Case Study: University Suffers Business Email Compromise Fraud - Escapes Loss of Almost $1 Million
Fraudulent emails with updated bank account information may or may not include an attached invoice. In some cases, such as this one, fraud perpetrators send new account details, then simply wait for the vendors to submit real invoices to their clients.
A university was undergoing major construction work and were prepared to process large invoices on a regular basis throughout the duration of the project.
During the ongoing construction, the university’s payables department received an email they believed to be from one of its vendors — a construction contractor and Fifth Third Bank client. The message provided updated financial institution and bank account information, and requested that the university send future payments to the new account. Several days later, the university received an invoice they believed to be from the same contractor, for close to a million dollars.
The university paid the invoice, in full, via a wire transfer. Several days after the payment was made, the contractor reached out to the university to inquire about the payment status. University team members quickly realized they’d sent the money to somewhere it didn’t belong; they had been scammed.
As soon as they discovered the mistake, the university reported the Business Email Compromise (BEC) theft to Fifth Third Bank, and our team quickly escalated the issue to the Fraud in Progress department. Luckily, Fifth Third Bank was able to recover nearly all of the funds. Unfortunately, this isn’t always the outcome.
What really happened?
In keeping with common practice, many of the major contractors on the university’s construction project, including our client, prominently displayed their corporate brand banners at the job site, so passersby would know about their involvement.
Determined thieves watched work being completed and found a way to replicate the design of the contractor’s corporate emails, then created fake email accounts using appropriate contact names. The only difference: a minor, intentional misspelling in the sender’s email address – since the perpetrators were sending messages from an external system. Unfortunately, that variation went unnoticed by the university and employees processed payment.
The perpetrators used the fake address to send alternate payment instructions then waited for the actual contractor to send a legitimate invoice. They even called the university to confirm that the alternate payment instructions had been received. To university employees, nothing seemed unusual until they learned the contractor hadn’t received payment.
NOTE: Fraudulent emails with updated bank account information may or may not include an attached invoice. In some cases, such as this one, fraud perpetrators send new account details, then simply wait for the vendors to submit real invoices to their clients.
Lessons Learned: Minimizing Risk
Anyone in any business or organization of any size can experience this type of fraud. Thieves are sophisticated, and will go to extensive lengths to find businesses to prey on. In this case, they did due diligence to see that the university was in fact undergoing improvements, before targeting them for a significant amount of money.
FACT: Fraud perpetrators can learn who your construction vendors are through news articles, word of mouth, and even driving around to look for branded banners at construction sites. And because they can see the work going on, they have a good idea of when you’ll be expecting an invoice for a particular phase of work — from concrete pouring to electrical.
How you can improve on this process:
- Authenticate: If a vendor tells you via email that they have new bank account information, always follow up with a phone call to a known and trusted contact at the company, to verify that information. Treat every invoice as a unique situation and research even the most ordinary-looking invoicing occurrences. Keep a close eye on emails. Are the names of both the vendor company and its representative spelled correctly? Is there any variation as compared to their usual messages? If so, give them a quick call. Since your bank can only act on your direct instructions, it is your obligation to implement internal checks and balances to help avoid these types of fraud.
- Establish an amount that is an acceptable risk to your business. For some, that may be $1,000. For others, it may be $20,000. Create a process where, for any invoice over that amount, your payables team will make a phone call to a known and trusted contact at a vendor’s company, to authenticate the invoice and ensure invoice accuracy. And make sure these calls are made before a payment is ordered.
- Establish dual control over payment processing, so that one person in your company requests a payment, and another verifies and processes it.
To learn more, contact your Fifth Third Bank Relationship Manager or contact Fifth Third Bank at 1-866-475-0729.
“This is one of the most common types of fraud we see,” says Brendan Smith, Manager, Commercial Fraud Risk. “Thieves are taking advantage of normal business practices that occur often and people don’t think twice about. Individuals at all levels of business operations, and in all types of organizations, can easily fall prey to this sophisticated effort.”