FRAUD SQUAD

From Dream Home to Disaster: Business Email Compromise

Monday, September 9th, 2024


Cyber security risk management solutions from DefenseStorm.

During the process of purchasing a house, newlyweds Lilah Jones and her husband were deceived into sending money to a scammer. The fraudster used a Business Email Compromise (BEC) scam to pose as the title company and provided false wiring instructions, leading the couple to transfer a $130,000 down payment to a fraudulent account instead of the title company.

THE SCAM: During the process of purchasing a house, newlyweds Lilah Jones and her husband were deceived into sending money to a scammer. The scammer had infiltrated an email conversation with the title company and provided false wiring instructions, leading the couple to transfer the money to a fraudulent account instead of the title company. This incident, known as Business Email Compromise, put Lilah’s $130,000 down payment at risk, threatening the purchase of their dream home. According to the NASDAQ 2024 Global Financial Crime report, “In 2023, 67% of cyber-enabled scam losses resulted from Business Email Compromise (BEC), amounting to $6.7 billion in losses.”

THE SCHEME: Lilah Jones and her husband were newly married and, upon returning from their honeymoon in Puerto Rico, planned to begin the search for a house together. The search for the perfect house had been ongoing, but finally, after a few house-hunting excursions, they found it. The offer was made, and it was time to finalize the deal on their dream home. Though there was a considerable gap between the acceptance of their offer and the closing date, Lilah and her husband appreciated the extra time to get everything in order.

As the closing day approached, the family was excited; Lilah had everything packed and ready to go for herself, her husband, and her kids. But amidst the excitement, a storm was brewing. During the course of the discussions, Lilah reached out to the title company for information regarding the down payment. When they had spoken on the phone, the title company explained she would have to wire the money in person. She thought this was odd because she did everything remotely. Throughout the time she was speaking to them on the phone, she was also receiving emails from the company, which then told her she could expect an email with a password-protected document containing all the information from the title company and closing instructions, which would include the process and account to wire the funds. This made sense to her, so she waited for the email, but when she received it, Lilah was not able to open the document. Through email communication, the title company became almost demanding, pressuring Lilah to get the wire transfer done. So, Lilah called the title company. She was annoyed by their lack of professionalism and a sudden sense of urgency to send the money when she still had time before the closing. They never responded to the message she left. Additionally, this password-protected document would still not open, and she had no idea what the next steps were to wire the money. Lilah would never receive a call back. Instead, she received additional emails from the title company instructing her to open the document they sent with the password security removed, as it was causing problems, and to just wire the money. Lilah then sent the money, and they were ready for closing day.

Closing day arrived, but when Lilah and her husband sat in the office with the title company, they insisted that they never received the down payment. “We didn’t receive any money,” the title company employee informed them. Panic set in. “I sent it,” Lilah insisted, pulling up the email with the instructions she followed. A second title company representative took the phone and read over the email but then clicked a dropdown box. “That’s not from us,” he said. A sudden realization washed over everyone in the room – it was a scam. Lilah had been a victim of Business Email Compromise. The emails looked legitimate, with the proper logos and communication, but they were actually from a fraudster. She had wired $130,000 to criminals and would likely never again see a penny of it. The next moments were a whirlwind of emotion as Lilah’s attorney became irate, asking how she could have fallen for this scam. Everyone in the room was seemingly incredulous that she had made this mistake. “I’ve got all these people looking at me like, how could you be so stupid?” explained Lilah. At that moment, they realized a harsh truth: no matter how efficient or prepared you might think you are, no one is immune to deception. The lesson was brutally clear—never assume it can’t happen to you.

*Lilah is working to recover some of the lost funds, but she will likely not recover it all.

Fraud Geek Explains:

Business Email Compromise (BEC) is a sophisticated form of cybercrime where scammers imitate the identity of a legitimate email account’s owner to deceive employees, customers, or partners into transferring money or sensitive information. According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams accounted for over $1.8 billion in adjusted losses in 2020, making it one of the costliest forms of cyber fraud.

The most common ways people fall victim to BEC include phishing emails that trick recipients into revealing login credentials, social engineering tactics that manipulate individuals into performing unauthorized actions, and email spoofing where attackers alter email headers to make messages appear legitimate. Often, these schemes involve urgent requests for payments, changes in payroll information, or bogus invoices that appear to come from trusted sources. People who are engaging in business that requires financial transactions or sensitive data are especially at risk because, amid the constant flood of communication, a fraudulent message can be mistaken for a legitimate one. This was the case with Lilah – she was expecting instructions regarding the wire transfer and inadvertently fell for the fake email.

Fraud Geek’s Advice:

Preventing BEC requires a multi-faceted approach, and the general public can apply the following to prevent falling victim to this scam:

  • Consumer Awareness: Stay vigilant for signs of phishing and verify the authenticity of emails. Look for subtle inconsistencies such as grammatical errors, suspicious links, or unexpected attachments. Always verify the sender’s email address to ensure it matches the legitimate domain.
  • Direct Confirmation: If you receive an email regarding a financial transaction, contact the institution directly using a known and verified phone number or official website. Do not use contact information provided within the email, as it may be part of the scam.
  • Secure Communication Channels: Use encrypted communication methods offered by the financial institution for sensitive transactions. Ensure that the website is secure (look for “https” and a padlock symbol in the browser address bar) before entering any personal information.

How Financial Institutions and Other Organizations Can Protect Clients from Business Email Compromise

To protect clients from BEC, financial institutions and other organizations can apply the following:

  • Educate clients on the signs and risks of BEC scams. These include unusual demands, shifts in email addresses, altered voices or images in communications, as well as discrepancies in the sender’s message. Clients should be made aware of how these scams operate and the potential consequences of falling victim to them.
  • Encourage clients to independently verify any requests for sensitive information or financial transactions, especially those marked as urgent or coming from unfamiliar sources. Verification can be done by contacting known contacts through a different communication channel, such as a direct phone call, to confirm the request’s legitimacy.
  • Implement stringent authentication and verification processes for both online and offline transactions. These might include multifactor authentication, biometric verification, and behavioral analytics systems to flag anomalies or irregularities in client behavior.
  • Regularly monitor and analyze email communications for signs of compromise. Advanced threat detection systems can be employed to identify suspicious activities or red flags indicative of BEC attempts.
  • Create clear protocols for clients and employees to report suspected BEC incidents quickly. Having a rapid response team in place can help mitigate damage and prevent further loss.
  • Ensure that all systems are regularly updated and patched to protect against the latest vulnerabilities and attack vectors. Keeping software and systems current can minimize the risk of exploitation by cybercriminals.
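
The sender check and email monitoring described above can be partly automated. The following Python sketch is an added example, not code from DefenseStorm or the original article: it inspects a message's `From` and `Reply-To` headers against a domain the recipient has already verified and flags lookalike domains, reply-to redirection, and urgent wire requests. The trusted domain, the flag names, and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "example-title.test"  # assumption: domain verified by phone with the title company
URGENCY = ("urgent", "immediately", "today", "asap")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    """Domain part of the address in a header; the display name is ignored."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def bec_flags(raw, trusted=TRUSTED):
    """Return warning flags for one raw, single-part email message."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if sender != trusted and not sender.endswith("." + trusted):
        near = edit_distance(sender, trusted) <= 2
        flags.append("lookalike-domain" if near else "unexpected-domain")
    if reply and reply != sender:  # replies would go somewhere else
        flags.append("reply-to-mismatch")
    body = msg.get_payload().lower()
    if "wire" in body and any(word in body for word in URGENCY):
        flags.append("payment-pressure")
    return flags

# Constructed sample messages (not taken from the incident).
LEGIT = ('From: "Example Title Co" <closing@example-title.test>\n'
         "Subject: Closing date\n\n"
         "Your closing is scheduled for Friday at our office.\n")
SPOOFED = ('From: "Example Title Co" <closing@examp1e-title.test>\n'
           "Reply-To: closer@mailbox.test\n"
           "Subject: Closing instructions\n\n"
           "This is urgent. Please wire the funds today.\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, bec_flags(raw))
```

A clean result only means none of these three signals fired; wiring instructions still need confirmation through a known phone number.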

SOURCES:

2024 Global Financial Crime Report
https[:]//www[.]nasdaq[.]com/global-financial-crime-report

Lilah’s Nightmare: When Business Email Compromise Jeopardized Her Dream Home
https[:]//www[.]youtube[.]com/watch?v=nrdyEhuR4ag