Australian Accountant Arrested for Role in Business Email Compromise Schemes

For more than a decade, one of the most persistent and successful types of online fraud has been the business email compromise (BEC) scheme.  BEC schemes typically involve two phases: (1) the use of phishing or hacking techniques to obtain identifying information about executives in a particular business or other organization; and (2) the use of “social engineering” techniques to persuade someone with appropriate authority in that business to issue and send checks to scheme members, or make outbound wire transfers to bank accounts that members of the scheme have established.  BEC schemes are also often linked to other types of online fraud directed at individuals, such as romance schemes, employment-opportunity schemes, and lottery schemes.

BEC schemes have proved fairly simple and highly profitable for cybercrime operations.  The APWG’s most recent quarterly report on phishing schemes stated that the average wire transfer attempt in BEC attacks is increasing, from $54,000 in the first quarter this year to $80,183 in the second quarter – a 48.4 percent increase.  One particular Russian BEC operation reportedly has sought an average of $1.27 million from its corporate victims.

For the most part, participants in BEC schemes, based on information from a limited number of U.S. criminal investigations, appear to range in age from mid-twenties to mid-forties.  A recent arrest by police in the Australian state of Queensland, however, shows that older persons may also become involved in BEC schemes.

In this case, Queensland police arrested a 65-year-old Brisbane accountant on charges of money laundering, for her role in a series of BEC schemes in which at least seven organizations and individuals, including senior care providers and a superannuation (pension) fund, were deceived into sending more than AU$3.3 million offshore.  One victim reportedly lost AU$1.1 million.

According to the police, the accountant, who had no relation to the victims, received her instructions online from hackers.  She allegedly caused fraudulently obtained funds to be transferred into at least 50 Australian bank accounts before she directed the money offshore.  A police search found a number of computers and mobile phones that she allegedly used to facilitate money laundering.

While there has been no trial or conviction in this particular case, the initial report of the arrest provides a timely reminder of key points that businesses and individuals should bear in mind to protect themselves against BEC schemes:

  • Never give out personal or company information to any caller when you don’t know the caller.
  • Just because an incoming email purports to come from a person in authority, such as a senior executive in your company, does not mean that it actually came from that person.  Hovering over the incoming email address with your mouse or touchpad, or pressing “reply” (without actually sending a reply) to that email address, can reveal the true address of the sender.
  • The fact that a caller’s voice sounds like he or she could be a real person within a company tells you nothing about whether he or she is that real person.  Trust only the voices of people you know personally.  To protect your company from possible BEC schemes, the company should establish points of contact with third parties or vendors with which the company regularly deals, to allow voice-to-voice communications regarding requests for outbound funds transfers.
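
The second check above (comparing the name an email displays with the address it actually came from, and with the address a reply would go to) can also be automated at the mail gateway. The following is an added example, not part of the original post; `COMPANY_DOMAINS`, `EXECUTIVES`, the flag names and the sample messages are constructed assumptions.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: the organization's own mail domains and the
# executives whose names are most likely to be borrowed in a payment request.
COMPANY_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe"}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def is_lookalike(domain):
    """True for a near-miss of a company domain (e.g. one swapped character)."""
    return domain not in COMPANY_DOMAINS and any(
        SequenceMatcher(None, domain, own).ratio() >= 0.85
        for own in COMPANY_DOMAINS)

def sender_flags(raw_message):
    """Return the reasons a message's claimed sender deserves a second look."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    flags = []
    # What "hovering over the address" reveals: an executive's name shown
    # in front of an address that is not on a company domain.
    if display.strip().lower() in EXECUTIVES and from_dom not in COMPANY_DOMAINS:
        flags.append("executive-name-external-address")
    if is_lookalike(from_dom):
        flags.append("lookalike-domain")
    # What "pressing reply" reveals: replies would go to a different domain.
    if reply_addr and reply_dom != from_dom:
        flags.append("reply-to-domain-differs")
    return flags

# Constructed sample messages (not real traffic).
LEGIT = ("From: Jane Doe <jane.doe@example.com>\n"
         "Subject: Q3 budget\n\nDraft attached.\n")
SPOOFED_NAME = ("From: Jane Doe <jd.office@mailbox.test>\n"
                "Subject: Urgent wire\n\nPlease process today.\n")
LOOKALIKE = ("From: Jane Doe <jane.doe@examp1e.com>\n"
             "Reply-To: payments@mailbox.test\n"
             "Subject: Vendor payment\n\nNew bank details below.\n")

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("spoofed", SPOOFED_NAME),
                      ("lookalike", LOOKALIKE)]:
        print(name, sender_flags(raw))
```

A flagged message is a candidate for the voice-to-voice confirmation described in the last bullet, not proof of fraud; legitimate mail sent through third-party services can also carry a differing Reply-To domain.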

APWG 2Q 2020 Report: Cybercrime Gangs Attempting and Achieving Heists of Increasing Scale

On August 27, the APWG (formerly Anti-Phishing Working Group) published its Phishing Activity Trends Report for the Second Quarter 2020.  The Report analyzes phishing attacks and other identity theft techniques, as reported to the APWG from a variety of sources.  The Report’s principal overall observation was that cybercrime gangs have been attempting and achieving heists of increasing scale. Key findings in the APWG Report included the following:

  • Phishing Sites: In 2Q 2020, the number of phishing sites detected was 146,994.  This total represented an 11 percent decrease from the 165,772 sites detected in 1Q 2020.
  • Most Targeted Industry Sectors: Software as a Service (SAAS) and webmail sites were most frequently targeted (34.7 percent of all attacks). Financial institution sites accounted for 18.0 percent, payment sites 11.8 percent, and social media 10.8 percent of all attacks.
  • Business Email Compromise (BEC) Attacks: The average wire transfer loss from BEC attacks is increasing. The average wire transfer attempt in 2Q 2020 was $80,183 – a 48.4 percent increase from the average attempt of $54,000 in 1Q 2020.  In addition, 34 percent of BEC attacks in 2Q 2020 were sent from email accounts hosted on domains registered by scammers.  More than three quarters (76 percent) of those domains were registered at just five domain registrars: Namecheap (25 percent), Google (20 percent), Public Domain Registry (17 percent), NameSilo (7 percent), and Tucows (7 percent).  The Report also stated that one documented Russian BEC operation, which “attacks large multinational organizations, many of which are Fortune 500 and Global 2000 companies,” has sought an average of $1.27 million when it targets companies.
  • Phishing Attacks in Brazil: Although the banking and financial sector “is still the primary target of phishing attacks in Brazil,” the Report noted that there were 9,572 unique phishing cases in Brazil in 2Q 2020 (a decrease from 10,910 unique phishing cases in 1Q 2020), and that a decrease in cases of digital fraud in June 2020 was most evident in the banking and financial sector.
  • Phishing Sites’ Use of HTTPS: Since 2016, according to APWG data, there has been a fairly consistent and substantial increase in the number of phishing sites that use the HTTPS encryption protocol.  In 2Q 2020, the percentage of phishing sites using Secure Socket Layer/Transport Layer Security certificates increased slightly to 77.6 percent (compared to 74 percent in 1Q 2020).

Note: This latest APWG Report points up a number of troublesome phishing trends, notably the increase in the average BEC wire transfer losses and the increase in phishers’ use of HTTPS to enhance the credibility of their sites.  Information security officers should read this Report and share it with their information security teams.

Germany’s Financial Intelligence Unit Reports Substantial Increase in Suspicious Transaction Report Filings in 2019

On August 18, Germany’s Financial Intelligence Unit (FIU) announced that it had issued its Annual Report for 2019.  The Report stated that in 2019, the FIU received 114,914 suspicious transaction reports.  That total represents an increase of 37,500 over the number of suspicious transaction reports that the FIU received in 2018.

All in all, the FIU reported, it has seen the annual number of such reports increase almost twelve-fold since 2009.  The FIU commented that this increase “reflects the continuous awareness of those subject to the Money Laundering Act and the increasing automation at large credit institutions.”

The Report also included findings regarding the filing of suspicious transaction reports by the financial and non-financial sectors:

  • Financial Sector: The increase in the number of suspicious transaction reports applies to both the financial and non-financial sectors, as well as to authorities and other covered entities. Approximately 98 percent of all reports still come from the financial sector, from which the FIU received more than 35,000 more suspicious transaction reports than in 2018.
  • Non-Financial Sector: The absolute number of suspicious transaction reports that the FIU received from the non-financial sector increased in 2019, but still only accounts for approximately 1.3 percent of the total.  Gambling organizers and brokers were primarily responsible for the increase in the non-financial sector.  The FIU also received “[s]ignificantly more reports” from goods dealers in 2019, with a percentage increase “roughly in line with the overall trend.”  It also saw an increase in the number of reports from real estate agents and financial companies.
  • Cryptocurrencies: The FIU also saw “a slight upward trend” in the number of suspicious transaction reports relating to crypto assets.  Approximately 760 reports contained as a reason for filing “abnormalities in connection with crypto currencies.”  In particular, it deemed the forwarding of funds to trading platforms abroad to exchange the funds for crypto assets, with subsequent further transfer, “abnormal.”

The director of the FIU, Christof Schulte, welcomed these developments.  He stated that the upward trend in the numbers of suspicious transaction reports being filed “shows that the FIU’s extensive awareness-raising and coordination measures are working.”

Schulte also noted that the FIU’s risk-based approach and associated legal filter function – both also included in the standards of the Financial Action Task Force (FATF) – “are of particular importance.”  As he put it, “Only the facts that are actually valuable are passed on to the responsible law enforcement authorities so that law enforcement can efficiently concentrate available resources on these facts.”

Schulte cautioned that he did not consider the reports filed by the non-financial sector to be sufficient, in light of the money laundering risks in that sector.  He further stated that in view of the increasing number of crypto-related reports, the FIU “will also increasingly investigate transactions that were carried out using new payment technologies with regard to money laundering and terrorist financing.”

Note:  This FIU report is instructive, not only for the statistical data regarding suspicious transaction report filings, but also for the comments by Director Schulte about the volume of reports from the non-financial sector and increasing FIU focus on crypto-related transactions.  Whether the FIU’s concentration on analysis of these reports will translate into actual enforcement cases by German prosecutors remains to be seen.  As Director Schulte admitted in a recent media interview, “One problem for us is that the prosecution of money laundering in Germany isn’t traditionally well established.”

In any event, chief compliance officers at German financial institutions and other entities subject to German money-laundering legal requirements should review the FIU report closely, and share pertinent details with other senior executives in their firms.

U.S. Antitrust Division Head Announces Division Reorganization, Creation of New Units

On August 20, Makan Delrahim, Assistant Attorney General in charge of the Antitrust Division at the U.S. Department of Justice, announced a series of changes in the Division’s structure and operational responsibilities.  Those changes fall into three categories.

First, the Division is reallocating certain “commodities” (i.e., industries it reviews) across its civil enforcement sections.  Prior to the reallocation, the enforcement of mergers and conduct in the financial services, banking, insurance, and credit card businesses was spread across four different sections within the Division, and media, broadcast, and telecommunications were divided between two sections.  Under the reorganization, the Division will dedicate all financial services to a single section, and combine broadcast and telecommunications in a single section.  Combining the responsibilities for broadcast and cable, in Assistant Attorney General Delrahim’s view, “reflects the integration in these industries and will streamline our enforcement and review in these sectors.”

Second, the Division has created a new office, the Office of Decree Enforcement and Compliance (ODEC).  ODEC has been given primary responsibility for enforcing judgments and settlement decrees in civil matters.  It will serve, as Delrahim put it, “as the dedicated watchdog for judgment and decree compliance,” and is charged with working with Antitrust Division attorneys, monitors, and compliance officers to ensure the effective implementation of and compliance with those civil agreements.

Third, the Division has created a Civil Conduct Task Force (CCTF) to focus full time on civil non-merger work.  The CCTF will consist of both a core group of fully dedicated attorneys and attorney designees from each of the Division’s six civil sections and three field offices.  All CCTF members are to be staffed on CCTF-led civil conduct investigations.

The rationale for the CCTF’s creation, according to Delrahim, is “to ensure that when the Division gets busy with merger reviews with statutory deadlines, that there is still an independent group of dedicated attorneys with the mandate to execute against aggressive timelines in our non-merger cases.”  The objective is to have the CCTF “build competencies that are unique to civil conduct cases, where the key questions, and the posture of the parties under investigation, are quite different from merger investigations,” and to ensure “that these competencies are shared with the civil sections and the field offices when they lead conduct cases as well.”

Note:  Enforcement agency reorganizations and revisions ordinarily attract minimal public attention, other than from attorneys whose practices focus on those agencies.  While that is likely to be true of these Antitrust Division changes as well, antitrust practitioners should closely monitor subsequent developments stemming from the changes.

Within the next year, both Division attorneys and private practitioners should see significant benefits flowing from the consolidation of related industry sectors in a single Division section.  In contrast, it may take two or more years before the worth of the ODEC and the CCTF can be clearly established, but any measures that reduce the stop-and-start handling of certain antitrust investigations and provide more consistent oversight of antitrust decree enforcement should be welcome.

United States Seizes Iranian Petroleum Shipments, Bound for Venezuela, for Sanctions Evasion

On August 14, the U.S. Department of Justice announced “the successful disruption of a multimillion dollar fuel shipment by the Islamic Revolutionary Guard Corps (IRGC), a designated foreign terrorist organization, that was bound for Venezuela” aboard four foreign-flagged oil tankers.  These actions, according to the Department, “represent the government’s largest-ever seizure of fuel shipments from Iran.”

The genesis of these seizures was a civil forfeiture complaint that the Justice Department filed on July 2, 2020, in the U.S. District Court for the District of Columbia.  In essence, the complaint, which named the four oil tankers in question, stated, according to the Wall Street Journal, “that an Iranian businessman affiliated with the Islamic Revolutionary Guard Corps, Iran’s elite military unit designated by the U.S. as a terror group, arranged the fuel deliveries through a network of shell companies to avoid detection and evade U.S. sanctions.”

After the District Court issued the forfeiture order, unspecified U.S. forces reportedly “successfully executed the seizure order and confiscated the cargo from all four vessels, totaling approximately 1.116 million barrels of petroleum.” A senior U.S. official told the Associated Press

that no military force was used in the seizures and that the ships weren’t physically confiscated. Rather, U.S. officials threatened ship owners, insurers and captains with sanction to force them to hand over their cargo, which now becomes U.S. property, the official said.

The Justice Department credited unspecified “foreign partners” with assisting in the seizure and stated that the seized oil “is now in U.S. custody.”

The Department also reported that after the successful U.S. seizure, “Iran’s navy forcibly boarded an unrelated ship in an apparent attempt to recover the seized petroleum, but was unsuccessful.”  It provided a link to a short video from U.S. Central Command that it represented to be a video of the unsuccessful Iranian operation.

Note: This action by the Justice Department is noteworthy because it represents the first time that the United States has used vessel seizures to prevent Iranian oil shipments to Venezuela.  The Trump Administration undoubtedly regarded these seizures as a necessary response to the successful deliveries of gasoline to Venezuela by Iran earlier this year.  As the Journal noted, the seizure has particular force because it deprives two sanctioned regimes of much-needed resources: oil for Venezuela, and revenues for Iran.

Neither regime is likely to be deterred directly by the seizures, but the Administration undoubtedly expects that.  The key to the success of this stratagem by the United States will be whether the seizures “deter shipping companies from dealing with the Iranians and Venezuelans as tanker owners, brokers, insurers and other businesses see the risk as too costly.”  If the U.S. Government can dissuade legitimate shipping companies from future support, Iran and Venezuela will likely be forced to deal with far less reliable companies and less seaworthy vessels in continuing to evade sanctions.