Business Email Compromise and Vendor Impersonation Fraud, carried out either by stealing a business's email credentials or by impersonating a legitimate business via email, phone, fax or letter, represent a risk to ACH Network participants even though the roots of this criminal activity are not in banking systems themselves. In other words, Business Email Compromise and Vendor Impersonation Fraud are about compromised credentials or gaps in processes and procedures, not about a direct compromise of the ACH Network or other payment systems.
With Business Email Compromise, legitimate business email accounts are compromised and used to send payment instructions to personnel authorized to conduct financial transactions for the business. The criminal will often compromise the account of one of the business's officers and monitor it for patterns, contacts and information. The criminal will often wait until the officer is away on business before using the compromised account to send payment instructions. This makes the instructions more difficult to verify and, at the same time, makes them appear more legitimate. The payment instructions direct money to an account controlled by the criminal.
In instances of Vendor Impersonation Fraud, criminals impersonate a legitimate vendor or contractor and contact businesses or public-sector entities requesting to update account information. Contact can come in the form of an email, telephone call, fax, or traditional letter. In each case, the vendor's account information is updated with the account number and routing number of an account owned by the fraudster. When a legitimate invoice is received, the entity processes a payment to the criminal's account, resulting in a loss to the entity. Social engineering techniques have grown more sophisticated over time. Fraudsters may create email addresses that closely resemble the vendor's actual address, making the substitution difficult to spot; written correspondence may appear to be printed on legitimate letterhead or stationery.
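The lookalike email addresses described above can be caught mechanically before an account-change request reaches accounts payable. The following is an added example, not code from the original page or from any ACH Network participant: it compares the sender's domain against a constructed allow-list of known vendor domains (the vendor names and domains are hypothetical), folding characters that render like Latin letters and measuring edit distance so that substitutions such as "rn" for "m" or a Cyrillic "а" for a Latin "a" are flagged rather than silently accepted. The confusables table is a small constructed subset; a production check would use the full Unicode confusables data.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Constructed allow-list of domains the organisation's real vendors send from
# (hypothetical names, not taken from the original page).
KNOWN_VENDOR_DOMAINS = {"acme-supply.example", "northbridge-contractors.example"}

# Constructed, deliberately small table of characters commonly swapped for
# Latin letters in lookalike domains (digits and Cyrillic homoglyphs).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i",
}


def normalize_domain(domain: str) -> str:
    """Lower-case, NFKC-fold and map confusable characters to their Latin look-alike."""
    folded = unicodedata.normalize("NFKC", domain.strip().lower())
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    # "rn" renders much like "m" in many fonts; treat the pair as one glyph.
    return mapped.replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender_domain: str
    status: str              # "known", "lookalike" or "unknown"
    closest: Optional[str]   # the allow-listed domain the sender resembles, if any
    reason: str


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_edits: int = 2) -> Verdict:
    """Classify the domain of a sender address against the vendor allow-list."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return Verdict(domain, "known", domain, "exact match")

    norm = normalize_domain(domain)
    best, best_dist = None, None
    for k in known:
        k_norm = normalize_domain(k)
        # Same string once confusables are folded: a homoglyph impersonation.
        if norm == k_norm:
            return Verdict(domain, "lookalike", k, "confusable characters for " + k)
        d = levenshtein(norm, k_norm)
        if best_dist is None or d < best_dist:
            best, best_dist = k, d

    # A handful of edits away from a real vendor is the classic typo-squat.
    if best is not None and best_dist <= max_edits:
        return Verdict(domain, "lookalike", best, f"{best_dist} edit(s) from {best}")
    return Verdict(domain, "unknown", None, "no close match in vendor allow-list")


if __name__ == "__main__":
    # Constructed sample senders: one genuine, three impersonations, one stranger.
    for addr in ("ap@acme-supply.example",
                 "ap@acrne-supply.example",          # rn for m
                 "ap@\u0430cme-supply.example",      # Cyrillic a
                 "ap@acme-suppIy.example",           # capital I for l
                 "ap@totally-different.example"):
        v = classify_sender(addr)
        print(f"{addr:36} {v.status:9} {v.reason}")
```

A "lookalike" verdict should route the message to the same out-of-band callback that any vendor account-change request gets; it is a trigger for verification, not proof of fraud. The check deliberately does not try to catch a different top-level domain on an otherwise identical name (the edit distance is too large), so that case still depends on the callback procedure.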
Although any business entity could be the target of this form of social engineering, public-sector entities seem to be specifically targeted because their contracting information is typically a matter of public record. Fraudsters use information from such public records to impersonate legitimate contractors more convincingly.
Each financial institution should evaluate its risk profile with regard to Business Email Compromise and Vendor Impersonation Fraud, and develop and implement sound business practices to mitigate the associated risks. Such a plan should be appropriate to the unique circumstances of the financial institution's business and clientele. Examples of sound business practices for financial institutions include:
Likewise, each business or public-sector entity should evaluate its risk profile with regard to Business Email Compromise and Vendor Impersonation Fraud. Examples of sound business practices for businesses and public-sector entities include: