Defending against business email compromise is more relevant than ever in the current environment. COVID-19 has led to a rise in phishing activity and scams. With many people working from home, some for the first time, we recommend you use multiple communication channels to confirm critical details prior to initiating any exchange of information or transaction.
With the typical homebuyer paying 20% of the purchase price via wire transfer, property transactions have become a lucrative way for fraudsters to engage in business email compromise (BEC). In these sophisticated schemes, criminals compromise and use email accounts to trick unsuspecting victims into transferring funds or providing ‘personally identifiable information’, such as Social Security and bank account numbers. In the real estate industry alone, the FBI noted a 1,100% rise from 2015 to 2017 in the number of reported BEC victims, including title companies, law firms, real estate agents, buyers and sellers.
Often, the fraudster will infiltrate a real estate company’s email system and send an email to the client with new wire instructions. Thinking they are coming from the agent, the client follows the new instructions, and the funds are sent to a fraudulent account. Usually, the funds are immediately depleted or sent to another account, making recovery difficult.
In July 2018, the FBI reported that between October 2013 and May 2018 businesses and individuals around the world lost $12.5 billion to BEC. The problem is only getting worse. Between December 2016 and May 2018, the identified global exposed losses from BEC jumped 136%. The scam has been reported in all 50 states and in 150 countries. Large companies have acknowledged losing $100 million in BEC schemes. No one is immune — victims also include small and medium companies.
The ongoing battle
Modern BEC scams are more sophisticated than the get-rich-quick email scams we’re all familiar with. After criminals gain access to an email account, they’ll often wait patiently for an email that identifies a financial deal, such as an escrow payment, and attempt to reroute the money.
The amount of valuable information in email can be surprising. Details about business partner relationships, ongoing wire transactions, future purchases, third-party invoices or business acquisitions can be a gold mine for criminals.
Over the past two years, the tactics and social engineering elements of BEC attacks have become increasingly advanced. A criminal will fabricate a long email thread between a title company and an agent that is designed to look as if they have conversed for weeks on the matter. Because these crafty and meticulous schemes look authentic, they can fool even the most discerning people.
Watch for attempts to pressure you
In the real estate industry alone, the FBI has noted a 1,100% rise in the number of reported BEC victims, including title companies, law firms, real estate agents, buyers and sellers. Often, the recipient of a fake email will be asked to change the payment instructions to divert the funds to a fraudulent account. Usually, the funds are immediately depleted or sent to another account, making recovery difficult.
BEC fraudsters often try to trick people into acting quickly. A message from a fraudster posing as a title company may tell a buyer that they need a wire transfer done immediately to make sure the transaction goes through. In another scenario, a criminal pretending to be a company lawyer handling a time-sensitive issue will send an email at the end of the workday or week, putting even more pressure on the recipient to act hastily. These schemes also tend to occur at the end of the day or on a Friday before a long weekend.
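The pressure signals described above (a change of payment instructions, urgent wording, and delivery late in the day or on a Friday) can be checked automatically before a message reaches whoever releases funds. The following is an added example, not part of the original article; the function names, the phrase lists and the 16:00 cut-off are assumptions chosen for illustration.

```python
import re
from email import message_from_string, policy

# Phrase lists are illustrative assumptions, not a vetted detection ruleset.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed|revised)\s+(wire|wiring|payment|bank(ing)?)\s+"
    r"(instructions|details)\b", re.I)
URGENCY = re.compile(r"\b(immediately|urgent(ly)?|right away|asap)\b", re.I)

def bec_signals(raw, late_hour=16):
    """Return the pressure signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (part.get_content() if part else "")
    signals = []
    if PAYMENT_CHANGE.search(text):
        signals.append("payment-instruction-change")
    if URGENCY.search(text):
        signals.append("urgency")
    date = msg["Date"]
    if date and date.datetime:
        sent = date.datetime  # sender's clock, per the header's UTC offset
        if sent.hour >= late_hour:
            signals.append("end-of-day")
        if sent.weekday() == 4:  # Monday is 0, so 4 is Friday
            signals.append("friday")
    return signals

def needs_callback(raw):
    """Any change of payment details must be confirmed by phone; a compromised
    real account passes every sender check, so the content is what gets gated."""
    return "payment-instruction-change" in bec_signals(raw)

# Constructed sample messages (not real mail).
SAMPLE_SUSPICIOUS = (
    "From: Escrow Officer <officer@title.example>\n"
    "Date: Fri, 25 May 2018 16:47:00 -0700\n"
    "Subject: Re: Closing on Monday\n"
    "\n"
    "Please use the updated wire instructions below. The transfer must go\n"
    "out immediately to keep the closing on schedule.\n"
)
SAMPLE_ROUTINE = (
    "From: Escrow Officer <officer@title.example>\n"
    "Date: Tue, 22 May 2018 10:15:00 -0700\n"
    "Subject: Signed disclosure\n"
    "\n"
    "The signed disclosure is attached for your records. No action is needed.\n"
)
```

Because the sender in these schemes is often a genuinely compromised account, the check keys on what the message asks for rather than who appears to have sent it, and a hit should trigger a phone call to a number already on file, not a reply to the email.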
Organizations with a concrete hierarchy are often more susceptible to fraud, since criminals count on the degrees of separation to cause junior employees to carry out email orders from higher-ups without verbal validation. In flat organizations, employees are more likely to go around the corner or pick up the phone to validate information or requests.
Protect yourself against BEC scams
With the rapid increase and potentially devastating consequences of BEC, companies and individuals should take steps to ward off such schemes.
Provide clear client instructions
Give your clients a printed copy of wiring instructions. Let them know that you will never send changes to wiring instructions via email, but will call instead. Consider putting a note in your email signature that reminds clients to be aware of wire fraud and reach out with questions.
Institute an internal security training program
Having a comprehensive anti-phishing training program can address the weakest link in the chain — making sure employees are not easily fooled. You can have a million security controls, but they can be circumvented by one person being tricked.
Choose the right vendors
It’s important to select email vendors that provide services to block malware and email imposters prior to delivery.
Tighten access to email accounts
An effective way to deter BEC is to use two-factor authentication (sometimes called multi-factor authentication) to protect your email account. In general, there are three ways to authenticate an account: something you know (for example, a password), something you are (for example, a retina scan or thumbprint), or something you have (for example, a hard token). If you use more than one of these authentication factors, thieves will have a much harder time gaining control of your account.
Practice good online habits
Certain commonsense practices can help keep you safe. Avoid using public Wi-Fi and never open an email attachment from someone you don’t know, even if it looks like a legitimate business transaction.
Verbally verify payment instructions
By requiring mandatory verbal confirmation for payment instructions (especially for new payees) or administrative changes to things like phone numbers and email addresses, you can dramatically decrease the chance of becoming a victim of BEC.
Restrict approval rights
The number of people who are authorized to approve wire transfers and money movements should be limited to only those who are absolutely necessary.
If you do get caught by a BEC scam, it’s critical to take fast action. Immediately contact your financial institution and request that the funds be recalled. Next, report the incident to your local FBI office, which may be able to assist in the recovery efforts.
Here's how First Republic can help
At First Republic, we consider our clients’ safety and security to be of the utmost importance. We offer our clients tools to help keep their accounts safe. We can conduct on-site security awareness sessions to help organizations learn how to avoid the latest BEC tactics. We can also visit your office or home to provide an Internet Security Health Check, a complimentary security assessment of computers used for online banking with First Republic.
For more information about these services or for any questions or concerns about cybersecurity, please get in touch.