A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

June 13, 2016 • Issue 16:06:01

Insider's report on payments:
Email-related fraud threats grow

By Patti Murphy
ProScribes Inc.

For those of us who came of age with teletypes and mimeographs, the advent of the Internet and email was wondrous. But these wonders of technology have not come without costs. Take email, for example. What began as a convenient, low-cost way to communicate with family, friends, associates, clients and billers has evolved to a dumping ground for unwanted communications and fertile ground for fraudsters.

According to the Internet Security Threat Report, published in April 2016 by cybersecurity firm Symantec Corp., more than half of all emails across all industries in 2015 were spam, down slightly from 60 percent in 2014. At retail trade companies, spam accounted for 52.7 percent of emails last year; 52.1 percent of emails received by finance, insurance and real estate companies were spam. No company size is particularly vulnerable – spam is an equal opportunity problem, the report noted.

Retailers are the most at risk for phishing – one of the most popular types of Internet fraud. According to Symantec, one in every 690 emails received at retailing companies in 2015 were phishing attempts. At finance, insurance and real estate firms, phishing accounted for one in every 2,200 emails. Few, if any, spammers work alone, and the criminal enterprises they ally with have grown increasingly sophisticated, just like the technologies they exploit. For example, advanced phishing kits trade online for between $2 and $10 and require little technological savvy to operate, the Symantec report noted.

Huge losses reported

The FBI keeps track of such fraud through the Internet Crime Complaint Center, which it operates. The bureau recently revealed that U.S. businesses lost more than $263 million as a result of 7,838 reported business email compromise (BEC) attacks in 2015. While they were fewer in number than other types of Internet-related fraud, financial losses from BEC attacks dwarfed the total of all other reported Internet crimes combined, according to the FBI.

For example, the FBI said it fielded nearly 22,000 complaints involving identity fraud that triggered $57 million in losses in 2015. Reported Internet-related credit card fraud losses totaled $41 million that year, and corporate data breach losses amounted to about $39 million, according to the FBI's Internet Crime Report, published in May 2016.

Not included in the BEC numbers are what the FBI labels email account compromises (EAC). The FBI makes a distinction between BECs and EACs, explaining the latter targets the general public as well as financial professionals (for example, those working as lenders, realtors and lawyers). The FBI said it fielded 281 complaints about EACs in 2015 and that losses from those fraudulent emails totaled about $11 billion. These numbers likely understate the problem, however, since they only represent losses reported to the government.

The state with the largest number of individual and corporate victims of email fraud was California (14.53 percent), the FBI reported. Florida (with 8.47 percent), Texas (7.67 percent) and New York (6.30 percent) had the next highest numbers of victims.

The United States also stands out among other countries, as it was home to over 80 percent of Internet crime victims worldwide in 2015, according to the FBI. Just 2.47 percent of Internet crime victims worldwide were in the United Kingdom, which ranked second among countries with the most victims of Internet crime; Nigeria (with 2.2 percent), China with (1.91 percent) and India (1.46 percent) round out the top-five list, the FBI said.

BEC scams loom large

The FBI reported that BEC scams began to surface in 2013 and are an offshoot of traditional phishing attacks; however, these scams target finance staffers and others with access to company purse strings. The scammers go to great lengths to engender trust and legitimacy – sometimes posing as top company officers – complete with realistic looking spoof email headers, signatures and other details.

The goal: to trick victims into transferring large sums of money as part of a new (bogus) acquisition or supplier relationship. The FBI said BEC scams have resulted in fraudulent transfers flowing to bank accounts in many countries, "with a large majority travelling through Asia."

In the threat report cited above, Symantec stated, "The social engineering involved in these phishing attacks is more sophisticated and targeted. They not only send generic scams to large numbers of people, but seek to develop ongoing relationships, validate access to company information and build trust." This requires research and reconnaissance, reviewing social media profiles and the online activities of targeted individuals in order to learn about their jobs, co-workers and the organizational structure.

Any business would err to think today's sophisticated security technologies and controls will shield them from phishing attacks, as long as they "rely on the capability of its employees to detect advanced and targeted phishing campaigns," Symantec said.

Mia Papanicolaou, Chief Operating Officer at Striata Inc., agreed. Striata is a technology company that specializes in software and document security solutions. Papanicolaou described email as "a powerful channel" and also an "enabler" of bank account takeovers. "You can invest in the best technologies, but if you're not educating [staff and customers], you're going to have massive problems," she said in a recent interview.

Papanicolaou recommended "regular audits across the board" to ensure all staff and customers understand and can foil email-related threats before they become losses. Also, emailed documents should be encrypted and password protected. "This is of paramount importance," she said.

SIDE NOTE: Protective measures against cyber-scammers

Following are steps, gleaned from several sources, that businesses and individuals can take to protect against Internet scams, particularly BECs:

  • Install and maintain basic security protections, including firewalls, anti-virus software and email filters, and regularly check that web browsers and software employ the latest patches and updates.
  • Restrict use of company computers for personal purposes.
  • Verify any changes in payment instructions from vendors. This should entail maintaining hard-copy files of the names of contacts at vendor organizations who have authority to approve or conduct payments.
  • Limit the number of employees who have authority to approve or conduct wire transfers and other payments.
  • Use out-of-band authentication to verify transaction requests that appear to be from company executives.
  • Train employees to be suspicious of urgent or secretive requests, even those coming from seemingly known individuals.
  • Require dual approvals, especially for wire transfers, new trading partners, transactions involving new account numbers for existing trading partners, and funds that are destined for countries outside normal trading patterns.

end of article

Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at patti@greensheet.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing