business email compromise scam

©2016 Guardian Analytics , Inc. Confidential & Proprietary

Business Email Compromise – Why it’s So Effective, and How to Prevent It


Guardian Analytics BEC Education Campaign

• Best Practices Kit• Unbranded materials you can use to educate your clients

• Materials for you and your teams• Detection• Conversations with clients

• Example of scams• Fraud Update on BEC

Guardian Analytics Best Practices Kitwww.GuardianAnalytics.com/BEC-‐FI

2

We’re providing materials for FIs to use internally and for them to use to educate business clients.


FBI Warning: Business Email Compromise

3

• Over 12,000 businesses victimized

• $1.2B in losses• Increase in 270% from January 2015 to August 2015

• Institutions experiencing their clients victimized with increasing frequency – many seeing clients hit daily!

Latest BEC impact


Different Forms of BEC

1. Business Email Spoof 2. Business Email Hack

Criminal determines attack pattern based on whose email they have (CxO vs Controller/Procurement)Focus on CxO

@Redllaw @Redlaw @Redlaw

3. Business Email Hack / Vendor Email, Invoice Spoof

Vendor

@vendorr

4

Fraudsters’ preferred attack scheme depends on which email account he’s able to compromise.


1. CxO Masquerading – Domain Spoofing

1. Business Email Spoof

@Redllaw

FinanceStaff

Create new lookalike domain (Redllaw vs. Redlaw)

Who to targetAnd impersonateBest messageResearch Target Business and Person(s)

General informationPersonal informationCustomers/partnersCompany news

FundingProducts/patents

Travel plans

5

Fraudsters use publicly available information to learn about the company and who they will impersonate to make the emails very believable.


Monitor CEO email

2. Business Email Hack – CEO Masquerading

6

2. Business Email Hack

Email Takeover

Phishing

Social Engineering

Breaches

Malware

• Relationships• Common phrases• Business activities• Typical transactions• Calendar/travel

@Redlaw

• Move• Delete• Auto-‐forward

Hide email traffic using rules

FinanceStaff

Fraudster studies CEO’s prior emails to make the fake email consistent with style, tone, and wording.


Criminal “Payload” is Changing

7

FinanceStaff

Wire Payment

Employee/W2 info

Finance / HR Staff

Wire Fraud

• Identity theft• Tax fraud• New account

fraud

Criminals are expanding on the success of BEC to date, now asking for complete W2 files.


Monitor victim email

VendorsVendor email trafficRelevant “jump in” pointInvoices

3. Supplier Masquerading – Hacked Internal Email

Email Takeover

Phishing

Social Engineering

Breaches

Malware

@Redlaw

@vendorr

3. Business Email Hack / Vendor Email Spoof Spoofed

Invoice

New supplier lookalike domain

Use CC to fake conversations

about the invoice

Vendor

• Move• Delete• Auto-‐forward

Hide email traffic using rules

8

Fraudsters study vendor emails & invoices to make attack as consistent as possible with prior invoices.


Criminals Use Simple and Complex Schemes

EmailFrom: CEO

Subject: Need your help – pls keep it quietTo: Dave, Controller

Message:Dave,Can you please wire $56,000 to this company. I’m in a meeting right now, but you don’t need any further approvals.If you have questions, please reply to this email. Your prompt attention to this is critical.

Thanks,CEO

EmailFrom: Vendor

Subject: Invoice – New ProcessTo: Finance, Accounts Payable

Message:

Please find attached our latest invoice for the past billing period. Also note that we are implementing a new payment process. Instead of how you have previously made payments, please wire the funds directly to our account. Here are the wire instructions:Routing number: xxxxxxxxxxAccount number: xxxxxxxxxx

EmailFrom: CEO

Subject: Confidential – Attorney will callTo: Dave, Controller

Message:Dear Dave,

I would like to bring you in on something very important, but highly confidential. I would appreciate your timely support as well as your discretion, as we are not ready to tell the whole company about this –we are in the process of acquiring a company overseas. This is very strategic to our business.

I’ll be connecting you with a lawyer in London who is brokering this transaction for us. He will provide payment instructions for you.

I’m handing this project to you because I know I can trust you.

I’ll check in with you periodically.Thanks, CEO

Simple Request§ Relies on urgency and unavailability

Complex Story§ Relies on secrecy, sense of importance§ Can result in multiple payments

9

Schemes are tuned to increase credibility and decrease likilhood of victim catching on.


Spoofed Vendor Payments Seen in ACH

10

EmailFrom: Vendor

Subject: Invoice – New ProcessTo: Finance, Accounts Payable

Message:

Please find attached our latest invoice for the past billing period. Also note that we are implementing a new payment process. Instead of how you have previously made payments, please wire the funds directly to our account. Here are the wire instructions:Routing number: xxxxxxxxxxAccount number: xxxxxxxxxx

Traditional: Wire

New: ACH

We’re seeing further adaptation of the scheme to be consistent with prior vendor invoices.


Same Day ACH – Good Target For Criminals

11

• Prey on urgency/immediacy• Hard to detect amidst larger ACH volumes• Same Day ACH likely to replace some wire volume

ODFI

ACH Files

Morning Same Day Submission

Afternoon Same DaySubmission

StandardSubmission

Same DaySettlement

Fraudsters will likely increase the use of ACH to take advantage of the speed of Same Day settlement.


BEC Victim Trends

• Variety of business types under attack• Title companies• Consulting firms• IT providers• Legal services

• Tend to have higher transactional volumes • Businesses victimized multiple times

• Multiple payments as part of one scheme• “Vendor” asking for multiple invoices• Multiple “vendors” (one business hit 7 times)

• Transportation• Food service• Banks!

12

We’ve seen a broad range of businesses being victimized, and repeat attacks when they’re successful.


BEC Transaction Trends• Amounts

• Consistent with normal company amounts• Largest - $5MM• Average - $250K• Escalating amounts

• Case 1: $3K, $19K, $30K, $50K• Case 2: $8K to $80K

• Beneficiary FI and location• Mix of international and domestic • US - small CUs to largest banks• International – mostly Asia or Eastern Europe

• Beneficiary• Individual - 1/3 • Businesses - 2/3

• Trading and export• Products• Logistics

• Services• Catering

13

Criminals do their homework and keep amounts consistent with prior payments.


Global Distribution of Wire Destinations

Country % of incidentsUS 51.72%China 12.64%Hungary 8.05%Malaysia 5.75%Thailand 4.60%Hong Kong 3.45%Nigeria 3.45%Bulgaria 1.15%UK 1.15%UAE 1.15%Seychelles 1.15%Ukraine 1.15%Taiwan 1.15%United Kingdom 1.15%AU 1.15%Poland 1.15%

Attempted wires – volume of tx

14

The wide distribution of beneficiaries makes it difficult to detect fraudulent wires by monitoring for payments to specific destinations


Domestic Distribution of Wire Destinations

State% of incidents

FL 18.75%NY 9.38%IN 9.38%CA 9.38%TX 9.38%NC 6.25%AZ 6.25%GA 6.25%MI 6.25%SC 3.13%WI 3.13%MS 3.13%ID 3.13%CT 3.13%OH 3.13%

Attempted wires – volume of tx

15

Similarly for domestic wires, they’re widespread, risking high false positives for rules-‐based systems.


Impact of BEC Fraud On Financial Institutions

16

Increased alerts to try to detect

Increased callbacks

Increased volume & cost of recovery

Degradation in trust/experience

Reputation risk

Cost of Education

Increase inbank cost

Poor customer experience

Better fraud prevention can reduce

negative impact

Even though FIs are not liable for losses, they are hit with increased costs and damaged reputation.


Why Detecting BEC is Hard

17

New beneficiaries common (40% of wires to new beneficiaries)

BEC beneficiary FIs vary (domestic, international, banks, credit unions)

Spoofed CEO email

Spoofed supplier email

Legitimate user

(CFO or controller)

Online

Fax

Branch

Criminal beneficiaryor mule

Criminals do their homework on their targets and prey on urgency, sense of duty and importance

Legitimate user logs into online banking or requests the wire (legacy ATO detection methods don’t work)

BEC amounts within typical range of client wires

Fraudulent wires from BEC are hard to detect because requestors, process and amounts are consistent with prior wires.


Typical Fraud Detection Not Working

18

Detection Rates

Alert Volumes

Low

Low

High

High

Trust too little

Know when to trustKnow when NOT to trust

Trust too much

Over $100KAnd internationalAnd new recipient

Over $100KOr internationalOr new recipient

FIs are having to trade off volume of false positives with friction and success rates at detecting fraudulent payments. Guardian Analytics delivers high detection with low false positives.


Knowing When To Trust, When to Raise Risk

Learn each individual originator behavior over time to determine risk

Learn new recipient ratio, typical

beneficiary patterns (i.e. keeps false positives for title companies down)

Look to see if we can raise or lower trust of a

beneficiary

If multiple wires to same “bene” spread out, can raise trust

If many in rapid succession, less trustworthy

Use what we’ve learned from other

fraudMule

Match in mule database?


100+ Wire Attributes Analyzed

20

AddendaAddendaLength DisplayFields IntermediateFIName PaymentNotificationIndicatorAddendaInformation DrawdownCreditAccount IntermediateFIStateProvince ReceiverFINameAmount DrawdownDebitAccount OBI ReceiverFIAddress1AmountCurrencyCode DrawdownDebitAccountAdviceInfoAdditionalInfo OMADOutputCycleDate ReceiverFIAddress2BBI DrawdownDebitAccountAdviceInfoAdviceCode OMADOutputDate ReceiverFIAddress3BeneAddress1 ExchangeRate OMADOutputDestinationID ReceiverFICountryCodeBeneAddress2 IMADInputCycleDate OMADOutputSequenceNumber ReceiverFIIDCodeBeneAddress3 IMADInputSequenceNumber OMADOutputTime ReceiverFIIDBeneCountryCode IMADInputSource OrigAddress1 ReceiverFINameBeneFIAddress1 ImmutableCompanyID OrigAddress2 ReceiverFIStateProvinceBeneFIAddress2 ImmutableUserID OrigAddress3 RecurrenceBeneFIAddress3 InstructedAmount OrigCountryCode RepeatRequestBeneficiaryAdviceInfoAdditionalInfo InstructedCurrencyCode OrigFIAddress1 RequestIDBeneficiaryAdviceInfoAdviceCode InstructingFIAddress1 OrigFIAddress2 SenderFIBeneficiaryFIAdviceInfoAdditionalInfo InstructingFIAddress2 OrigFIAddress3 SenderFIAddress1BeneficiaryFIAdviceInfoAdviceCode InstructingFIAddress3 OrigFICountryCode SenderFIAddress2BeneFICountryCode InstructingFICountryCode OrigFIID SenderFIAddress3BeneFIID InstructingFIID OrigFIIDCode SenderFICountryCodeBeneFIIDCode InstructingFIIDCode OrigFIName SenderFIIDCodeBeneFIName InstructingFIName OrigFIStateProvince SenderFIIDBeneFIStateProvince InstructingFIStateProvince OrigIDCode SenderFINameBeneIDCode IntermediateFIAddress1 OrigName SenderFIStateProvince

BeneIdentifier IntermediateFIAddress2 OrigStateProvince SenderReferenceBeneName IntermediateFIAddress3 PaymentNotificationContactFaxNumber SettlementMethodBeneReference IntermediateFIAdviceInfoAdditionalInfo PaymentNotificationContactMobileNumber SourceBeneStateProvince IntermediateFIAdviceInfoAdviceCode PaymentNotificationContactName StatusBusinessFunctionCode IntermediateFICountryCode PaymentNotificationContactNotificationElectronicAddress Type_SubtypeDestinationType IntermediateFIID PaymentNotificationContactPhoneNumber SubTypeDirection IntermediateFIIDCode PaymentNotificationEndToEndIdentification TemplateNameDisplayFields TransferDateDrawdownCreditAccount TypeDrawdownDebitAccount WireID

We analyze 100+ aspects of client behavior. Risk is scored based on combinations of activities.


Guardian Analytics Wire Finds Unusual Wires

Would beneficiary be expected? (new beneficiary ratio, beneficiary and FI location/region)

Are the originator’s wire actions normal? (timing, velocity, type, accounts, direction, use of instructions, content of instructions)

Are the wires typical? (type, amount)

Originator Model

Wire Behavioral Analytics

Cross-‐institution risk data(Network effect)

Beneficiary Model

Is this a high or low risk beneficiary?(beneficiary history with other originators, name/ account number match, suspected mule)

Self learningNo rules to writeNot threat specific

Adapts to new threatAutomatic updates to analytics

100+ attributes from wire system

21

Our solution answers behavioral questions that indicate what is normal vs. suspicious behavior.


Real-time Risk Scoring and Intervention

22

WireSystem

Send to Fed

Review Alerts

Risk score and hold/release instructions returned immediately to wire system

Mobile

Branch

Contact Center

Online

File upload

InitiateWire

Wire comes in; payment fields immediately sent to Guardian Analytics

for analysis

9.2 2.2

Hold Release

Analyze 30+ fields and nearly 75 attributes

from PAYPlus

Release/cancel

Guardian Analytics Wire

Every wire is risk scored. Automatic release of low-‐risk wires allows analysts to focus their time on investigating the small number of high-‐risk payments.


Guardian Analytics Wire Successfully Detects BECAttack 1 Attack 2 Attack 3 Attack 4 Attack 5

Beneficiary FI AZ-based CU Large national

bankLarge national bank

LargeInternational bank

Chinese bank

Beneficiary Location

AZ (previouslysent wires to many states, and other countries)

NY (previously sent wires to TX, WI)

HongKong (had done US and UK wires in the past)

China(history of US wires only)

Beneficiary Individual Individual Individual Business Business

Originator Velocity

First wire in four months

OBI Frequency

Infrequent or new or use of OBI

Originator Amount

$39K $20K (most wires 0-‐$1000)

$73K $125K $2,871,000 $4,950,000 $4,850,000 $4,969,000

Originator Description

Frequent wire sender – IT Services Company

Frequent wire sender – Title Company

Sporadicwire sender – Legal Services

Frequentwire sender –Transportation Services

Frequent wire sender – Title Company

No one bank pattern – US/international, large/small, bank/CU

No one location pattern

Combination of business and individual

Mixed use of instructions

Amount often within range of typical behavior

Could be single or multiple hits

Attacks have a wide range of variation, making BEC attacks difficult to detect with rules.


Accurate Detection, Low Alert Volume

The combination of specific

attributes of this wire was unusual and untrusted,

and yielded a red alert

Guardian Analytics provides complete and consolidated view of account history


Accurate Detection, Low Alert Volume

The combination of specific

attributes of this wire was unusual and untrusted,

and yielded a red alertNote that behavioral

deviations are expected and do not yield red alerts (top

row)

Note the variation in wire amount did not trigger a false-‐positive

as FraudMAP recognized combined behavior as normal


You’ve Detected It – Now On To the Client…

• Be prepared with details, be prepared to spend time with the business

• Start like normal verification call; get customer talking

• Help them to see why you’re suspicious• Explain the scams• Probe into the situation – ask if they received the request via email, ask for key words• Push for non-‐email based confirmation

• Remind them you’re there to help

• Redirect the emotion – focus on the pain of the business losing money

26

Be prepared for what can be a difficult call with a victimized client.


Impact of BEC Fraud On Financial Institutions

27

Cost of Education

Reduced alerts

Reduced callbacks

Increased detection, less recovery

Increase in trust, enhanced experience

Decrease in costs

IncreaseIn Trust

By improving their ability to detect BEC attacks, FIs will reduce costs and increase trust.


Guardian Analytics Successes with BEC

Fraud prevented

$19M in two months

Efficiency gainsReduced reviews to only wires flagged by Guardian

Analytics, all else automatically processed

(50-‐100 wires/day)

Client experienceReduced callbacksReduction in alerts

freed time for deeper client discussion of likely

BEC attacks

Bank with ~4,000 wires per day

Fraud prevented

$500K in six months

Efficiency gainsPreviously held all online

wires (250/day) Guardian Analytics scores all 1500 wires/day, but holds only 75 from any channel, reducing bank

effort by 70%

Client experienceFaster processingFewer callbacks

(1-‐5/day)

Bank with ~1,500 wires per day

28


Guardian Analytics Wire Benefits

29

• Accurate detection with low alert rates• Reduction in false positives reduces overall workload and creates time for banks to spend with customers• Better client experience• Reduction of time spent on paperwork and funds retrieval• Reduced risk of lawsuits, reputation issues• Build deep client satisfaction and loyalty


Guardian Risk Engine

Solutions to Detect Fraud Across Channels and Transactions

Guardian Solutions

Guardian Enterprise API

Guardian Visual Analytics

We offer behavior-‐based solutions across channels and payment types, plus an API to incorporate proprietary data. The Risk Engine calculates risk scores that are presented through our visual analytics.


For More Information

• Email [email protected]• Request a one-on-one briefing

• Visit www.GuardianAnalytics.com• Sign up for a demo• Sign up for our monthly Fraud Updates

• Download BEC Best Practices• www.GuardianAnalytics.com/BEC-FI

• Watch the recording of this webinar• http://info.guardiananalytics.com/BECWebinar-Mar2016-reg.html

31


Business Email Compromise – Why it’s So

Effective, and How to Prevent It

Thank You!

business email compromise scam

Economy & Finance