Business email compromise and fraudulent instruction scams

BEC and fraudulent instruction are accomplished by either phishing an executive and using compromised email credentials or by spoofing a legitimate email address from a look-alike domain name. Either way, the intent is to induce an employee to act quickly to make a wire transfer, payment or transfer sensitive data to cybercriminals.

All employees involved with wire transfers should receive training on these scams, including the use of deepfake voices and videos and the procedures for handling internal wire transfer requests. It’s wise for employees to take a zero-trust approach due to the realistic nature of deepfake voices and videos.

These scams typically involve an executive-level employee’s email that has been compromised or spoofed through a phishing attack. The fraudsters create an email appearing to be sent from the executive to another individual within the organization requesting a payment — typically a wire transfer.

Fraudsters can also create a deepfake voice of the executive in live voice calls as well as voice messages requesting a wire transfer or create a deepfake video of the executive in video conference calls.

A few simple action steps that can help protect your credit union is to have employees confirm the legitimacy of the request no matter how they are received — by email, voice message, live voice call or in a video conference call — by verifying with the C-suite executive and authenticating the request using a different communications channel (out-of-band authentication), such as verifying face-to-face with the requestor or calling the requestor’s phone extension or cell phone.

Implementing dual control — using two or more employees — can provide additional checkpoints to ensure requests and payments appear and are transacted legitimately.

It’s important to educate your members — especially business members — about the possibility of this scam and how to protect themselves.

Remember, the member would be liable for the loss of funds since they requested the wire, so it’s critical they know how to spot the warning signs for this type of fraud.

A common approach associated with real estate wire scams has a credit union lender or member/purchaser receiving an email appearing to come from the title company/closing agent with bogus wiring instructions, shortly before the loan closing. You should establish procedures to call the title company/closing agent using a reliable phone number on record to verify the legitimacy of wire transfer instructions received by email or fax. Additionally, some establish a passcode in advance to be used in conjunction with the callback and verification process.

Educating members upfront can be extremely helpful. Provide reminders such as:

• Warning them to be wary of any last-minute wire transfer changes.
• Suggesting they gather all telephone numbers for agents, title company, etc., at the signing of the purchase contract and compare any changes shortly before closing.
• Calling to confirm any wiring instructions.
• Avoid sending financial information through email.

Asking members if they have received the wire instructions via email and if so, did they verify instructions with the closing agent using a verified telephone number can be helpful.

The vendor impersonation scam is designed to steal payments credit unions make to their vendors. In this scam, the fraudster sends a spoofed email to an employee in the accounting department, such as the accounts payable clerk, appearing to come from a vendor used by the credit union. The fraudulent email provides updated banking information for remitting payments to the vendor by ACH or wire. As legitimate invoices are received from the vendor, the accounting department employee remits payments using the updated banking information. The credit union learns of the fraud when they receive a call from the vendor inquiring about the delinquent payments.

It’s not unusual for credit union employees to develop close relationships with vendor personnel. Fraudsters could exploit these close relationships by creating a deepfake voice of a vendor’s employee to perpetrate this scam in a live voice call or by creating a deepfake video of the vendor’s employee in a video conference call.

Employees in the accounting department should receive training on the vendor impersonation scam and verify updated banking information for remittances no matter how they are received from the vendor — by email, voice message, live voice call, or video conference call — by calling the vendor using a reliable phone number.