FinCEN BEC attacks report: Analysis

September 5, 2019 by Daniel Dimov

Introduction

The Financial Crimes Enforcement Network (FinCEN) is a U.S. government institution responsible for collecting and analyzing financial information with the aim of combating financial crimes. In 2016, FinCEN issued an advisory to financial institutions on business email compromise (BEC) fraud. On the 16th of July 2019, FinCEN updated the 2016 advisory.

In this article, we’ll examine the five main points of the updated advisory, namely, (i) the changes in the operational definitions of email compromise fraud, (ii) the inclusion of references to other victims of BEC, (iii) the provision of new information about trends in the field of BEC, (iv) the insertion of a description of the business processes that are vulnerable to BEC fraud and (v) a detailed examination of the opportunities for information sharing related to BEC fraud. These five points are discussed in more detail below.

Changes in the operational definitions

In the updated advisory, FinCEN broadened the definitions of email compromise fraud in such a way as to include a variety of entities that may become fraud victims and a variety of payment methods that can be used to transfer funds to fraudsters. For example, the amended definitions cover not only wire transfers, but also cryptocurrency payments, the use of automated clearing house transfers and transfers of gift cards. 

The amended definitions may be included by financial institutions in their Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) frameworks.

The inclusion of references to other victims of BEC

The updated advisory states that, besides companies, victims of BEC may also include governments, educational institutions and financial institutions.

BEC attacks on governments (both local and foreign) mostly target email accounts used to operate payroll bank accounts and pension funds. Such attacks mainly rely on sending emails which look similar to emails from trusted governmental institutions. The emails attempt to lure the recipient to initiate a payment transaction.

Although only 2% of all BEC incidents in 2017 targeted educational institutions, such institutions are subject to most high-value BEC attacks. This is because they regularly send and receive large sums of money, e.g., tuition fees, grants and endowments. BEC attacks on educational institutions usually include sending emails purporting to be from service providers working with the targeted educational institutions.

In most cases, BEC attacks on financial institutions involve sending emails that appear to be sent by employees of other financial institutions. For instance, the purported sender of an email may be the Society for Worldwide Interbank Financial Telecommunication (SWIFT). SWIFT operates a network allowing financial institutions all over the globe to exchange financial information.

Providing new information about the trends in the field of BEC

FinCEN also revealed information about the newest trends and developments in the field of BEC attacks. The report stated that BEC attacks occur most commonly in the sectors of manufacturing and construction (25% of the reported cases), commercial services (18% of the reported cases) and real estate (16% of the reported cases). 

Most BEC attacks involve initial transfers within the territory of the United States. Such transfers likely benefit from U.S. “money mule” networks. The term “money mule” refers to a person who transfers illegal funds on behalf of others. Mules are commonly recruited through advertisements for “money transfer officers” and “payment processing agents.” By using money mules, criminals are able to distance themselves from fraudulent transactions. In most cases, the mule is paid a percentage of the transferred funds.

The proceeds generated from BEC attacks usually end up in Turkey, Hong Kong, China, the United Kingdom and Mexico.

Discussing business processes that are vulnerable to BEC fraud

The report noted that BEC attacks rely on vulnerabilities in business processes in the fields of agriculture, education and real estate. For example, the vulnerabilities related to real estate processes include (i) the availability of detailed public information about real estate transactions, (ii) the fact that parties in real estate transactions sometimes communicate through email and (iii) the fact that communications related to real estate transactions often lack strong authentication processes.

Opportunities for information sharing related to BEC fraud

FinCEN also reminded financial institutions that, under the USA PATRIOT Act, they may share information related to BEC fraud with the aim of helping other potential victims to identify and report activities related to money laundering or terrorist activity. The shared information may include, for instance, information about beneficiaries and perpetrators. By sharing such information, financial institutions will warn potential victims of BEC fraud about the fraudulent nature of communications purporting to be from certain legitimate entities.

Taking into account that fraudulent vendor invoices are the most commonly used BEC methodology, such warnings may be particularly helpful to prevent BEC fraud. Information sharing will become even more important in the future as the number of BEC attacks based on fraudulent vendor invoices increases steadily. In 2017, 30% of all BEC incidents were related to fraudulent vendor invoices. In 2018, the percentage was 39%.  

Conclusion

In its updated advisory, FinCEN provides more guidance on how to identify and address BEC attacks. Thus, FinCEN hopes to reduce the growing number of successful BEC attacks. 

According to the Federal Bureau of Investigation (FBI), BEC attacks led, at a global level, to losses amounting to more than USD 12 billion between October 2013 and May 2018. Such losses have a significant impact on the affected individuals, companies and governments. To mitigate the negative impact, FinCEN created the FinCEN Rapid Response Program in 2014. It succeeded in recovering more than USD 500 million. The program allows FinCEN to rapidly share information with financial intelligence departments of more than 164 jurisdictions.

 

Sources

  1. Manufacturing and Construction Top Targets for Business Email Compromise, FinCEN
  2. Updated Advisory on Email Compromise Fraud Schemes Targeting Vulnerable Business Processes, FinCEN Advisory
  3. FinCEN Unveils New Efforts to Combat Widespread Business Email Compromise Fraud Scams As Losses Reach $300 Million Per Month, Fox Rothschild LLP
  4. This is how much email scammers are now costing businesses every month, ZDNet

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.