"This Threat Appears to Be Growing": A Discussion of Business Email Compromise


Tom Heintjes: Welcome to another episode of the Economy Matters podcast. I'm Tom Heintjes, managing editor of Economy Matters magazine, and today we're visiting with Doug King. Doug is a payments risk expert in the Atlanta Fed's Retail Payments Risk Forum, and he also writes for Take On Payments, the forum's blog about the payment system in general. He recently wrote about business email and how it can be compromised, and since we all use business email it struck me as a great conversation to have for the podcast. So, Doug: thanks for being with us today to talk about your work.

Doug King: It's great to be here today.

Douglas A. King, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed, during the recording of a podcast episode.

Photo: David Fine

Heintjes: So Doug, let's start off by talking about how big a problem business email compromise is. Do you have any statistics that might grab our attention?

King: So it's great to be here to discuss a topic that very much warrants deep discussion, as it is a big and growing problem. And Tom, I do have some statistics around business email compromise—

Heintjes: All right, let's hear them!

King: And unfortunately, they are attention grabbing: according to the FBI, from October 2013 to May of 2018—so we're looking at an around four-and-a-half-year period—business email compromise, various strains of business email compromise, resulted in losses exceeding $12 billion.

Heintjes: Oh, wow!

King: In a recently released internet crimes complaint report from the FBI, 2018 losses alone were over $1.2 billion—and these are reported losses, so keep in mind oftentimes these figures are underreported, as businesses or organizations fear going public with their loss, or reaching out to law enforcement, because of embarrassment. Unfortunately, this threat appears to be growing and not going away any time soon. One recent report I read stated that business email compromise attacks increased by nearly 500 percent year over year between the fourth quarter of 2017 and the fourth quarter of 2018. All in all, in 2018 we saw the average loss due to business email compromise scams at over $64,000.

Heintjes: That was the average.

King: The average, for each incident.

Heintjes: That's astonishing. I mentioned earlier that you work in the Atlanta Fed's Retail Payments Risk Forum. Before we get more deeply into this topic, can you just take a moment to give us a little framework to discuss what you do in the forum and how business email compromise fits into that overall mission—and, I guess in general, why is this something the Fed pays such attention to?

King: So my responsibility, as a payments risk expert here at the Atlanta Fed's Retail Payments Risk Forum, is to research risks associated with existing and emerging payments, in light of a rapidly changing payments environment—and then educating the payment industry participants on these risks and ways to mitigate them. And business email compromise, based on the statistics I just shared with you, is really top of mind for me as I think about fraud and risk in payments today. I've had countless conversations with banking and real estate professionals about the need to educate on this type of fraud.

Heintjes: I imagine it's easy to get their attention right now.

King: Absolutely. But while there are a lot of educational materials out there—most notably from federal law enforcement agencies, such as the FBI and the Secret Service—I'm really not sure that it's reaching the Risk Forum's primary audience of payment professionals with financial institutions and corporations. And then I feel quite certain it's not trickling its way down to employees of these institutions, or the general population at large.

Heintjes: Why do you feel it's not?

King: I don't feel the general public is looking to the FBI or to the Secret Service for these educational materials. Again, they're putting out great works—but I think ultimately, responsibility lies with the businesses, with financial institutions, with organizations such as ourselves, to get that message out. Education is critical to fraud prevention, and there really is no single entity responsible for that education, and business email compromise fits right into that, with other types of fraud.

Heintjes: Right, we'll touch on that more in just one second, so hold that thought in mind. But let me ask you about…you talked about businesses—of course, all businesses have employees. Are there types of employees who are likelier targets of this sort of compromise? Are people higher up, with more spending authority, the more attractive targets? Who is the low hanging fruit, in this situation?

King: You touch on a pretty fascinating question, as I think we'll probably get into today, but no doubt if you had asked me that three or four years ago, it would absolutely be C-level executives—and when I say, "C-level executives," mainly the CEO and CFO—and their email accounts were really the primary targets. But unfortunately, we've seen changes to that.

Heintjes: Can you describe them?

King: Certainly. So with business email compromise, for the fraudsters—based on the statistics I shared with you—the targets have grown significantly beyond the CEO and the CFO, or C-level executives. Now finance and treasury individuals are being compromised, and human resources employees with access to W-2 information are primary targets. The scheme has even extended beyond what we would consider businesses, per se, and now includes other industries, with real estate attorneys being a huge target. And then the scheme has even trickled down to the individual level—hence why some are now calling this type of fraud "email account compromise," because it is no longer limited strictly to businesses. And in fact, my father-in-law was a victim of email compromise, and I was on the receiving end of an email requesting iTunes gift cards for an immediate need. Being well aware of the scheme, I luckily didn't fall for it and notified my father-in-law immediately to let him know what was going on.

Heintjes: So it's not only those in the C-suite anymore who need to be mindful of this type of fraud. Doug, I want to get down into the weeds a little bit with you—how does a business email compromise scheme work? Is there a general pattern or approach that defines the compromise scheme—or is it misleading to even talk about a "scheme," when there might be multiple types of schemes?

King: So I'll try to stay somewhat out of the weeds. [laughs]

Heintjes: Thank you.

King: There are multiple schemes, Tom, but I would say there's a pretty general approach overall, and it can be summed up with four parts: identify the target—who do the fraudsters want to compromise? Gain access to systems, gain access to emails. Once in those emails, or into the systems of the businesses, conduct surveillance of employee actions, company procedures, company policies. And then finally, execute the email scam, steal the funds, and retreat. So this can be a really long process, and I've heard stories of fraudsters being in systems for months before actually executing the ultimate business email compromise scheme, with the fraudulent dollars leaving that organization.

Heintjes: So they're sort of lurking within the system, without having been discovered yet?

King: Absolutely. And how do they do that? Really, those first two steps—identifying the target and then gaining access so they can lurk within the system—rely on social engineering, and by this I mean they will prey on a human's emotional weakness to earn the trust of a victim, or of a confidant of that victim, to ultimately gain information or access.

Heintjes: So it's sort of a form of what we used to call "affinity fraud"?

King: Sort of, yes. For example, they might identify that an assistant to a CEO is a dog owner, and spends a lot of time volunteering with rescue organizations—and when I say "they might identify," I'm talking about the fraudster here. So the fraudsters might approach this assistant, seeking sensitive information about the company or CEO, and when that assistant is generally unwilling to share that information, the fraudster then explains a story about losing their beloved adopted dog recently, preying on that emotional aspect of the assistant who they know has an affinity for dogs and taking care of these dogs. So just that one slip-up and that emotional plea can lead that assistant to saying, "You know what? I'm going to help this person out. Maybe I wouldn't generally, but this one time I will help them out." And unfortunately all it takes is that one time, to share a little information or to provide something that doesn't need to be disclosed. I should point out, too, that we've talked about the surveillance perspective as being digital—this is "email compromise." But from a surveillance aspect, it's not always digital. It can also take place in the physical realm. There have been instances where fraudsters have used phones to gain access or learn about sensitive information, and there have even been cases where they physically made their way into the actual buildings of some of these target companies they're after.

Heintjes: Yes. You know, even here at the Atlanta Fed I've gotten calls from people trying to sell me toner cartridges and things like that, and when I ask them who they're with, they hang up on me—they don't want to go into any detail at all. But, yes—I've gotten those calls, too. You know, Doug, ever since email came on the scene it seems like bad actors have been trying to find ways to exploit it. Over time, how have those tactics changed? You've sort of touched on that a bit, but I want to drill down more deeply into that. Are there recent wrinkles they have adopted to try to compromise our accounts, our information, things like that?

King: So yes, we have touched on some of that, but I'll elaborate a little and just say that fraudsters are compromising, or impersonating, employees at lower levels than C-suite now, which I touched on. But they're also moving their attacks to vendors of companies. So rather than going after the CEO or the CFO per se, maybe they learn of a vendor that that company is dealing with while they have been perusing around that company, and they then think, "Well, it could be easier to go after the vendor, because their security controls in place aren't perhaps as stringent as this company we're looking at." So they'll impersonate the vendor in hopes of fraudulently stealing funds from that company.

And as I mentioned earlier, it's really taken off in the real estate space with closing attorneys and title professionals. Looking at the real estate example—I'll go ahead and share it with you—fraudsters spoof, or compromise, a closing attorney's email prior to the actual real estate closing, and then they'll send out a message to the buyer that the funds for the closing should be wired to a different account from the one they had originally been told. The client and their agent show up for the closing, only to find out that the funds were wired but they were never received. It's then that they realize, at the last minute, that the change to the wire instructions was fraudulent. And I know I, fortunately, have never been in that space, and hopefully you never have been. But I can only imagine the terror and the fear when you've wired a sum of money to purchase a home, purchase a piece of property, only to find out that it was wired to a fraudster.

Heintjes: Sure. So it's not really enough just for company "A" to be super-vigilant—any company that company does business with is a potential weakness, if they're not super-vigilant too.

King: Absolutely, and ultimately every company, every organization—anybody with email—and email, as you touched on, is not going away, we all use it in our personal lives or for work—has the potential to be a target.

Heintjes: Well, Doug, in doing some homework for our conversation today, I was reading some case studies—maybe I should call them "cautionary tales" in this case—about business email compromise, and I wonder if you could discuss the particulars of some of those case studies.

King: Yes, I would be happy to, Tom. Were there any in particular that crossed your mind, that you came across?

Heintjes: Well, you wrote about some, or in a presentation you did, and I thought they were intriguing.

King: Okay—maybe Mattel?

Heintjes: Right, Mattel.

King: Mattel really is the quintessential case, or perfect example, of a business email compromise. So what went on there is, prior to actually performing the fraudulent transfer, the fraudsters spent time mining social media and the internet for names of key individuals and ultimately trying to determine whose email account to compromise. They were able to compromise the CEO of Mattel's email, as well as spend time within Mattel's systems to understand how do transfers work, how do they transfer money between organizations. And then on April 30 of 2015, they struck, and how they struck was, they sent an email from the CEO's email account to a high-ranking finance employee requesting a $3 million payment to a new vendor in China. Now, a payment to a Chinese vendor was nothing out of the ordinary for Mattel. They've got a large presence in China and actually were growing rapidly over there. So the finance executive, upon receiving this email, didn't suspect anything wrong with the request—even though a new vendor was involved—and at Mattel, transfers require approval from two high-ranking employees. Well, the CEO serves as one of those high-ranking employees, as does this finance executive.

So again, nothing out of the ordinary there, and the finance executive completed the transfer. Well, later that day, when the finance executive and CEO see each other, she informed the CEO that the transfer he requested was made, and the CEO was kind of stunned, thinking, "What request for a transfer did I make?" And he had not made one—it was the fraudsters who had compromised his email account that had directed that transfer. But there is a bit of good news here to this story.

Heintjes: Oh, good! I like a happy ending!

King: Mattel ended up getting very lucky. I learned, as I was researching this case, that May 1 is Labor Day in China, and so banks are closed. And so with help from the FBI and Chinese law enforcement and banking officials, Mattel was able to recover the funds, because they had an extra day.

Heintjes: Okay, that is a happy ending. It's nice to have one of those now and then. Doug, you mentioned that sometimes even the biggest of tech's "big boys" can sometimes get fooled. Can you tell us what happened with Google and Facebook? I was reading some of your work researching those situations.

King: Sure. So with Google and Facebook, a fraud ring was responsible for stealing over $100 million between 2013 and 2015 through a business email compromise scheme—but this was along the lines of vendor impersonation, which I had touched on earlier. So what the fraudsters did here was, they actually incorporated a company, posing as an actual company that the two tech giants did business with. Then they used fake email addresses—so there was not an actual email compromise, it was a spoofed email address here—that looked to be legitimately from the actual vendor, to send fake invoices to treasury employees at Google and Facebook who are responsible for paying these invoices. Well, both Facebook and Google, as we could all expect, regularly conduct multimillion-dollar transactions, and they did so with this company, so that the invoices—when they appeared in these individuals' emails—didn't really appear suspicious. And ultimately, as I touched on, over $100 million ended up being paid out to the bank accounts of the imposter company.

Heintjes: So we're talking real money.

King: Real money. But, again, there are some happy endings—and this is not always the case, and I'll share another one after this. But fortunately, Google and Facebook, according to news reports, recovered almost all of the funds that were fraudulently transferred out. But I would like to stress, Tom, that the fraud scheme is not just directed at big companies. Just last month a Catholic church in Cleveland, Ohio, was hit by a similar scheme. They were having construction renovation work done, and the construction company reached out after not having been paid for two consecutive months. Well, this Catholic church was kind of dumbfounded, saying, "We've paid invoices for the last two months." But unfortunately they had been paid to fraudsters who had fraudulently sent emails to the church, saying, "Here's where payment needs to be directed now—we've had a change of bank account."

Heintjes: So there's no happy ending to the story.

King: No happy ending. It's tough for any type of business or organization to have funds stolen. Stories such as this Catholic church really tug on you, as they're struggling to complete and finish this renovation work, which they were so excited about.

Heintjes: Sure, that is a tough story. Well, we've talked about a few different types of scenarios, and I want to ask you if you see common denominators among the compromising situations—is there a thread that runs through them that we can maybe divine?

King: So there are some common threads, but as we touched on, no situation's really identical, because of that social engineering aspect. Fraudsters spend time doing reconnaissance to learn the ins and outs of each organization that they attack. So these aren't necessarily blanket attacks where the bad guys are hitting thousands of companies at once. Instead, they're often spending weeks and months to learn their target organization's policies and procedures—who their vendors are, and how they interact with them. But there are some red flags or warnings to be aware of when it comes to this fraud that are pretty common throughout these types of schemes.

Heintjes: What might they be?

King: So usually the request for funds transfer is urgent, very time-sensitive, "we need to get this out the door immediately." The request for a transfer of funds often comes from someone who claims they'll be out of contact or unavailable after making the request—which then, the person who receives that thinks, "Well, I don't really have a chance to follow up with them, so I better get this done before they get back." And then the language of the email contains errors, perhaps, or is not in the standard context normally encountered with a funds transfer. But I will say, the fraudsters are getting much better with their context and with ensuring that their writings don't contain errors—very different than maybe emails that we had gotten five and ten years ago that were fraudulent. And then oftentimes, the email will request secrecy around the funds transfer—so "don't let anybody know about this, it's a secret transfer, we don't want other people within our organization to know about it—and we definitely don't want anybody outside the organization to know about this."

Heintjes: Right. So there are a few red flags to be aware of. Well, you seem to be deliberately drawing a distinction between business email compromise and other types of email scams maybe targeting individuals. Am I inferring correctly here that there's a different type of scheme at work?

King: There are absolutely distinctions between business email compromise and other types of email scams. We all remember the advance fee scams from the Nigerian prince, claiming we were entitled to some fortune or lottery winnings if we complied by providing the emailer with some information, which usually included our banking information, or perhaps even paid them some fee up front to receive this huge lump sum that we had won or come across. And then you've had the romance scams and emails that are designed to look like they come from a reputable source and try to entice you to click a link. These are generally phishing emails sent to literally millions of email accounts, with the hopes that someone will fall for the scam. And unfortunately, there are some that fall for those scams.

Heintjes: But these don't involve the months of laying the groundwork that you've been describing.

King: Correct. So the business email compromise scams are much more targeted—really known as spear phishing, compared to phishing. So when you think of phishing, you think of casting a net, where with spear phishing, you have that spear and you're going after that individual fish.

Heintjes: Right, very precisely pointed.

King: Right, so they are ultimately more believable. If you receive an email from a CEO who is traveling, and you know he's traveling, and you know you're doing business with a company in China, that is very much more believable than a story that you get from a prince in Nigeria saying, "Hey, you've won the lottery."

Heintjes: Very much so. Well, I know that our own information security folks deliberately, and occasionally, send out bogus emails to see how we employees deal with them—whether we try to open them, whether we report them as bogus attempts, click on links, etc. Is this sort of testing of our own workforce something companies are increasingly doing to raise awareness and raise consciousness?

King: I don't have actual numbers, unfortunately, to share, but I really do think this type of testing, or drills, is becoming more common with companies and organizations. But testing really is only the beginning. For companies or organizations that engage in this type of activity, it is important to have procedures and policy in place to respond to those employees that fail the test, per se. Testing is only one piece, but providing that additional education to hopefully ensure that it doesn't happen again is vital to the effort. Oftentimes, additional training is required for failure, but I've even seen cases where, if there have been repeated failures from this type of testing or drill, more drastic actions have been taken—all the way up to employee termination, after a certain number of failed attempts. As we touched on, there are serious consequences—and serious dollars—at stake here.

Heintjes: Sure. Well, let's consider a hypothetical, unfortunate, scenario. Say two seconds after you hit "send" or click a link, you realize you've been had. What then? What course of action is recommended?

King: And let's hope we're never in that spot, right?

Heintjes: Yes, absolutely.

King: But the first thing to do is to contact the originating financial institution—so that is the victim's, or whoever sent that email, their financial institution—and alert them that you recognize that you've sent a fraudulent transfer.

Heintjes: Sort of come clean.

King: Right. Request a recall or reversal, which is not always possible to do once a wire is out the door, as well as a "hold harmless" letter, or a letter of indemnity. From there, it really depends on where the money went and what the payment instrument used was. But for most of these business email compromise schemes, wire is the primary payment mechanism. And for wire, it depends on if you sent it domestically or internationally. And so for international transactions, there's something the FBI created called the Financial Fraud Kill Chain. To initiate this kill chain, the wire, as I said, must be international, and it must be for an amount greater than $50,000—which, for business email compromise scams, is generally the case. So the sender must initiate a SWIFT recall notice and contact the FBI within 72 hours of sending the wire. The sender also should contact the receiving FI as soon as possible, to identify the receiving account and attempt to place a hold on those funds.

Heintjes: So what you're describing is separate from the Financial Crimes Enforcement Network, or FinCEN, that we hear a lot about?

King: FinCEN is a part of this Financial Fraud Kill Chain initiative, as are other global organizations such as FinCEN. Now bringing it back home, to domestic transactions, the FBI has established the Internet Crime Complaint Center's Recovery Asset Team—and again, we have some good news to share here, because in 2018 they had a 75 percent success rate of recovering funds from reported fraudulent transfers.

Heintjes: That's pretty impressive.

King: It is, and so what the steps are there, is the victim needs to file a complaint with the Internet Complaint Center, and the form that they use needs to be filled out completely. From there, an analyst with the FBI works with the two financial institutions involved—the receiving and the sending institution—and the actual sender to recover the funds. But then once you get beyond the financial recovery piece, it's also important for corporate security teams to begin to identify where did this intrusion occur? If it was a true email compromise, you need to isolate that email, get that email under control, and ensure that the fraudster no longer has control of that email. Time is of the essence in all of this—and really, when it comes to the funds recovery. So as you touched on, the first thing when that two minutes—when you receive that, and think, "Oh, no," the first thing to do is start that recovery process to recover those funds.

Heintjes: Yes, acknowledge that you goofed up and deal with it.

King: Absolutely, and that's not always the easiest thing to do.

Heintjes: Yes, very much so. Well, we're nearing the end of our time together, Doug, but I wanted to ask you…if you were going to give me—and I think I know what you're going to say, but I'll ask anyway—if you were going to give me your elevator pitch for how to avoid falling for these business email compromise scams, what would you tell me?

King: So from a technical side, first—which, this would be more for the IT department…

Heintjes: Now, remember—this is an elevator pitch! [laughs]

King: Right. So rules need to be created that flag emails received from any outside domain. Something as simple as stating that "this is an external email"—this helps with the spoofed email addresses, but if an email account is actually compromised it won't help at all. But then from a "funds transfers" perspective, I think you need to authenticate all financial transactions through the use of dual-factor authentication methods. So when you receive that email, perhaps respond to that email, say, "got it," but then pick up the phone and actually call that person to say, "Did this request come from you?" Any changes that are received for any bank account information, directing funds be wired to a new bank account—confirm those changes in payment. Again, an email might not be the best source because it could be compromised or spoofed, so pick up the phone. If you're in the same building as the person, go to the office and say, "Did you make this change?" And then finally, we touched on conducting tests and drills. It's a great way to educate employees to better understand and better protect the company from this type of fraud.

Heintjes: Yes, I am increasingly a big fan of dual-factor authentication, so I appreciate your touching on that. I think that's a great advance.

King: And it can create some friction, obviously, because it's not just as easy as "I received the email, I'm going to send out this…" But when you're dealing with big dollar losses, I think it's very important to have policies in place that say, "We need to use dual factor authentication, above some certain financial/dollar threshold."

Heintjes: Sure, that bit of friction is well worth it.

King: Absolutely.

Heintjes: Well, Doug, you've given us—you've given me, and us—a lot to think about, and I'll remember this conversation when I sit down, and go upstairs and go through my inbox [laughs]. And I want to thank you for being on the podcast, and sharing all this important information.

King: It has been my pleasure to join you today. As I said, education is critical and it's always great to get this message out.

Heintjes: And I will further note that we'll have a link to your blog post about business email compromise so people can read more on this topic and take a deeper dive into what we've been talking about today.

King: Excellent.

Heintjes: And that's it for this episode of the Economy Matters podcast. As I always am, I'm Tom Heintjes, managing editor of the Atlanta Fed's Economy Matters. I hope you'll join us next month when I'll sit down with Melinda Pitts, an economist here at the Atlanta Fed, and a regular guest on the podcast. We'll be discussing some brand new research by her into the impact of driver's license restrictions on young people and their participation in the labor market. I hope you'll be here for it, and until then, thanks for spending some time with us.