Email Based Funds Transfer Frauds by John Bandler

This article relates to email based funds transfer frauds, a technique cybercriminals use to steal money by diverting payments such as bank wires. Other names for this fraud include "business email compromise" or "BEC", "CEO fraud", "CFO fraud" and more.  I wrote an article about it a while back that has some diagrams and describes it in detail, and it is also outlined in my two books, all cited below. This is a priority cybercrime threat that all individuals and organizations should be aware of (the other two top threats are data breaches and ransomware).

It is a devastating crime that has victimized many people and businesses. For individuals, it has stolen their life savings, causing stress and feelings of helplessness. For businesses, it can put them at risk of failure, lead to legal and other consequences, and requires time and expense to address.

This crime occurs when cybercriminals impersonate others, either by compromising ("hacking") email accounts, or by establishing new similar sounding email accounts, or through a combination of both. Then they trick recipients into wiring funds so that they wind up in the criminal's hands, instead of where they were intended to go. This is an example of criminal "social engineering" (con-artistry) and can result in massive theft that is difficult to solve.

First, here are ways we can prevent this crime:

  • Banks:
    • Warn customers about this fraud before they send funds. Ask the customer: "Did you speak by phone with the person who sent you these wire instructions?" Tell the customer "There is a rampant fraud called business email compromise. Please read John Bandler's article on the subject." (Or, the bank could write their own summary of the fraud).
    • Detect, shut down, and don't forward funds relating to "money mule" accounts. Money mule accounts receive fraudulently induced wires, then forward them out of the country.
  • All of us, individuals, businesses, etc.:
    • Secure email accounts with strong passwords and two-factor authentication. My articles and cybersecurity book have details.
    • Don't become a money mule. Know who you are doing business with, know your client, customer, business partners, know where the money is coming from and going to.
    • Verbally confirm any funds transfer instructions, or changes to those instructions. Do not rely upon emailed instructions.
    • Businesses should develop and improve their cybersecurity (information security) program.
  • Attorneys: As above. Secure your email accounts, warn clients about this fraud, advise clients to verbally confirm any funds transfer instructions..
  • Real estate agents and others: Ditto.
  • All organizations that receive, forward, or send payment instructions. Ditto.
  • Law enforcement:
    • Work more of these cybercrime investigations, follow the money, indict, apprehend, and extradite those profiting from it.
    • Provide victims with a seamless reporting process for cybercrime, and promptly investigate and follow up on these reports.

After this crime has occurred, work fast to try recover funds, or stop them before they leave this country.

  • Call the FBI, local police, report to the FBI's IC3 website. Be politely persistent. Ask the FBI to stop further transmittal of the wired funds ("kill chain").
  • Call your bank, ask them to stop and trace the funds. Ask them to confirm they are in contact with law enforcement.
  • Consider hiring someone to help you.

Equally important is properly investigating these crimes. That is a job for both law enforcement and the private sector.

Consider the perspective of the victim. Many victims of this crime simply want the money back, and at first are less interested in how it happened, where the money went, and various details of the crime. However, obtaining relevant facts helps the victim make informed decisions about what path to take. The facts could help with recovery of the funds, or shed light on whether a third party (someone other than the cybercriminal) might bear some responsibility for the theft. In sum important legal decisions should not be made until relevant facts are known.

Law enforcement presents another important perspective. It is their job to investigate these crimes and hopefully catch at least some of the offenders. To maximize their scarce resources, they need good cooperation from the private sector.

The details of these cybercrimes are fascinating to me. I believe learning and understanding the facts are the first step before deciding upon future actions. The era of cybersecurity and cybercrime negligence lawsuits are upon us, but still in their infancy and evolving. Whether a party is negligent or not depends upon the facts and surrounding circumstances, and I believe it is best to learn facts before contemplating litigation. After all, if you have a strong case, this can help negotiations, and you might be able to resolve the matter without any expensive litigation. If you have a weak case, you can save yourself years of stress and expense of an unnecessary lawsuit.

How does an organization (or individual) protect against these email based scams to steal wired funds? Knowledge and awareness are essential and constitute my first pillar of cybersecurity. Organizations should have a mechanism to deal with funds transfer instructions. All of this should be part of a broader plan to attain and exceed "reasonable security". I recommend following (my) Bandler's Four Pillars of Cybersecurity, having a cybersecurity policy, an incident response plan, following them, and looking for continual improvement.

Cybercriminals are always evolving and prevention is always better than the cure. Better to avoid the problem than deal with the aftermath. Cybersecurity is important for all of us, our families, and our professional lives. My first book (Cybersecurity for the Home and Office) is comprehensive and can help you understand technology, the privacy and cybercrime threats, and how to secure yourself and your business.  My second book (Cybercrime Investigations) is focused on investigating after the crime, but still, incident response starts with planning before any incident occurs.

This is a brief summary with some simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for myself, students, clients, potential clients, and anyone else in need of information. It is not legal advice nor consulting advice, and is not tailored to your circumstances.

If your organization needs help improving cybersecurity, creating or improving your policies, complying with cybersecurity related laws and regulations, contact me. Good policies are an important part of cybersecurity, along with Bandler's Four Pillars of Cybersecurity.  Sometimes individuals need help with cybersecurity and investigations too.

References: Some additional helpful articles and resources on this site (or elsewhere) include:

This article is hosted at https://johnbandler.com/email-based-funds-transfer-frauds and is about a priority cybercrime threat.

This article is also available on Medium.com at https://medium.com/@johnbandler/cybercrime-frauds-involving-email-and-funds-transfers-b038c957a7e (though perhaps not kept as current).

Originally posted February 2019. Updated 01/13/2021.