Dear Board of Directors and Chief Executive Officer:
This alert describes the increasing frequency of and losses related to business email compromise fraud schemes. Credit unions can take steps to prevent this type of fraud and should report such fraud, when it occurs, to the FBI’s Internet Crime Complaint Center. Credit unions that promptly report incidents to the Internet Crime Complaint Center increase their opportunity to recover funds that have been wired under fraudulent pretenses.
Business Email Compromise
Business email compromise occurs when a criminal uses email to impersonate a legitimate business or person in order to request or access fraudulent payments.1 Criminals may compromise a victim’s email address or domain, or use publicly available services to spoof this information.
Criminals impersonate people in a variety of industries, including real estate, law, religious organizations, and business vendors, and use email to initiate or redirect a wire transfer before a victim discovers the transaction. They also use social engineering, spoof business email accounts, or send fake links to further these types of schemes. They typically leverage a victim's authority to pressure a target into acting quickly or secretly when handling a transfer.
The FBI advises that business email compromise is a pervasive threat that can result in significant financial losses. Between October 2013 and May 2018, the FBI (in cooperation with financial, domestic, and international law enforcement partners) identified more than 78,000 incidents of domestic and international business email compromise.2
FBI Recovery Asset Team
The significant number of business email compromise fraud complaints and the associated losses prompted the FBI’s Internet Crime Complaint Center to create a recovery asset team in February 2018. The team’s goal is to quickly identify and freeze suspicious wire transfers before funds are transferred or removed from a suspect’s account.
The Internet Crime Complaint Center automatically transfers complaints that meet specific FBI guidelines to the recovery asset team, where they are evaluated for relevance and accuracy before the team contacts a financial institution to request funds be frozen in a suspect’s account.
The recovery asset team also acts on:
- Any crime that meets evaluation guidelines (not limited to business email compromise)
- Most fraudulent transactions, including ACH and electronic funds transfer (not limited to wire transfers)
- All domestic fraudulent transactions, including those that originate outside the United States
Between February 2018 and May 2019, the recovery asset team recovered more than $331 million from reported complaints, representing a recovery rate of approximately 76 percent. The team is very successful in recovering funds when complaints are filed quickly and accurately.
Prevent Business Email Compromise Fraud
Credit unions can take the following steps to help prevent business email compromise fraud:
- Never make a payment change without verifying the change with the intended recipient
- Verify the accuracy of email addresses when checking mail on a mobile device
- Use a two-step verification process to verify wire requests with members, and use information from previously known email addresses and phone numbers rather than what is provided in the wire transfer request
- Require staff to investigate and verify changes to members’ personal information or business practices of the credit union’s vendors or member business accounts
- Know the routines of members’ wire activity and contact them with any changes or concerns before sending a wire transfer
- Verify transaction details with the recipient bank before sending a suspicious wire transfer
- Use email spam filters to quickly identify potential fraudulent or spoofed emails
- Create rules in the credit union’s intrusion detection system to flag emails with extensions that are similar to, but different from, those of your credit union or its members
- Use caution when posting information on social media and company websites, especially job duties/descriptions, hierarchal information, and out-of-office details
- Implement multi-factor authentication (MFA) for corporate e-mail accounts that requires at least two pieces of information to log in (something a user knows, such as a password, and something a user has, such as a dynamic PIN)
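One way to implement the similar-but-different domain rule from the list above, shown as an added example that is not code from the NCUA or the FBI. The protected domains, the sample From headers, the substitution table and the distance threshold are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list: the credit union's own domain and one known vendor.
PROTECTED = {"examplecu.org", "acme-title.com"}

# Visual substitutions collapsed before comparing (assumed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]

def skeleton(label):
    """Normalise a domain label so visually confusable spellings compare equal."""
    s = label.lower().replace("-", "")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header, protected=PROTECTED, max_dist=1):
    """Return (verdict, matched): verdict is 'known', 'lookalike' or 'unrelated'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    for p in sorted(protected):
        # 'known' means the text matches; it does not prove the sender is authentic.
        if domain == p or domain.endswith("." + p):
            return ("known", p)
    labels = domain.split(".")
    for p in sorted(protected):
        pname = p.split(".")[0]
        for label in labels[:-1]:
            if (label == pname                                    # same name, other suffix
                    or skeleton(label) == skeleton(pname)         # character swap
                    or edit_distance(label, pname) <= max_dist):  # one-character typo
                return ("lookalike", p)
    return ("unrelated", None)

# Constructed From headers, not taken from any real incident.
SAMPLES = ['"Closing Dept" <wires@acme-title.com>', '"Closing Dept" <wires@acrne-title.com>',
           "ceo@examplecu.co", "teller@examp1ecu.org", "newsletter@example.net"]

def flagged(headers):
    """Headers that should be held for the callback verification described above."""
    return [h for h in headers if classify(h)[0] == "lookalike"]
```

A "lookalike" verdict is a reason to verify the request through a previously known phone number before any payment change, not proof of fraud.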
More self-protection strategies are outlined on the United States Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber Incidents.”
Report and Recover Funds from Business Email Compromise Fraud
The NCUA strongly encourages credit unions and other victims of such fraud to file a complaint with the FBI’s Internet Crime Complaint Center as soon as they identify suspicious activity. Filing a detailed complaint that contains all required data in the provided fields can help the FBI pursue recovery.
Credit unions that identify business email compromise or a similar wire-transfer fraud scheme should also contact the originating financial institution as soon as possible to request a recall or reversal, as well as a Hold Harmless Letter or Letter of Indemnity. The NCUA also encourages such credit unions to file a Suspicious Activity Report with the Financial Crimes Enforcement Network (FinCEN).
If you have questions about this topic, please review FinCEN’s Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes and contact your regional office or state supervisory authority as needed.3
Rodney E. Hood
1 FBI Alert I-061118-PSA, Business Email Compromise Contributes to Large Scale Business Losses Nationwide (June 11, 2018)
2 FBI Alert I-071218-PSA, Business E-mail Compromise The 12 Billion Dollar Scam (July 12, 2018)
3 FinCEN Advisory FIN-2019-A005, issued July 16, 2019