On July 16, the U.S. Financial Crimes Enforcement Network (FinCEN) announced that it is undertaking “new efforts to curtail and impede Business Email Compromise (BEC) scammers and other criminals who profit from their schemes.” BEC schemes, as FinCEN explained, “generally entail criminal attempts to compromise the email accounts of victims to send fraudulent payment instructions to financial institutions or business associates in order to misappropriate funds or to assist in financial fraud.”
FinCEN concluded, after analyzing Suspicious Activity Reports (SARs) that it had received, that “hackers and other illicit actors’ BEC scams generated more than $300 million a month in 2018, with a cumulative total exceeding billions of dollars stolen from businesses and individuals.” Its latest Financial Trends Analysis found that the number of SARs describing BEC incidents
has grown rapidly, averaging nearly 500 per month in 2016, and above 1,100 per month in 2018. The total value of attempted BEC thefts, as reported in SARs, climbed to an average of $301 million per month in 2018 from only $110 million per month in 2016.
The Analysis also identified the following trends:
- Targeted Sectors: Manufacturing and construction was the most targeted sector in both 2017 and 2018, representing 20 percent of all analyzed transactions in 2017 and 25 percent in 2018. Commercial services (such as shopping centers, entertainment facilities, and lodging) increased more than other industries, up from 6 percent of reported incidents in 2017 to 18 percent in 2018. In addition, “financial firms are the most frequently targeted firms in New York, while manufacturing and construction firms are the most frequently targeted in Texas.”
- Use of Domestic Financial Accounts: “In approximately 73 percent of incidents in 2017, funds were sent or attempted to be sent to domestic accounts, likely controlled by money mules. These destinations likely represent intermediate hops in a money laundering process, based on FinCEN’s analysis of BEC networks and recent law enforcement insights on use of money mules in other scams.
- Evolution of BEC Methods: The Analysis stated that “BEC scam methods have evolved over time.” For example, impersonating a CEO or other high-ranking business officer declined from 33 percent of sampled incidents in 2017 to 12 percent in 2018, while use of fraudulent vendor or client invoices increased from 30 percent of sampled incidents in 2017 to 39 percent in 2018. FinCEN observed that the average transaction amount for BEC impersonation of a vendor or client invoice was $125,439, compared to $50,373 for CEO impersonation. “Despite representing 30 percent of total transactions, BEC fraud using a fraudulent vendor invoice accounted for 41 percent of total transaction amounts, ranking the highest among the scam typologies observed.”
In response to the threat that BEC schemes pose to companies and financial institutions, FinCEN also announced a number of measures that it is taking. These include issuance of an update to its 2016 advisory to financial institutions on BEC schemes; the operation of its Rapid Response Program, which, in collaboration with law enforcement, recently exceeded $500 million in recovered BEC-related funds; and having its FinCEN Exchange Forum, which brings together law enforcement and financial institutions from across the country to share information, conduct a meeting that focused “on identifying and combatting potential BEC and resultant money laundering and terrorist financing activities.”
Note: Financial-crimes compliance teams at companies and financial institutions should take note of the trend data in the Financial Trends Analysis, particularly the increased use of fraudulent vendor or client invoices. Compliance officers should share that information with their finance departments and confer with them about their invoice reconciliation and validation processes, including for emails or telephone calls purportedly from a senior executive or “trusted” third party who insists on an immediate wire transfer to pay an invoice for five-six-, or even seven-figure amounts. If leading companies such as Google and Facebook can lose vast amounts to BEC invoice schemes, so can any firm that does not maintain constant vigilance for such schemes.