A constant barrage of payment diversion fraud is hitting companies in Germany and around the world. The criminals’ modus operandi is to manipulate e-mail communication between companies so that Company A wires funds intended for Company B erroneously to a bank account controlled by fraudsters.
Currently, the perpetrators often pose as an existing supplier; in previous years they pretended to be an internal company officer, such as a CEO, CFO or other executive. These fraud schemes, collectively known as Business E-Mail Compromise (BEC), have become a veritable epidemic and are causing tens of billions of Euros in damages every year worldwide.
Below are the Top 5 errors companies make when dealing with BEC, followed by our Top 5 Tips for handling such an incident.
Background – Why is this happening? (You can skip this paragraph if you already know.)
Business E-Mail Compromise is a relatively risk-free crime, and the payouts can be enormous. It’s low risk because the perpetrators can easily hide in foreign countries behind layers of anonymous servers bought with untraceable cryptocurrency. The payouts vary from several thousand Euros to tens of millions of Euros per individual case. Many of the victims never go public to avoid the negative publicity, so they deal with it quietly.
The current surge in home office use is not exactly helping to prevent fraud either. With almost all communication being digital now rather than personal, some anti-fraud controls, like the dual control principle, are under pressure: It is no doubt easier to undermine dual controls when company workers are more physically isolated than ever before. Sure, they can pick up the phone or write an e-mail to consult co-workers about a message that seems “off” somehow—but do they, every time?
As for the criminals behind this scheme, they are mostly not even cyber-criminals, i.e. hackers. Why? Because their approach is simply a type of social engineering: they manipulate people into doing something against their own interests, a modus operandi that requires no IT skills whatsoever.
Business E-Mail Compromise is therefore not an IT security issue that corporate IT departments must solve. Instead, it is a fraud prevention issue, which is a responsibility of general managers, compliance/legal or internal audit departments.
TOP 5 ERRORS AND TIPS when dealing with compromised e-mails and payment diversions:
Error #1: “Our house bank will be able to get the wired funds back.” Often, it cannot, unless the wire transfer was made no more than 3 days ago. After that, the bank can no longer recall the funds. Discovering this type of fraud, however, usually takes longer than that. Go ahead and ask your bank to recall the money, but do not wait until you hear back from them before taking additional action.
Error #2: “The police/prosecutor’s office can help us.” Most of the time, they cannot, because the money transfer typically crosses international borders and such cooperation only happens in major investigation cases. Even the police in the receiving country will at first only take down your criminal complaint and file it until, weeks or months later, they begin investigating it, if at all. By that time, the perpetrators have usually cleaned out the bank accounts and the money is gone.
Error #3: “A few hours do not matter.” Yes, they do. The quicker your organization responds to the fraud, the more likely it is that the funds are still sitting in the perpetrators’ bank account. Losing time through inaction can be extremely counter-productive. Please do not spend any time investigating the case “internally” before taking further action. When you suspect that there was a payment diversion, it is crucial to contact the receiving bank immediately (see Tips #1-5 below). To recap: First, sound the alarm. Then investigate internally.
Error #4: “Our standard procedures should have protected us from falling for this fraud.” Internal employees occasionally override established procedures, sometimes for understandable reasons, to make a wire transfer go through. In other cases, the procedures themselves were poorly designed and could not realistically provide any meaningful protection.
Error #5: “The financial damage is regrettable, but we must go back to business as usual.” Sure, that is an option—but a bad one. This kind of fraud can happen again anytime unless you make a concrete plan for securing financial transactions.
What do we do when a payment has been diverted?
Tip #1: Act immediately. As soon as you suspect that a payment was made to a fraudster, you should contact the receiving bank – even if the case has not yet been fully investigated internally. Either an internal employee or a professional security contractor who is experienced in these matters should contact the foreign bank. The best points of contact at the receiving bank are the Anti-Money Laundering Officer or the Fraud Investigation Department, depending on who is easier to reach.
Tip #2: Don’t give up. Contacting the right departments can be difficult with some banks because their contact details are not necessarily listed on their website. Making phone enquiries to get to the right person can be cumbersome because of language barriers and foreign accents. But keep at it! Once you have the right e-mail addresses and phone numbers, use all of them simultaneously to save time. Inform the receiving bank about the “fraud & money-laundering incident” and request that the bank account be frozen immediately. Next, send them proof of the fraud allegation and file a criminal complaint with the police in the receiving country, if only to satisfy your insurance.
Tip #3: Is court litigation really necessary? Ask the bank’s AML officer or the fraud department how you can get your money back. In some countries, you have to file a civil lawsuit against the owners of the bank account, which is expensive and time-consuming. In other countries, there is a simpler procedure called “hold harmless”. It is an agreement between banks to minimize their liability when stolen funds are repatriated. Ask the bank about it.
Tip #4: Analyze the perpetrators’ e-mails. The difficulty with this kind of fraud is that the defrauded company has to keep working with its supplier going forward but cannot be sure whether the supplier’s e-mails are now authentic or still being manipulated, especially if the supplier’s own e-mail system has indeed been compromised, which is not uncommon. In that case, the e-mails’ metadata (headers) have to be analyzed on an ongoing basis: the criminals, operating from a different location than the supplier, will send their fraudulent e-mails through a different technical infrastructure than the real supplier uses. Identifying this “fingerprint” in the metadata is important going forward to differentiate legitimate from fake e-mails, so that business may continue safely.
Tip #5: File criminal complaints in countries that make sense. In some cases, it is helpful to involve police investigators in foreign countries if they have special capabilities or resources. What you need is a good reason to use that particular jurisdiction. For instance, where did the fake e-mail domains originate, what telecommunication companies were involved, what currency and banks were used for the fraudulent wire transfer? We can tell you from long-standing experience in what countries it may be beneficial to involve police agencies and can facilitate contact with them.
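One way to do the ongoing header analysis described under Tip #4: record the infrastructure “fingerprint” of a known-good supplier e-mail (envelope sender domain, Message-ID host, relay hostnames from the Received chain) and report every way a newly received mail deviates from it, including a Reply-To pointing away from the From domain. This is an added example, not code from the original post; the two messages, their hostnames and IP addresses are constructed samples.

```python
# Added example, not from the original post; both messages are constructed samples.
import re
from email import message_from_string
from email.utils import parseaddr

KNOWN_GOOD = """\
Return-Path: <invoices@supplier.example>
Received: from mail.supplier.example ([203.0.113.10]) by mx.victim.example
From: "Supplier Invoicing" <invoices@supplier.example>
Message-ID: <20210301090000.ab12@mail.supplier.example>
"""

SUSPECT = """\
Return-Path: <bounce@bulk-sender.example>
Received: from vps-4711.cheaphost.example ([198.51.100.77]) by mx.victim.example
From: "Supplier Invoicing" <invoices@supplier.example>
Reply-To: <invoices@supplier-billing.example>
Message-ID: <d41d8cd9@vps-4711.cheaphost.example>
"""

def _domain(header_value: str) -> str:
    # Lower-cased domain of the first address in a header value ('' if none).
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def fingerprint(raw: str) -> dict:
    """Collect the infrastructure-related facts from one message's headers."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    # Hostname each relay claims to have received the message from.
    hops = [re.search(r"from\s+(\S+)", h) for h in msg.get_all("Received", [])]
    return {
        "from_domain": from_dom,
        "return_path_domain": _domain(msg.get("Return-Path", "")),
        "reply_to_domain": _domain(msg.get("Reply-To", "")) or from_dom,
        "msgid_domain": msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower(),
        "relay_hosts": {m.group(1).lower() for m in hops if m},
    }

def deviations(baseline: dict, candidate: dict) -> list:
    """Differences between a known-good fingerprint and a newly received mail."""
    findings = []
    for key in ("return_path_domain", "msgid_domain"):
        if candidate[key] != baseline[key]:
            findings.append(f"{key}: {candidate[key]!r} != baseline {baseline[key]!r}")
    if candidate["reply_to_domain"] != candidate["from_domain"]:
        findings.append(f"Reply-To domain {candidate['reply_to_domain']!r} differs from From")
    unknown = candidate["relay_hosts"] - baseline["relay_hosts"]
    if unknown:
        findings.append(f"unknown relay hosts: {sorted(unknown)}")
    return findings
```

In practice the baseline is built from several past, verified supplier mails (union of their relay hosts), and any non-empty deviation list is a reason to confirm the message with the supplier through a channel other than e-mail.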
Has your company been defrauded through a payment diversion or fake CEO scheme, or would you like to increase security in your invoice payment processes? Contact us.
Proxy Holder and Head of Investigations & Fraud Prevention | White-Collar Crime
+49 89 599 88 75 80