Case Study: Apartment Owners Wire Over $1 Million to Hackers in Business Email Compromise (BEC) Fraud



Their Story

On October 17, 2016, Fifth Third Bank customer ABC Apartments received an email from one of its vendors which had recently performed some work at one of ABC’s properties. The message provided new bank account information, and requested that ABC route any new payments to the vendor’s new bank. The vendor also included an invoice for its latest work to date. 

ABC’s accounts payable team proceeded with its usual payment process, and scheduled a wire transfer of more than $1,000,000 to cover the invoice. Because of the large amount involved, a Fifth Third Bank employee noticed the payment, and called ABC to verify that their team had ordered the transfer. ABC confirmed that it had.

Two days later — on October 19 –  an ABC employee called the vendor to ensure that the wired payment had been received. The vendor’s response came as a shock: They had no evidence of the wire payment being received, and they had definitely not set up new bank accounts. ABC Apartments had been conned with business email compromise.

Taking Action

As soon as they discovered the fraud, ABC immediately reported it to its Fifth Third Bank Relationship Manager, who quickly escalated the issue to the Fraud in Progress department. Luckily in this case, the Fifth Third Bank team made a full recovery of the funds on October 25, just a few days after the fraud occurred.

What really happened?

Neither ABC Apartments nor its vendor was aware of what was going on behind the scenes. In reality, the vendor’s email system had been hacked. The hackers had sent an email through the vendor’s address, and funds were ultimately sent to a fraudulent account.

NOTE: Fraudulent emails with updated bank account information don’t always include an attached invoice. In some cases, fraud perpetrators send new account details, then simply wait for the vendors to submit real invoices to their clients. 

Lessons Learned: Minimizing Risk

It’s hard to fault anyone in this situation. For most companies and their employees, this story represents business as usual. Email is, quite simply, the most efficient way to conduct billing. And many businesses like ABC use wire transfers for their payments — which is why this type of fraud is one of the most commonly seen today. However, since your bank can only act on your direct instructions, know that it is your obligation to implement internal checks and balances to help avoid these types of fraud.

FACT: According to Ellen Oliveto, an FBI analyst assigned to the IC3, “The average loss to Business Email Compromise victims is $130,000.”

How you can create a better process:

  1. If a vendor tells you via email that they have new bank account information, always follow up with a phone call to a known and trusted contact at the company, to verify that information. 
  2. Establish an amount that is an acceptable risk to your business. For some, that may be $1,000. For others, it may be $20,000. Create a process where, for any invoice over that amount, your payables team will make a phone call to a known and trusted contact at a vendor’s company, to authenticate and ensure invoice accuracy. And make sure these calls are made before a payment is ordered.
  3. Establish dual control over payment processing, so that one person in your company requests a payment, and another verifies and processes it.
  4. Protect your computers from malicious programs by using anti-virus and anti-spyware software, as well as a firewall. Keep these programs up to date. If your company has one or more Internet sites, it is recommended that you incorporate intrusion detection and vulnerability management.
  5. Proxy your internet traffic to limit user access to malicious sites and to potentially block malicious software from communicating with a Trojan controller should malware make its way onto one of your company’s computers.
  6. Install browser protection software that automatically protects websites when user signs in and exchanges sensitive information, such as financial information or sensitive data. Several banks offer this software free of charge.
     

“Had this error gone unnoticed for a longer period of time, the outcome might not have been so good,” says Brendan Smith, Manager, Commercial Fraud Risk at Fifth Third Bank. “Hackers rarely leave funds sitting in an account even for two days, as they did in ABC’s case. If the money had been spent or delivered overseas as soon as it was stolen, our chances of recovering it would not have been very good. And these cases are doubly hard on those being conned, because the error is a simple hack, followed by several people dutifully carrying out the jobs they do every day. Since it’s not the result of any faulty technology on either of the affected banks’ parts, the loss from this type of fraud is permanent. Which is partly why it’s such a popular way for hackers to steal."