It’s a business’ worst nightmare. An e-mail scam directed at one of or several unknowing finance employees wreaks havoc on a company’s bottom-line leading to thousands or potentially millions of dollars in losses. Unfortunately, scams like and similar to this happen far too often all over the world and Cambridge is no exception.
Earlier this month, a company based in Kendall Square was schemed out of more than $300,000 through an e-mail scam. A financial controller received multiple e-mails believed to be from the company’s CEO asking to wire more than $300,000 in three separate wire transfers to an overseas bank. Believing that the e-mail was authentic, money was wired and it wasn’t until the employee and the CEO spoke to one another in person that the company became aware of the scam. Within the past year, Cambridge Police Detectives also worked an e-mail scam that cost a Cambridge Park Drive company approximately $1.5 million and another on First Street that was nearly $250,000.
The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The victims of the BEC scam range from small to large businesses. These businesses may purchase or supply a variety of goods, such as textiles, furniture, food, and pharmaceuticals. This scam impacts both ends of the supply chain, as both supplies and money can be lost and business relations may be damaged. Between October 1, 2013 and December 1, 2014, the FBI estimates that businesses lost approximately $215 million due to e-mail schemes.
It is still largely unknown how victims are selected; however, the subjects monitor and study their selected victims prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc.).
CHARACTERISTICS OF BEC COMPLAINTS
The Internet Crime Complaint Center (IC3) has noted the following characteristics of BEC complaints:
Businesses and personnel using open source e-mail are most targeted.
Individuals responsible for handling wire transfers within a specific business are targeted.
Spoofed e-mails very closely mimic a legitimate e-mail request.
Hacked e-mails often occur with a personal e-mail account.
Fraudulent e-mail requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
Victims report that IP addresses frequently trace back to free domain registrars.
SUGGESTIONS FOR PROTECTION
The Cambridge Police Department and IC3 suggest the following measures to help protect you and your business from becoming victims of the BEC scam:
Avoid Free Web-Based E-Mail: Establish a company web site domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchal information, and out of office details.
Be suspicious of requests for secrecy or pressure to take action quickly.
Consider additional IT and Financial security procedures and 2-step verification processes. For example –
Make sure all company software is up-to-date with all security patches being updated and installed.
Make sure anti-virus and malware softwares are installed and regularly updated.
Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
Digital Signatures: Both entities on either side of transactions should use digital signatures. However, this will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
Delete Spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
Forward vs. Reply: Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
Consider enabling two factor authorization at a bank for issuing checks, ACH payments or wire transfers.
Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been on a company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
If your business has been victimized, please report it immediately and the Cambridge Police will collaborate with the appropriate agencies to attempt and recover your funds. If you would like to learn more about protecting your business from these crimes, please contact the Cambridge Police Business Outreach team at 617-349-3236 or e-mail communityrelations@cambridgepolice.org.
This post was shared with us by our friends at the Harvard Square Business Association.