Cyber Alert: Business Email Compromise Schemes Increasing


We’ve all heard the sad story: A transaction is about to close. The buyer is preparing to wire funds to the seller. Unbeknownst to the buyer, a hacker has hijacked the parties’ email communications to replace the wiring instructions with phony instructions to send the wire to the hacker’s bank account. The buyer wires the funds to the hacker. The buyer’s elation at closing the acquisition turns to panic when the seller reports a day later that it never received the wire.

According to the FBI’s Internet Crime Compliance Center (IC3), this scheme is known as “business email compromise,” and it’s on the rise. In its Internet Crime Report 2020, the FBI reports that it received 19,369 business email compromise/email account compromise complaints in 2020. The amount lost to hackers: $1.8 billion. The FBI IC3 Recovery Asset Team has succeeded in recouping some of these losses (see id. at 11), but even when funds are recovered, the victims still suffer embarrassment, costs, and management distraction.

So, how do you avoid these schemes? The FBI reports that hallmarks include spoofed emails from counterparties and spoofed emails from the lawyers on the transaction. Other indicators include twisted domain names that change just one or two letters of the parties’ or counsel’s email domains and banks that are located in foreign countries or that differ from institutions previously discussed between the parties.

Deal closings aren’t the only transactions where you may see these hallmarks. The FBI reports that hackers use these same tactics to hijack payroll funds by spoofing emails from employees to ask for changes to direct deposits.

What is your best defense?

Here are four essential steps to avoid business email compromise:

  1. Assume that unencrypted emails are unsecure. These are 99.9% of the emails you deal with.
  2. Don’t use email to communicate financial account information or wire instructions. Call the other party to communicate the instructions. Separate wiring instructions from details about the amounts to be wired or descriptions of the transaction.
  3. Never redirect a wire to a new bank without verifying the change in a phone call with the intended recipient. Call only a trusted phone number for the other party (not a phone number listed in an email, which may be compromised).
  4. Take extra care to verify recipient and sender email addresses and domain names. Email spoofs and domain name twists are subtle and can easily be missed, especially on mobile devices that don’t always show the full email address.

What do you do if your funds get hijacked?

As soon as you recognize the transfer is compromised, the FBI advises:

  • Contact your IT Department and cybersecurity insurer immediately to report the incident.
  • Contact the originating bank to request a recall or reversal and a Hold Harmless Letter or Letter of Indemnity.
  • File a detailed business email compromise complaint with the IC3. Make sure to complete all fields in the complaint form.

Outside counsel is also a resource for preventing fraud and recovering from it. Porter Hedges has assisted clients in reviewing their practices surrounding wire transfers and helped clients recover funds from wire transfer frauds. We have also assisted clients in reviewing cyber insurance coverage and in making successful claims for cyber fraud losses under insurance policies. Please contact us to schedule a review of your policies and insurance coverage.

Finally, to keep updated on business email compromise trends and other cyber fraud schemes, visit the IC3’s industry alerts and public service announcements and the FBI’s Scams and Safety alerts. Awareness and vigilance are the first lines of defense.

