By Patti Murphy
Fraud is a perpetual threat to banks and their business clients. And while the marketplace is getting better at detecting fraud incidents before they turn to losses, new threats are constantly emerging. One troubling new trend is the proliferation of business email compromises (BECs) that are used to trick companies into making fraudulent payments that are then laundered through networks of "mules" that often carry out their part of the scam through check deposits.
It's a case of the old (check payments) being leveraged to support new methods of fraud. BEC, also known as cyber-enabled financial fraud, is carried out by transnational criminal rings that employ lawyers, linguists, hackers and social engineers. They target organizations large and small and use various tactics, although most target employees within those organizations who can access company finances. Think accounts payable staff.
At its heart, a BEC leverages the oldest trick in the con artist playbook: deception. Fraudsters use email phishing and social engineering tactics to trick employees into making wire transfers to accounts thought to belong to trusted partners, but which in fact are controlled by the fraudsters. First they gain access to a company's internal networks. Then they spend weeks, or even months, studying the company's vendors, billing systems and executives' email styles. And when they think the time is right, they send an email purporting to be from a key executive (CEO or CFO) requesting an immediate transfer of funds to the account of what appears to be a trusted vendor.
The FBI reports that between 2000 and 2018 its Internet Crime Complaint Center saw a 1,300 percent increase in identified BECs, with reported losses totaling over $3.7 billion. Agari, a provider of phishing defense solutions for enterprises, estimates that globally $700 million is lost every month to BEC attacks.
Agari also reports that an ongoing investigation by its Cyber Intelligence Division identified an international cyber-fraud ring that has bilked thousands of companies with BEC attacks and cashed out their booty, often using gift cards but, with increasing frequency, paper checks. Dubbed Exaggerated Lion, the group is made up of bad actors spread around multiple African countries, including Ghana, Kenya and Nigeria.
The group uses Google's G Suite to maximize the number of phishing emails sent on any one day, Agari reported – 2,000 versus a limit of 500 a day using traditional Gmail accounts. BEC rings employ "mules" to cash out their frauds. The mules, who usually keep a fraction of the money for their efforts, can be witting or unwitting participants in the scams. Often, fraudsters enlist and manipulate individuals to be mules through "romance" or "work at home" scams, according to Agari and the FBI.
Agari said it handled 200 investigations involving Exaggerated Lion in the space of four months last year, and one thing that stood out was the group's use of physical checks to cash out pilfered funds. The "low tech" use of paper checks for cash-outs requires a higher level of sophistication in social engineering techniques to dupe companies out of money and to get mules on board (often unwittingly), Agari stated.
Unwitting mules are the best mules, the company said, because they can be convinced to deposit the checks into their personal accounts, often under the auspices of helping someone receive a large inheritance, and pass the proceeds on without question. Since the accounts are legitimate, the scam is "almost undetectable" by traditional anti-money laundering controls that financial institutions use to detect suspicious activities, Agari said.
Between April and August 2019, Exaggerated Lion targeted at least 3,000 individuals employed by nearly 2,100 companies with BEC attacks, according to Agari. Most targeted employees were in accounts payable. Investigators identified 28 active money-mule accounts at various financial institutions. Healthcare companies have been among the hardest hit, Agari said. Other vulnerable industry sectors include banking, manufacturing, retail and construction. Exaggerated Lion attacks have been identified in 49 of 50 U.S. states; companies in Nevada appear to be the only ones not yet victimized by this gang of cybercriminals.
"When you look at the loss numbers, business email compromise has a much bigger financial impact than other types of cyberattacks, like ransomware," said Crane Hassold, senior director of threat research at Agari.
In a 2018 press release, the FBI advised, "The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO's office or speaking to him or her directly on the phone. Don't rely on email alone."
Now for some good news: banks are becoming adept at identifying fraudulent payments before they turn to losses, according to the American Bankers Association's 2019 Deposit Account Fraud Survey.
The biennial ABA survey, which has been tracking fraud data since 1993, measures fraud attempts against bank deposit accounts involving checks, debit cards, bill payment, P2P payments, wire transfers and ACH transactions.
"Banks continue to take extraordinary efforts to protect and safeguard customer accounts," said Rob Nichols, ABA president and CEO. "As fraud schemes become increasingly more sophisticated, this survey demonstrates that banks are meeting the challenge by investing in equally sophisticated fraud prevention systems and constant vigilance by dedicated employees."
The survey, which sampled 151 FIs of varying sizes, identified check fraud and debit card fraud as the two biggest types of fraud against deposit accounts. Check fraud resulted in $1.3 billion or 47 percent of losses, closely followed by debit card fraud losses at $1.2 billion or 44 percent of the total. The remaining 9 percent of losses ($265 million) involved bill payment, P2P transfer, wire transfer and ACH transactions.
Not surprisingly, most of the losses from debit cards came from card-not-present transactions. Fraud related to counterfeit cards fell to 25 percent of total debit card losses in 2018, from 47 percent two years earlier. CNP debit card losses grew from 30 percent of the total in 2016 to 42 percent in 2018, the ABA said.
Attempted check fraud in 2018 totaled $15.1 billion, accounting for 60 percent of all fraud attempts against deposit accounts, the ABA noted. But banks' check fraud prevention measures succeeded in identifying a whopping 91 percent of those attempts. Counterfeit checks and forged signatures were two of the leading categories of check fraud identified.
Patti Murphy is senior editor at The Green Sheet and self-described payments maven of the Fourth Estate. Follow her on Twitter @GS_PayMaven.