Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Recent FinCEN Advisory Details Dramatic Increase in Frequency and Severity of Business Email Compromise Fraud Schemes

On July 16, 2019, the U.S. Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) issued an “Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes” (the “Advisory”). The Advisory provides a detailed and helpful overview of trends in Business Email Compromise (“BEC”) schemes affecting U.S. financial institutions and other businesses.

Businesses are typically victimized by one of two variants of fraudulent BEC schemes, which involve spoofed or compromised electronic communications. In some of these schemes, perpetrators purporting to be company executives use spoofed email addresses and direct the companies’ finance personnel to make large wire transfers to third-party bank accounts. In other instances, perpetrators impersonate the victims’ vendors and request that the victim companies initiate changes to the vendors’ banking information and then make large wire transfers to the new bank accounts.

According to the Advisory, criminals have increasingly exploited vulnerable business processes with BEC schemes – with losses to U.S. financial institutions and their customers from such schemes totaling over $9 billion since 2016. Not surprisingly, reports to FinCEN of BEC schemes have risen significantly in the past few years. In 2016, FinCEN averaged approximately 500 such reports per month; however, by 2018, that figure had more than doubled to over 1,100 reports per month. The average total loss amounts stemming from BEC schemes saw similar increases, with the average monthly losses rising from $110 million to over $300 million between 2016 and 2018.

The Advisory notes that the three top target industries for BEC schemes are: (1) manufacturing and construction (25% of reported cases); (2) commercial services (18%); and (3) real estate (16%). Manufacturing and construction companies are likely targeted with greater frequency because they tend to make frequent wire payments to numerous suppliers and also because more client information is publicly available for these businesses. The Advisory also discusses increases in BEC activity in other industries. For example, dozens of government organizations have been targets of BEC fraud, with such thefts typically targeting “accounts used for pension funds, payroll accounts, and contracted services.” Educational institutions – which regularly conduct and receive high dollar transactions in the form of tuition payments, endowments, grants, and renovation and construction costs, among others – are also increasingly the targets of BEC schemes. While only approximately 2% of all BEC schemes affect schools and universities, the education sector has “the largest concentration of high-value BEC attempts.” In addition, some BEC schemes are directly targeted at financial institutions – including in situations where criminal actors send emails that appear to be from a financial institution’s SWIFT department with payment instructions and SWIFT reference numbers in the emails in order to enhance their apparent legitimacy.

With respect to how the BEC schemes are actually effectuated, FinCEN found that, in 2018, the most frequently used BEC methodology involved the use of fraudulent vendor or client invoices, which accounted for approximately 39% of BEC schemes. In addition, in a notable change from previous years, FinCEN found that the majority of BEC schemes affecting U.S. financial institutions and their customers now involve initial funds transfers to domestic, rather than foreign, bank accounts. According to the Advisory, FinCEN expects that BEC perpetrators will continue to refine their methodologies and strategies in order to evade detection by victims and, therefore, ensure the greatest likelihood of financial success.

The release of the Advisory is yet another reminder to companies of the importance of devising and maintaining a system of policies, procedures, and internal controls attuned to BECs and other cyber-enabled frauds. Specifically, companies should consider how they can enhance their payment authorization procedures and verification requirements for vendor information changes. In addition, companies should examine their account reconciliation procedures and outgoing payment notification processes to ensure that payments resulting from fraud are detected and stopped. Companies must also look to enhance their training of employees about BECs and other cyber-related threats, as well as the relevant internal policies and procedures governing issues such as payment authorization and verification.

About the Author: Peter Baldwin

Peter Baldwin draws on his experience as a former federal prosecutor to counsel clients facing government investigations and cybersecurity issues. View Peter's full bio on the Faegre Drinker website.

July 19, 2019
Written by: Peter Baldwin
Category: Communications, Cybersecurity, Financial Services
