For more than a decade, one of the most persistent and successful online fraud schemes has been the business email compromise (BEC) scheme. BEC schemes typically involve two phases: (1) the use of phishing or hacking techniques to obtain identifying information about executives in a particular business or other organization; and (2) the use of “social engineering” techniques to persuade someone with appropriate authority in that business to issue and send checks to scheme members, or to make outbound wire transfers to bank accounts that members of the scheme have established. BEC schemes are also often linked to other types of online fraud directed at individuals, such as romance schemes, employment-opportunity schemes, and lottery schemes.
BEC schemes have proved fairly simple and highly profitable for cybercrime operations. The APWG’s most recent quarterly report on phishing schemes stated that the average wire transfer attempt in BEC attacks is increasing, from $54,000 in the first quarter this year to $80,183 in the second quarter – a 48.4 percent increase. One particular Russian BEC operation reportedly has sought an average of $1.27 million from its corporate victims.
Based on information from a limited number of U.S. criminal investigations, participants in BEC schemes for the most part appear to range in age from their mid-twenties to mid-forties. A recent arrest by police in the Australian state of Queensland, however, shows that older persons may also become involved in BEC schemes.
In this case, Queensland police arrested a 65-year-old Brisbane accountant on charges of money laundering, for her role in a series of BEC schemes in which at least seven organizations and individuals, including senior care providers and a superannuation (pension) fund, were deceived into sending more than AU$3.3 million offshore. One victim reportedly lost AU$1.1 million.
According to the police, the accountant, who had no relation to the victims, received her instructions online from hackers. She allegedly caused fraudulently obtained funds to be transferred into at least 50 Australian bank accounts before she directed the money offshore. A police search found a number of computers and mobile phones that she allegedly used to facilitate money laundering.
While there has been no trial or conviction in this particular case, the initial report of the arrest provides a timely reminder of key points that businesses and individuals should bear in mind to protect themselves against BEC schemes:
- Never give out personal or company information to any caller when you don’t know the caller.
- Just because an incoming email purports to come from a person in authority, such as a senior executive in your company, does not mean that it actually came from that person. Hovering over the sender’s name with your mouse or touchpad, or pressing “reply” (without actually sending a reply), can reveal the true email address behind the displayed name.
- Just because a caller’s voice sounds like he or she could be a real person within a company tells you nothing about whether he or she is that real person. Trust only the voices of people you know personally. To protect your company from possible BEC schemes, the company should also establish points of contact with the third parties or vendors with which it regularly deals, so that requests for outbound funds transfers can be confirmed by voice-to-voice communication.
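The second point above describes a manual check: look past the displayed name to the real sender address. The same check can be automated at the mail gateway or in a triage script. The following is an added example written for this article, not code from the article's author or from any referenced product; it uses only Python's standard library and parses a message's `From` and `Reply-To` headers to surface the real address, a lookalike domain, and a reply address that differs from the visible sender. The domains, addresses and messages below are constructed placeholders, and `TRUSTED_DOMAINS` is an assumed configuration value.

```python
# Added example, not part of the original article.
# Surface the "true" sender address hidden behind a display name and flag
# the header patterns that commonly accompany BEC requests.
import email
from email import policy
from email.utils import parseaddr

# Assumed configuration: domains the organisation treats as its own
# (placeholder value, not from the article).
TRUSTED_DOMAINS = {"examplecorp.com"}

def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def analyze_sender(raw_message: bytes, trusted_domains=TRUSTED_DOMAINS) -> dict:
    """Parse one RFC 5322 message and report BEC warning signs in its headers."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(from_addr)
    reply_domain = _domain(reply_to)

    findings = []
    # 1. The real address is outside the organisation, whatever the name says.
    if from_domain and from_domain not in trusted_domains:
        findings.append(f"From domain '{from_domain}' is not a trusted domain")
        # 2. Lookalike: an untrusted domain that embeds the trusted name
        #    (e.g. examplecorp-mail.com imitating examplecorp.com).
        for trusted in trusted_domains:
            if trusted.split(".")[0] in from_domain:
                findings.append(f"From domain '{from_domain}' resembles '{trusted}'")
    # 3. Replies would go somewhere other than the visible sender.
    if reply_to and reply_domain != from_domain:
        findings.append(f"Reply-To '{reply_to}' differs from From '{from_addr}'")
    # 4. The display name is itself an email address that does not match.
    if "@" in display_name and display_name.lower() != from_addr.lower():
        findings.append(f"Display name '{display_name}' masks '{from_addr}'")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "reply_to": reply_to,
        "findings": findings,
    }

# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = (
    b"From: Jane Doe <jane.doe@examplecorp.com>\r\n"
    b"To: payments@examplecorp.com\r\n"
    b"Subject: Q3 invoices\r\n\r\n"
    b"Please process the attached invoices.\r\n"
)
SUSPECT_MESSAGE = (
    b'From: "Jane Doe (CEO)" <jane.doe@examplecorp-mail.com>\r\n'
    b"Reply-To: jane.doe.ceo@webmail.example\r\n"
    b"To: payments@examplecorp.com\r\n"
    b"Subject: Urgent wire today\r\n\r\n"
    b"I need a wire sent before close of business.\r\n"
)

if __name__ == "__main__":
    for raw in (LEGIT_MESSAGE, SUSPECT_MESSAGE):
        report = analyze_sender(raw)
        print(f"{report['display_name']!r} -> {report['from_address']}")
        for finding in report["findings"] or ["no header warning signs"]:
            print("  -", finding)
```

A clean header report is not a clearance: the visible `From` address can be forged outright, so a message that passes every check here still deserves the voice-to-voice confirmation the third point recommends before any funds transfer is made.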