Email Based Funds Transfer Fraud - The Details
by John Bandler
This article covers details on email based funds transfer frauds, my name for a pernicious and pervasive cybercrime where the criminals use email to divert payments and steal money. Names for this fraud include:
- Business email compromise (BEC)
- CEO fraud, CFO fraud, CXO fraud, and more
- Email based funds transfer frauds (my term, accurately descriptive)
This is one of three priority cybercrime threats that all individuals and organizations should be aware of (the other two top threats are data breaches and ransomware).
If you haven't already, check out my more general article on email based funds transfer frauds for background, prevention, etc.
Now, we walk through the nuts and bolts of this cybercrime.
1. Introducing the participants
First, let's look at who plays a role, willingly or not.
- Sender/Account holder: Wants to send funds to the receiver/beneficiary. Has Account 1 at Bank A. Instructs Bank A where to send funds.
- Receiver/Beneficiary: Rightfully owed money that they want to receive. Has Account 2 at Bank B.
- Cybercriminal: Tries to steal money by getting it sent to Bank C Account 3 (the account of a “money mule”).
- Money Mule: Recruited by the cybercriminal.
- Banks: Banks manage accounts, send and receive funds, and have anti-fraud and anti-money laundering departments.
- Information relay: A person who relays funds transfer instructions, but is not one of the above.
2. Sending a bank wire
Here is how it is supposed to go:
- Receiver/Beneficiary tells sender/account holder where to send the funds
- Sender/account holder tells their bank to send the funds
- Funds are transferred
- Receiver gets the funds
Of course, if it went the way it was supposed to, there would be no cybercrime. But many people aren't thinking about this cybercrime.
3. Early cybercrime bank wire frauds
Here is how the fraud started long ago. Banks did not protect against it initially, and were liable.
- Cybercriminal impersonates account holder, tells bank to wire funds
- Bank fails to verify those instructions, sends funds
- Account holder demands the bank pay restitution
As you can imagine, banks got wise to this very quickly. Banks have duties to identify fraud and money laundering and to protect against them, and they spend millions of dollars a year on that, with employees and tools to detect it.
Banks also want to protect their funds and their bottom line.
4. Banks now protect themselves with the “call back”
Banks now have "call back" procedures to verify that funds transfer instructions are in fact coming from the account holder.
When the instructions are genuine, the account holder gets the call, confirms, and the wire goes.
When a cybercriminal tries to interact directly with the bank, it gets detected.
- Cybercriminal impersonates account holder, tells bank to wire funds
- Bank contacts the true account holder (based on information on file), attempts to verbally confirm the instruction
- Of course, the account holder does not confirm, and the wire is not sent
On the one hand, this did prevent a cybercrime and protect the account holder. But more importantly, it protected the bank from its own liability.
I have long urged that banks go further, and warn and advise the account holder to protect against what is now pervasive (see next).
5. Cybercriminals now work this way
Since banks now stop the earlier type of fraud, cybercriminals have adapted. They now work this way, and successfully steal billions of dollars a year. Yes, billions.
Banks often fail to warn customers of this fraud, and they could do more, since banks are in a position to warn and have seen it happen every day for nearly the past decade.
Here is how it works:
- Cybercriminal impersonates Receiver/Beneficiary and tells sender/account holder where to send the funds (to a money mule account)
- Sender/account holder tells their bank to send the funds
- Bank calls back the account holder, confirms the instructions. (But does not warn the account holder to verbally confirm the instructions with the intended receiver/beneficiary)
- Funds are transferred to money mule
- Cybercriminal stole the funds
6. This fraud can get complicated
This fraud can get complicated, and investigation is needed to reveal the facts.
Many cybercrime victims, and attorneys representing them, ask me for insight into their case prior to doing a proper investigation and review. They relate a basic fact pattern where money was stolen through this fraud, and then ask:
- Who is liable?
- How do these cases usually resolve?
- How does insurance cover it?
Then I need to explain that this fraud is complicated. You need to gather facts, analyze facts, review applicable law, and apply the facts to the law. Then (of course) litigation and settlement have all the uncertainties that come with people, their views, interests, and motives.
I explain that this is like an automobile accident. Their question to me is similar to if someone asked a personal injury attorney, "My client was injured in a car accident, two cars hit each other. Who is liable and how do these cases usually settle and resolve?" The question cannot be answered properly without assessing the facts of that particular crash. You need to look at the facts, duties, and law.
I happen to know a lot about investigating both car crashes and cybercrime. Facts matter, I know how to get them, how to analyze them, and apply them to the law. A difference is that lawyers have been litigating car crashes for decades and everyone has a basic knowledge of automobile safety. In contrast, cybercrime litigation is newer and many people are unfamiliar with cybercrime and cybersecurity.
Investigative questions and issues include:
- Lots of communication, hard to tell what is genuine, what came from where, and what came from the cybercriminal
- Email account breached?
- Spoof email accounts created?
- Domains?
- Cyber evidence
- Other evidence
- Not everyone wants to cooperate
- Hard to catch the cybercriminal
- Hard to recover the money
- Not every liable party wants to compensate the victim
- Hard to investigate and requires resources
- Long money trail
- Bank Secrecy Act (BSA)
- Interstate
- International
7. Prevent this crime
My other article has more on prevention, but in sum:
- Secure your email accounts properly (strong unique passwords and two factor authentication)
- Confirm all payment instructions verbally (phone call)
- Confirm changes to payment instructions verbally also.
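The flows in sections 2 through 5 and the verbal confirmation step above can be modeled to show which control stops which fraud. This is an added example, not part of the original article; the scenario data is constructed, and the function names and outcome strings are assumptions made for illustration.

```python
from dataclasses import dataclass

BENEFICIARY_ACCOUNT = "Bank B / Account 2"   # where the money is rightfully owed
MULE_ACCOUNT = "Bank C / Account 3"          # controlled by the cybercriminal

@dataclass(frozen=True)
class WireRequest:
    instructed_by: str   # who told Bank A to send: "account_holder" or "cybercriminal"
    destination: str     # account named in the payment instructions

# Constructed scenarios, one per flow described in the article.
SCENARIOS = {
    "genuine wire (section 2)": WireRequest("account_holder", BENEFICIARY_ACCOUNT),
    "early fraud (section 3)": WireRequest("cybercriminal", MULE_ACCOUNT),
    "current fraud (section 5)": WireRequest("account_holder", MULE_ACCOUNT),
}

def bank_call_back(req):
    """Bank A phones the account holder on file: 'Did you request this wire?'"""
    return req.instructed_by == "account_holder"

def verbal_confirmation(req):
    """Sender phones the beneficiary on a known number and reads back the account."""
    return req.destination == BENEFICIARY_ACCOUNT

def outcome(req, use_call_back, use_verbal_confirmation):
    # The sender can only check instructions the sender actually received.
    if (use_verbal_confirmation and req.instructed_by == "account_holder"
            and not verbal_confirmation(req)):
        return "stopped by verbal confirmation"
    if use_call_back and not bank_call_back(req):
        return "stopped by bank call back"
    return "funds stolen" if req.destination == MULE_ACCOUNT else "funds delivered"

def compare_controls():
    """Outcome of every scenario under each combination of controls."""
    combos = {"no controls": (False, False), "call back only": (True, False),
              "call back + verbal confirmation": (True, True)}
    return {(name, label): outcome(req, *flags)
            for label, flags in combos.items() for name, req in SCENARIOS.items()}

if __name__ == "__main__":
    for (name, label), result in compare_controls().items():
        print(f"{label:32} {name:26} {result}")
```

The call back passes the current fraud because the account holder really did request the wire; only the check against the beneficiary looks at the destination account.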
8. Good cybersecurity helps prevent cybercrime
How does an organization (or individual) protect against these email based scams that try to steal these wired funds?
Consider my Four Pillars of Cybersecurity. Organizations should have a cybersecurity policy, an incident response plan, follow them, and seek continual improvement.
Have good email security, with two factor authentication and strong passwords.
9. Conclusion
Every individual and organization could be victimized by this crime. Knowledge can prevent it.
This is a brief summary with many simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help improving cybersecurity, creating or improving your policies, complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity. Sometimes individuals need help with cybersecurity and investigations too.
10. Additional reading
- Email security
- Passwords
- Two factor authentication
- Money mule
- The Three Priority Cybercrime Threats
- Introduction to Cybersecurity and Information Security
- Cybersecurity Tips From John Bandler
- Cybersecurity Laws and Regulations Part 1
- Cybersecurity and Privacy for You and Your Organization
- My books
- Email based cybercrime thefts, John Bandler, Westchester & Fairfield County Business Journals, April 11, 2022, https://westfaironline.com/146840/email-based-cybercrime-thefts/
- My 2017 article in the HuffingtonPost (Huffpost) titled "The Cybercrime Scheme That Attacks Email Accounts And Your Bank Accounts". Read it here on this website or at the HuffingtonPost.
This article is hosted at https://johnbandler.com/email-based-funds-transfer-frauds and is about a priority cybercrime threat.
Originally posted here on 5/20/2023. Updated 10/24/2024.