Does your business rely on email to request or authorize transfers of funds? If so, simple awareness of a sophisticated cyber-enabled fraud scam called Business Email Compromise (BEC) may help keep your business from becoming a victim. It happens daily, and it starts with seemingly harmless, routine email requests.

What is Business Email Compromise?

The scam is carried out when someone compromises or spoofs legitimate business email accounts through social engineering or computer intrusion techniques. The fraudster then uses those compromised or fraudulent email accounts to trick victims into transferring funds. The transfers are most often requested by wire or ACH, but the scheme may also involve checks or the purchase of gift cards.

EXAMPLE

From: John Smith [mailto:jsmith@abcompany.com]
Sent: Monday, January 09, 2017 2:08pm
To: cjohnson@abccompany.com
Cc: urycjohnson@abccompany.com
Subject:  Urgent wire transfer needed
Cheryl,
Are you available to take care of a financial activity?
Email me back Now, let me know.
Thanks
John Smith
Sent from my iPhone

In the example above, the employee “Cheryl Johnson,” who normally processes invoice payments for ABC Company, receives an urgent request to conduct a wire transfer from what appears to be ABC Company’s CEO, “John Smith.” Potential red flags in this email include the “urgent” subject line and the sender’s specific instruction on how Cheryl should reply (“Email me back Now”).

In addition, the sender’s email domain (abcompany.com) is not identical to the legitimate domain (abccompany.com); a single missing letter is easy to overlook. The email also closes with “Sent from my iPhone,” a signature fraudsters frequently use to (1) suggest the sender is away from the office and not readily available for a phone call and (2) persuade the recipient to overlook spelling or grammatical errors.

Other typical scenarios utilized in this fraud scheme include:

  • A business that has a longstanding relationship with a supplier is asked to send funds for invoice payment to an alternate, fraudulent account.
  • A supplier/vendor receives an email – that they believe is from you – asking for payment to an alternate, fraudulent account.
  • A victim is contacted by a fraudster who impersonates a lawyer. The fraudster claims to be handling a confidential and time-sensitive matter, and requests a transfer of funds.
  • A fraudulent request is sent via a business executive’s compromised email account to people/entities in the business organization responsible for W-2s or maintaining personal information (e.g. HR). The fraudster requests employee W-2 information, which is subsequently used to commit income tax refund fraud.
  • A victim receives a request, apparently from their manager, to purchase gift cards for a work-related function or as a gift for a special occasion, using a corporate or personal credit card. The gift cards are then forwarded to the fraudster as instructed, sometimes simply by replying to the “manager” with the card numbers and the authorization codes scratched off the back of the cards.

How to protect yourself from becoming a victim

  1. Always be suspicious of pressure to act quickly.
  2. Establish and use other communication channels within your company and with your business partners, such as telephone calls, to verify significant transactions or to confirm changes to established payment beneficiary information (e.g. name, address, account number). Use a telephone number you already have on file, not one supplied in the email you are verifying.
  3. Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option and type in the correct email address, or select it from your email address book, so that the intended recipient’s correct address is used. “Reply” sends your response to whatever address the incoming message specifies, and if the message was spoofed that address is controlled by the fraudster. Forwarding to the known-good address ensures your response reaches the legitimate person, who can then alert you that the original email was not sent by them.
  4. Create email filtering or intrusion detection rules that flag messages whose sender domain resembles, but does not exactly match, the company email domain. For example, a rule protecting the legitimate domain abc-company.com would flag mail from abc_company.com.
  5. If possible, register lookalike variants of your actual company domain so that fraudsters cannot. For example, the company that owns “abccompany.com” would also register “abc-company.com.”
  6. Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been via company email, the request could be fraudulent.
  7. Be careful about what is posted to social media and company websites. For example, decide whether it is necessary to disclose job duties and descriptions, organizational hierarchy, out-of-office details, direct phone numbers and email addresses. Limiting this information makes it harder for fraudsters to target your employees through social engineering or phishing campaigns.
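The checks in items 4 and 5 above, and the red flags discussed under the example email, can be automated. The script below is an added example written for this page; it is not Comerica code, and it assumes the legitimate domain is abccompany.com, that messages are available as raw header-plus-body text, and that the three sample messages at the bottom are constructed for illustration. It generates the lookalike spellings a company might register (item 5), flags sender domains that match one of them or sit within two edits of the real domain (item 4), and goes a little beyond the page by also flagging a Reply-To address that differs from the From address (the mechanism behind the Forward-instead-of-Reply advice in item 3) and pressure wording such as “urgent” (item 1).

```python
"""Lookalike-domain and header checks for inbound mail (added example).

Assumptions (not from the Comerica page): the legitimate domain is
abccompany.com, messages are available as raw RFC 822 text, and the three
sample messages at the bottom are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAIN = "abccompany.com"

# Wording typical of the pressure-to-act-quickly red flag (assumed word list).
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|right away|asap|now)\b", re.I)


def lookalike_variants(domain: str) -> set[str]:
    """Generate the lookalike spellings of a domain that item 5 suggests
    registering: one character dropped, doubled or transposed, a hyphen or
    underscore inserted, and a few visually similar substitutions."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])             # abcompany
        variants.add(label[:i] + label[i] + label[i:])      # abcccompany
        if i + 1 < len(label):                              # abccopmany
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):
        for sep in "-_":                                    # abc-company, abc_company
            variants.add(label[:i] + sep + label[i:])
    for src, dst in {"l": "1", "o": "0", "i": "l", "m": "rn", "rn": "m"}.items():
        if src in label:                                    # abcc0mpany, abccornpany
            variants.add(label.replace(src, dst))
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches lookalikes the variant list missed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def address_domain(header_value: str) -> str:
    """'John Smith <jsmith@abcompany.com>' -> 'abcompany.com'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_message(raw: str, legit: str = LEGIT_DOMAIN) -> dict[str, str]:
    """Return {flag: detail} for a raw message; an empty dict means no red flags."""
    msg = message_from_string(raw)
    flags = {}
    from_dom = address_domain(msg.get("From", ""))
    if from_dom and from_dom != legit:
        if from_dom in lookalike_variants(legit):
            flags["lookalike-domain"] = f"{from_dom} is a known variant of {legit}"
        elif edit_distance(from_dom, legit) <= 2:
            flags["near-domain"] = f"{from_dom} is within 2 edits of {legit}"
    # A spoofed From: header is often paired with a Reply-To: the fraudster
    # controls, which is why the page advises Forward over Reply.
    reply_dom = address_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags["reply-to-mismatch"] = f"replies go to {reply_dom}, not {from_dom}"
    body = msg.get_payload() if not msg.is_multipart() else ""
    hit = URGENCY.search(msg.get("Subject", "") + "\n" + body)
    if hit:
        flags["urgency"] = f"pressure wording: {hit.group(0)!r}"
    return flags


# Constructed sample messages (not real traffic).
LOOKALIKE_MSG = """\
From: John Smith <jsmith@abcompany.com>
To: cjohnson@abccompany.com
Subject: Urgent wire transfer needed

Cheryl,
Are you available to take care of a financial activity?
Email me back Now, let me know.
"""

SPOOFED_MSG = """\
From: John Smith <jsmith@abccompany.com>
Reply-To: jsmith@abc-company.com
To: cjohnson@abccompany.com
Subject: Updated remittance details

Please send this month's invoice payment to the new account below.
"""

LEGIT_MSG = """\
From: John Smith <jsmith@abccompany.com>
To: cjohnson@abccompany.com
Subject: Q1 invoice batch

Cheryl, the Q1 batch is approved through the usual process.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_MSG), ("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)]:
        print(name, check_message(raw) or "no flags")
```

Run as a script it prints the flags for each sample: the lookalike message trips the domain and urgency checks, the spoofed message trips only the Reply-To check, and the legitimate message trips nothing. The variant list is the set you would hand to a registrar or put on a mail-gateway blocklist; the edit-distance fallback is a backstop for spellings the generator did not enumerate, and a threshold of two edits is a starting point to tune against your own mail volume.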

What to do if you become a victim

Notify us immediately if you discover any unauthorized or unusual activity involving your Comerica accounts.

Treasury Management customers: Contact Treasury Management Relationship Services at 800.852.3649.

All others: Contact your Comerica relationship manager or the nearest Comerica banking center.

If you are suspicious of an email you receive, you may forward it to us for review at the following mailbox ReportFraud[at]Comerica.com.

Helpful Resources

  • Anyone can learn more about cybersecurity through Comerica’s five online learning modules, Cyber Security 101, available on comerica.com. If you haven’t viewed them yet, we suggest that all your employees review them.
  • Review Comerica’s informational handout “Cyber Awareness Best Practices for Businesses.” Schedule a meeting with key financial personnel at your business to ensure they are following the best practices.
  • Review the tips in the FBI’s latest Public Service Announcement on Business Email Compromise, and the latest Public Service Announcement on Business Email Compromises involving gift cards.
  • To learn more about strategies and solutions that can help you protect your organization and yourself against fraud, contact your Treasury Management representative or Treasury Management Services at 888.341.6490.