Who Sent That Email?

Jeri owned a small rapidly growing manufacturing firm in the Midwest.  She had recently landed a contract to supply a major retailer with a newly developed product.  Production was beginning to ramp up, materials were being sourced and sub-contractors were being brought onboard.  Everything seemed to be working like a well-oiled machine until Jeri’s controller, Scott, stopped by the office.  Scott had been with the company for several years making a number of improvements in financial operations and reporting.  One of those had been greater use of electronic bill payment rather than using paper checks.  “Jeri,” he said, “I think we have a problem.”

Scott explained to Jeri that he had initiated a payment to a major supplier about 2 weeks ago.  Two days ago, the supplier had asked why they had not yet been paid.  Scott emailed the supplier a copy of the wire transfer confirmation.  Yesterday, the supplier’s CFO called Scott and pointed out that the payment had gone to a different company and account, not the supplier’s usual account.  Scott immediately contacted the bank to explain the issue and ask that the funds be returned.  Unfortunately the funds had already been wired out of the account and could not be recovered.

As Jeri and Scott investigated he recalled an email he received a few weeks ago from the supplier asking Scott to change the usual disbursement instructions to accommodate a redesign in the suppliers accounting system.  The email had been from the supplier’s controller and was identical in tone and voice as dozens Scott had received in the past.  Unfortunately, this time Scott, and the company, were victims of BEC, Business Email Compromise.

In BEC senior officers of a company or nonprofit organizations (including schools and churches) are specifically targeted.  The criminals set out to learn everything they can about those in a company who control its funds.  Their goal is to trick company officials into wiring funds to someone they trust and who they have done business with in the past.  However, this time the funds go to accounts controlled by the criminals.

Carrying out a successful BEC is difficult.  The first step is to gain access into the company’s computer network.  The criminals use malware such as viruses and Trojan horses as well as identity theft and other techniques until they get access to the network.  Once inside they will study how the company transfers funds, who the usual suppliers are and how communications between the company and suppliers takes place.   The criminals also learn how senior officers communicate with each other over email and messenger systems.  The schedules of company officers are also documented.

Once enough intelligence has been gathered the criminals pull the trigger.  In larger organizations an email purportedly from the CEO may be sent to a lower level finance employee instructing him or her to send a large dollar wire immediately to a certain supplier with exact sending instructions.  The email looks and sounds exactly like others from the CEO in the past.  Coincidentally the senior finance person may be travelling on that day and is not available.   The finance employee sends the wire as instructed.  In this case the email was not from the CEO and the recipient is not the supplier.  The instructions end up sending the funds into an account controlled by the criminals.  By the time someone in the company realizes that the funds were wired in error the criminals have already moved them out of the account and probably overseas.

There are some other techniques the scammers use to create the same outcome…fooling someone in the company into sending company (or employee funds) to the wrong account.  So what can you do?  First, contact the bank immediately and provide them the information so the account can be frozen.  Contact the FBI and the Internet Crime Complaint Center (www.ic3.gov) to report the theft.  These may or may not result in stopping the criminals.  However, prevention is always my preference.

Remember this equation:

P > I + FL + LR
Prevention is greater (better) than Investigation + Financial Losses + Lost Reputation

Some other preventative actions include:

  • Require a face to face or telephone confirmation with the CEO or CFO whenever a wire for more than a certain amount is being requested
  • Use your IT resources to set up email standards that flag emails originating from outside the company or where the “reply to:” address is different than the “from:” address

In crime as in war there is always a conflict between offense and defense. Do not let your defense fall behind.

If your company has been a victim of fraud let me know if you are willing to discuss it with me.  It would be helpful to other entrepreneurs to hear about real life examples of fraud, loss and recovery.

Close-up of Text

Let me know what you think………

Leave a reply:

Your email address will not be published.

Site Footer

Sliding Sidebar


Sign up here for timely news about fraud prevention.