FinCEN Advisory on Email Compromise Fraud Schemes
Author: Chris Boersma
Cybercrime is growing at an alarming rate. One method involves criminals compromising victim information and sending wire transfer instructions to a financial institution in an attempt to illegally obtain money. On September 6, 2016, the Financial Crimes Enforcement Network (FinCEN) issued an advisory on email-related fraud schemes targeting financial institutions and their customers. The advisory focused on education and prevention of fraudulent attempts to capture emails from business and consumer email accounts.
Business Email Compromise (BEC): Fraud scheme targets a financial institution’s commercial customers
Email Account Compromise (EAC): Fraud scheme targets a victim’s personal accounts
In a BEC scheme, emails are sent to financial institution employees with wire transfer instructions that appear to be initiated by someone employed by one of the bank’s commercial customers, or the emails direct that customer’s employees to submit wire transfer instructions themselves to approve and request money transfers. In an EAC scheme, criminals send emails to individuals, compromise their email account(s), and then compose and send emails with wire instructions to a financial institution.
Here are some specific red flags identified and listed within the advisory:
- A customer’s seemingly legitimate emailed transaction instructions contain different language, timing and amounts than previously verified and authenticated transaction instructions.
- Transaction instructions originate from an email account closely resembling a known customer’s email account; however, the email address has been slightly altered by adding, changing or deleting one or more characters.
- Emailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
- Emailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
- Emailed transaction instructions direct payment to a beneficiary with whom the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
- Emailed transaction instructions include markings, assertions or language designating the transaction request as urgent, secret or confidential.
- Emailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the requested transaction’s authenticity.
- Emailed transaction instructions originate from a customer’s employee who’s a newly authorized person on the account or is an authorized person who hasn’t previously sent wire transfer instructions.
- A customer’s employee or representative emails a financial institution transaction instructions on the customer’s behalf that are exclusively based on email communications originating from executives, attorneys or their designees. However, the customer’s employee or representative indicates he or she was unable to verify the transactions with such executives, attorneys or designees.
- A customer emails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning a fraudulent payment was successful.
- A wire transfer is received for credit into an account. However, the wire transfer names a beneficiary who isn’t the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number—provided by a criminal impersonating a known supplier/vendor—while thinking the new account belongs to the known supplier/vendor.
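The following added example (not part of the FinCEN advisory or the original article) shows how four of the red flags above could be screened automatically: a lookalike sender address, a known beneficiary with changed account details, a new beneficiary receiving an amount similar to or above historical payments, and urgent/secret/confidential language. The customer profile, message field names, the two-edit threshold and the 80% "similar amount" cutoff are all assumptions made for illustration.

```python
import re

# Constructed sample profile for one customer (not data from the advisory).
KNOWN_SENDERS = {"ap@acme-widgets.example"}
BENEFICIARIES = {"Northwind Supply": {"account": "111222333", "max_paid": 48000.0}}
URGENCY = re.compile(r"\b(urgent|secret|confidential)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance: count of single-character adds, changes or deletes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(msg, max_edits=2, similar=0.8):
    """Return the red flags raised by one emailed wire instruction (a dict)."""
    flags = []
    sender = msg["from"].strip().lower()
    if sender not in KNOWN_SENDERS:
        for known in sorted(KNOWN_SENDERS):
            # Slightly altered address: a few edits away from a verified one.
            if edit_distance(sender, known) <= max_edits:
                flags.append(f"lookalike sender (resembles {known})")
    ben = BENEFICIARIES.get(msg["beneficiary"])
    if ben is None:
        # No payment history; assumed meaning of "similar": >= 80% of largest payment.
        biggest = max((b["max_paid"] for b in BENEFICIARIES.values()), default=0.0)
        if msg["amount"] >= similar * biggest:
            flags.append("new beneficiary, amount similar to or above history")
    elif ben["account"] != msg["account"]:
        flags.append("known beneficiary, different account information")
    if URGENCY.search(msg["body"]):
        flags.append("urgent/secret/confidential language")
    return flags

# Constructed messages for illustration.
SPOOFED = {"from": "ap@acme-wigdets.example", "beneficiary": "Northwind Supply",
           "account": "999888777", "amount": 47500.0,
           "body": "URGENT and confidential: please wire today."}
ROUTINE = {"from": "ap@acme-widgets.example", "beneficiary": "Northwind Supply",
           "account": "111222333", "amount": 12000.0, "body": "Monthly invoice."}

if __name__ == "__main__":
    for m in (SPOOFED, ROUTINE):
        print(m["from"], "->", red_flags(m) or "no flags")
```

A hit from a screen like this is a prompt to confirm the instruction through a previously verified channel, not a determination of fraud.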
Financial institutions with reason to suspect someone tried to illegally obtain funds or avoid regulatory requirements need to consider applicable Suspicious Activity Reporting (SAR) procedures. The report should mention the terms BEC and EAC for clarity. An example of the SAR narrative was provided in the advisory.