the lender.
- Recipient bank account doesn’t make sense.
- Payee not a party to the transaction
- Payee is law firm not involved in the transaction
- Payee in an unrelated location (another state)
- Beneficiary Bank is not a local bank
- Email sent outside of normal business hours or using 24-hour clock (22:00 hrs. instead of 10:00pm).
- Unexpected email with link to a document – likely a link with malware.
- Sender’s email is similar to the legitimate email address. The changed email address could be often subtle (hover cursor over email address).
Por ejemplo:
- Dirección de correo electrónico legítima - john-doe@abc.com
- Direcciones de correo electrónico fraudulentas - john_doe@abc.com, john-doe@bcd.com
Example of a Typical Business Email Compromise Case:
Customer initiates a $250,000 wire to Beneficiary Bank to a Lender. Proceeds are for a Mortgage Pay-off and are to be received by the Mortgage Lender. After a period of time, the Customer is contacted by the Lender, informing them of non-receipt of the loan payoff. Customer then contacts the Bank 30 days later, indicating that they believed they were a victim of a fraud and request a wire recall. The Beneficiary Bank could not honor the wire recall, because there were no longer funds in the Beneficiary Bank Account. The Customer incurs the loss of $250,000.
How the Scam was Executed: Prior to the closing, the Customer receives a Modified Closing Document (CD) via email from whom he thinks, is the Buyer/Borrower. The person(s) impersonating the Borrower indicates that the Lender was going to be sending via FAX a modified CD “as a result of a payoff error” (Red Flag). The Fraudster also claims the payoff amount would remain the same. The impersonator sends via email, the modified CD to the Customer. The wire is processed with the new instructions and sent to a bank account controlled by the Fraudster(s), per the fraudulent wire instructions. As mentioned, after 30 days, the Lender contacts the Customer to verify the status of the payoff. At this point it is determined that the updated instructions were not sent from the Borrower’s legitimate email, as it was spoofed by the Fraudster.
Account Take Overs can result from the compromise of account credentials and email accounts.
Case Scenario: Fraudster has obtained the account number and online banking log in credentials. They have also compromised the customer’s email account. They change the password on the account, with the verification code being sent to the email address on file. The fraudster has taken over the email account and can intercept bank authorization codes. Once the fraudster has access to the account, they can originate a payment (i.e., wire, ACH) and have the passcode sent to the email address on file. In some cases where dual control of wires is in place, the fraudster may steal the credentials of both employees.
How could this happen?
- Shared credentials
- Microsoft Outlook dual authentication disabled
- Malware
- Phishing
- Dual Control is not really dual control (one person)
- Lax security
There has been a recent move to go back to utilizing FAXING as a method of sharing and obtaining banking and wire information between Settlement Agents and Buyers/Sellers. Although using FAX technology may negate systemic hacking, remember that if email exchange was used in any part of the communication chain, using faxes to share banking information is open to cyber fraud.
Case Study
- Prior to closing, Seller of property communicated via email with the Title/Settlement Company on obtaining their FAX number to provide Loan Payoff Information for their loan.
- 2 weeks prior to the closing the Seller faxed the Pay Off Information they received from their Lender directly to the Settlement Company. Banking Information included the account title: Payoff Clearing Account
- 2 Days prior to the Closing the Settlement Company received an updated FAX “From the Seller” which had a change to the pay Off Account Number and Information at the same Lender Bank: Payoff Toneberg Enterprise
- Settlement Company used the banking information from the second FAX and wired $390,000.00 to the Lender Bank to “Pay Off” the Seller’s Mortgage.
- Cyber Fraudsters compromised the Seller’s email account and followed the communication between the Settlement Company and The Seller. They gained access to the original payoff letter the Seller received from the Lender and created an exact duplicate of the original FAX. The second FAX made no reference of being an update.