Email schemes and bank wiring frauds
First, let’s review how things are supposed to work when we send a bank wire. We want to send money from our bank account to theirs, the recipient tells us where we should wire the funds, we relay those instructions to the bank, and the bank sends the money from our account to the beneficiary’s account.
When cybercrime was a newer industry, cybercriminals attacked banks who then learned to protect themselves. Then cybercriminals realized that the account holder was an easier point of compromise, with less security than the bank. By compromising the account holder’s financial account credentials, or email account credentials, they could impersonate the account holder, direct the bank to send a wire to an account controlled by the criminal, and then forward the funds out of the country. This was done without the consent or knowledge of the account holder, and is depicted like this.
When this scheme is successful the criminals get away scot-free with the money, and then it is between the account holder and bank to figure out who should bear the loss. Sometimes fault is not clear, but if the account holder was negligent in allowing their internet account or computer to be hacked, perhaps they should bear some or all of the loss. If the bank was tricked by a criminal, and wired customer funds without the consent of the account holder, then perhaps the bank should bear the entire loss. The result was that banks became wise to this fraud and implemented controls to reduce it, taking steps to confirm that the wiring instructions are being sent by the account holder—and not by a fraudster. These measures include a verbal conversation and confirmation of bank wiring instructions. While anti-fraud measures are good business practices and protect against monetary loss, banks also have legal and regulatory obligations to prevent and report fraud and money laundering activity, and are in an excellent position to identify and respond to new fraud trends.
With these improved controls it became harder for cybercriminals to commit that specific fraud so they evolved. Instead of impersonating the account holder and tricking the bank, they impersonate the person who sends the account holder the bank wiring instructions—tricking the account holder. Unlike the bank, the account holder probably has no training in anti-fraud and anti-money laundering, and may not know about the need to verify that wiring instructions are authentic. The account holder receives fraudulent instructions and simply forwards them to the bank. The bank receives these instructions from the account holder, and verifies that the instructions were in fact sent from the account holder, but perhaps does nothing to advise the account holder about this new fraud scheme. The bank executes the customer’s instructions, the money is wired, and thus stolen, as shown below.
The money mule
The cybercriminals committing this fraud don’t receive stolen funds directly, so they use one or more money mules—people recruited to receive a fraudulent bank wire or forged check—to receive and then forward the funds. The cybercrime economy is lucrative, so it is now very good at laundering money, and this is one way they do it.
Cybercriminals use a variety of techniques to recruit money mules to receive these fraudulent bank wires or forged checks. A fraudster tried to recruit me the other day with this email:
Hi, Can you help us in drafting a purchase ... agreement of oil rig equipment with a buyer in your state?
[Impersonated victim’s name]
Had I responded, eventually they would have asked me to receive a check or a bank wire which would eventually be revealed as fraudulent. This solicitation wasn’t believable—especially since New York isn’t a big market for buyers of oil rig equipment—but others are more believable. It could be “work at home” business opportunities to help collect a debt, settlement, or purchase property. The unsuspecting money mule thinks he or she will earn a fee for this service, but will earn nothing, and may face civil liability for the entire amount of the fraudulent transaction. Money mules are needed for frauds of all sizes, from hundreds of dollars to millions of dollars.
There’s a few things you need to do to protect yourself. They boil down to:
- Keep your financial and email accounts from being hacked.
- Verify that people you deal with haven’t had their accounts hacked.
- Confirm wiring instructions verbally.
- Don’t become a money mule. Know who you are dealing with, know their business, and know the source and destination of funds.
You can keep your email accounts and financial accounts from being hacked by using strong passwords that are changed periodically, and by enabling two factor authentication (two step login). Periodically review your privacy and security settings.
Ensure that you—and your company—always verbally confirm payment instructions that are sent to you from people inside or outside your organization. Businesses also need financial controls which include dual control and segregation of duties to prevent a single person from causing funds to be sent. Get to know the people and businesses that you work with and transfer funds with. If things seem suspicious, or change without adequate explanation and confirmation, or if names don’t match, that could indicate fraud or money laundering.
If you are a victim
If you are a victim of this crime, report it to the bank and to law enforcement immediately. Report to the FBI’s Internet Crime Complaint Center (IC3), report to the local police, and if the fraud amount is significant call the local FBI field office. See the FBI’s advisory on this fraud for more information.
Preserve all evidence of the crime, and document your communications with the bank and law enforcement. Of course, preserve all communications to and from the cybercriminals, and don’t delete those emails.
Consider hiring a professional to assist you. The bank’s interests are different from yours and they may not be as motivated to recover funds if they believe it is your money, rather than theirs. Banks might not be allowed to share certain information with you by law, and sometimes they might not share information if it might be ammunition in a lawsuit or regulatory action. Law enforcement might not investigate as thoroughly as you might like, and even when they do, their focus is pursuing a criminal investigation, and they might not be allowed to share certain information with you.
In order to effectively fight cybercrime, our country will need to develop seamless crime reporting methods, which are followed by a prompt and effective investigative response. We are not there yet, so persistence by the crime victim may be required. We should encourage government to comprehensively fight the cybercrime economy, which it is not yet doing. This fraud is one of many evolving frauds, so personal and business cybersecurity and anti-fraud measures are essential—we need to educate and protect ourselves.
Originally published August 3, 2017, Huffington Post, at https://www.huffingtonpost.com/entry/the-cybercrime-scheme-that-attacks-email-accounts-and_us_59834649e4b03d0624b0aca6