How Business Email Compromise (BEC) Fraudsters are Targeting Your Town
Has your town recently announced a new development project? That’s great news, but there are people looking to take advantage of your town and put their hands on the funds your town set aside for the new project.
A Business email compromise (BEC) /E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments. The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
In the 2018 Internet Crime Report by the Federal Bureau of Investigation (FBI), the agency stated that in 2018 alone, the Bureau received 20,373 BEC/email account compromise (EAC) complaints, racking up a total of over US$1.2 billion in adjusted losses.
And while BEC scams are not new, Matrix-IFS anti-fraud experts recently discovered a new Pattern of BEC scam you should be aware off.
In this scam, the BEC operators are looking to reroute funds from local towns to their construction Vendors by spoofing Vendor’s email and requesting to change bank account information.
The BEC scam consists of four stages:
1. Research
It’s a common thing for a lot of town to post online (On the City’s official web page) the Agenda and a summary of actions proposed and to be taken by the City Council. In this stage the BEC operators are looking for towns who are opening a bid for a construction project.
Ones one they found a potential target (town), the BEC operators will follow on any development regarding the dibs for the construction project. They’re especially interested in the Tabulation of Bids as those charts show which construction companies made an offer to the town and what are the budgets they’re requesting.
The BEC operators are waiting for the town announce the winning bid (usually the lowest one and the closest one to Engineer’s Estimate) before moving to the next stage.
2. Social Engineering and Email Take Over
One the winning bid is announced, the BEC operators knows:
- The name of the construction company.
- The budget the town has for the project.
- The estimated start date of the project.
In many cases, The Construction Company can be a small-medium “family owned” business, without a sophisticated security solutions and employee’s awareness to BEC scams.
The BEC operators will look for an employee from the accounting department and will try to spoof their email through keyloggers or phishing attack. Ones the access to the email is granted The BEC operators will move to the next stage.
3. The Request of Payment
Using the hacked email address, the BEC operators will send an email to the town with a request to change bank account information, providing a fraudulent mule bank account they just opened. Those requests are frequently sent with electronic invoices that contain correct information regarding the project, making the email appear credible to the recipient.
4. Wiring Out the Funds
Once the money hits the fraudulent mule bank account (usually as a wire/ ACH credit), the BEC operators will seek to wire the money out as soon as possible before the town, the construction company, or the financial institution send the funds.
Business e-mail compromise attacks are successful for two main reasons:
1. Insufficient security
2. Lack of employee awareness
Addressing both factors is the best practice against business email compromise scam.
Author: Alex Faivusovich
Sr. Business Analyst - Matrix-IFS
