Behind the business email compromise (BEC) scam
Social engineering scams mislead unsuspecting employees into sending money or diverting payments to fraudsters who are impersonating vendors, clients, customers and even senior executives or business owners.
One of the most common, and most costly, forms of these scams is the business email compromise (BEC) scam, which involves a compromised or spoofed email account, from a scammer pretending to be a vendor, senior executive, or business partner.
Lawyers who work with real estate clients and/or wire funds as part of their practice are particularly vulnerable to these sorts of scams. Here’s an illustration of how such a scam works, and what you can do to help prevent this from happening at your firm.
An example of a BEC scam
During closing proceedings on a real estate transaction, a scammer assumes the online identity of a party in the transaction. The email they use appears to be the legitimate sender’s address, but in fact it has been subtly altered in such a way that it often avoids immediate detection. Examples of this include changing the suffix of the domain naming (“.com” to “.us”) or changing a letter “o” to a number “0.”
In some cases, the scammer may even have control over the person's real email address, and is therefore able to obtain knowledge specific to the transaction, and is able to include details relevant to the recipient in the email to the attorney receiving the email (e.g., "I hope the home inspection went well yesterday").
The scammer provides wire instructions or specifies changes to a previous wire transfer request, such as a new account number, or a new requirement to pay via wire transfer (as opposed to check).
The scammer may create a false sense of urgency around the request, in hopes that the reader will bypass channels that might normally uncover a fraud. This may include language along the lines of “time is of the essence” or “this needs to go out today.”
Acting in haste, the reader then sends money for the closing to the scammer's account. The money is quickly transferred by the scammer to an overseas bank before the scam can be uncovered and stopped.
The real party then calls late in the day or early the next morning, asking about the anticipated wired funds.
At that point, the attorney realizes that he or she has been scammed. The closing cannot take place, and various claims for damages accrue as a result of the failed sale, as well as a claim for the loss of the client's funds. Thus, there are usually at least one or more aggrieved parties looking to the attorney for their actual damages, plus any additional attorney's fees and costs incurred by all the aggrieved parties in trying to rectify the situation.
Even worse, the attorney may now be exposed to professional liability claims regarding the missing funds, and may also face potential disciplinary action for the misuse or misappropriation of those funds.
Avoiding and managing the risks
The weakest link in the security chain is the employee who accepts a scenario at face value and doesn't check its legitimacy. That's why it is imperative to provide anti-fraud training that includes educating employees on how to recognize and avoid BEC and similar social engineering scams.
According to the FBI’s 2018 Internet Crime Report
- More than 350,000 scams reported – the highest total ever
- More than $2.7 billion lost – nearly double losses recorded in 2017
- BEC scams accounted for $1.2 billion in losses – making them the most costly form of scam
- These losses also nearly doubled from 2017
- Provide employees with information about recent scam tactics.
- Have a written policy outlining what is considered confidential, sensitive or proprietary information that should never be released without approval or authorization.
- Develop reporting and tracking programs that document attempts of social engineering/false pretense fraud.
- Consult with computer safety and information technology experts, who can help you:
- Install cyber security software and keep it up to date
- Secure Wi-Fi networks and use mobile device security procedures
- Use two-factor authentication to make it difficult for hackers to enter business computer platforms
- Install an intrusion detection system (IDS) to flag emails with extensions that are similar to your company's email.
- Teach employees to never click on embedded links in suspicious or "out of the ordinary" emails.
- Never let the urgency of the message, intimidation or high-pressure tactics influence your careful review and assessment.
Before you pay
- Identify which employees have access to bank account information, or have authority to make payments or transfer funds—they are many times a primary target.
- Limit wire-transfer authority to specific employees, and require supervisor sign-off on any changes to vendor and client information, and all "internally" requested wire transfers.
- Validate funds transfer and payment requests with a "call back" procedure to an individual authorized to make such requests and to a previously established number.
- Be wary of last minute changes in business practices. Business owners should stress to their employees that they will never deviate from normal transfer protocol by calling or emailing an employee with an urgent request to transfer funds outside of documented procedures.
- Be suspicious when someone refuses to provide contact information.
- Randomly test employees with company created fictitious emails and/or phony phone calls.
- Review your insurance:
- Talk to your independent agent to make sure your fidelity and crime coverage is up to date. The Hanover created its false pretense coverage offering to help law firms avoid these risks, and a wide variety of social engineering scams.
- Some insurers – including The Hanover – have resources dedicated to protecting data, and raising awareness of BEC and other social engineering scams.
What to do if faced with a social engineering scam
It is important to act immediately and call the financial institutions involved in the transaction. The local police and the FBI should also be contacted. Companies can submit all relevant information to the Internet Crime Complaint Center (IC3).
This material contains suggested guidance and is provided for informational purposes only. It does not guarantee any particular outcome and is not intended as an endorsement of any of the entities mentioned therein.