2018 Apr Legal Column

Be Aware of Email Compromises Resulting in Fraudulent Wire Transfers

Written by David Boneno, LBA General Counsel

Bankers should be aware of a new twist on a scam tactic that seems to be part of a growing trend of cyber-enabled crime. The scam involves compromising a customer’s email account and then using the email account to deceive financial institutions and their customers into conducting wire transfers. Email compromise fraud can target both commercial customers and personal accounts. According to Financial Crimes Enforcement Network guidance, since 2013, there have been approximately 22,000 reported cases of email compromise fraud involving $3.1 billion.

In 2016, the Financial Crimes Enforcement Network issued an advisory to help financial institutions guard against a growing number of email fraud schemes in which criminals misappropriate funds by deceiving financial institutions and their customers into conducting wire transfers. The advisory also provides red flags that financial institutions may use to identify and prevent such email fraud schemes. Click here to read FinCEN’s FIN-2016-A2003.

For the scam to occur, the criminals will first unlawfully access a victim’s email account through social engineering or computer intrusion techniques (hacking). Criminals subsequently exploit the victim’s email account to obtain information on the victim’s financial institutions, account details, contacts and related information. Criminals then use the victim’s stolen information to email fraudulent wire transfer instructions to the financial institution in a manner appearing to be from the victim. To this end, criminals will use either the victim’s actual email account they now control or create a fake email account resembling the victim’s email.

Criminals trick the victim’s employee or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized. The fraudulent transaction instructions direct the wire transfers to the criminals’ domestic or foreign bank accounts. According to FinCEN guidance, banks in Asia—particularly in China and Hong Kong—are common destinations for these fraudulent transactions.

Business email account compromise schemes will target a financial institution’s commercial customers. The criminals will seek to access unlawfully the email accounts of a company’s executives or employees. The criminals will directly submit fraudulent transaction instructions to the company’s financial institution by impersonating company employees through emails and documentation related to the requested transfer. Alternatively, the criminals might mislead a company employee into submitting fraudulent transaction instructions to the company’s financial institution by impersonating a supplier or a company executive to authorize or order payment through seemingly legitimate internal emails.

Individual email account compromise schemes target individual account customers. The most likely targets are individuals who conduct large transactions through financial institutions, real estate companies and law firms. A criminal can compromise the email account of a realtor or of an individual purchasing or selling real estate, for the purposes of altering payment instructions and diverting funds of a real estate transaction. Another variation occurs when the criminal hacks into and uses a realtor’s address to contact a title company, instructing it to redirect commission proceeds to an account controlled by the criminal. Criminals can compromise an attorney’s email account to access client information and related transactions. The criminal then can email fraudulent transaction payment instructions to the attorney’s financial institution.

The Louisiana State Bar Association’s website has two articles alerting the attorneys to tactics used by criminals targeting lawyers and wired funds in real estate transactions where criminals purport to be clients through phone calls and emails. Click here to read Louisiana State Bar Association article, “New Tactic in Schemes Targeting Lawyers: Wired Funds in Real Estate Transactions”. Click here to read Louisiana State Bar Association article, “Scams Targeting Lawyers: LSBA Members Report Scam Tactics Are Changing”.

The FinCEN guidance also includes a good discussion on email account fraud red flags. Some of the similar suspicious behavior that can be identified includes the use of an email address that is slightly off by one or more characters. Another red flag discussed includes emailed wire instructions to a beneficiary’s account that is different from the one previously used, is to a foreign bank account, or to a beneficiary with which the customer has no payment history or documented business relationship. An additional red flag listed in the guidance is when emailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction. Read FinCEN guidance, FIN 2016-A1003, for a comprehensive list of red flags.

To help guard against email account fraud schemes, FinCEN offers as guidance that financial institutions use a multi-faceted transaction verification process. For instance, financial institutions may verify the authenticity of suspicious emailed transaction payment instructions by using multiple means of communication or by contacting others authorized to conduct the transactions. Click here to read FinCEN’s FIN-2006-A2003.

In conclusion, Louisiana financial institutions need to be alert to the risks of criminals using compromised email accounts to deceive financial institutions and their customers, especially when email communications involve wire transfers.