Email Account Compromise Scams Target Customer Transactions

Imagine this scenario: You work at a title company and an individual who is buying a home calls frantically about the funds he transferred for the purchase. You have no record of receiving those funds.

The customer reports receiving an email that appeared to be legitimate and from your company. However, it becomes clear that the email account was compromised — a fraudster infiltrated your company’s email system and set up a bogus or “spoofed” account. The fraudster then directed the customer to send funds to an outside account in the fraudster’s control. The customer was directed to confirm the funds transfer via email once it was completed. This allowed the fraudster to quickly scoop up the funds and get away. Although your title company has not suffered a loss, the customer has lost thousands of dollars.

Your customer has just been victimized by an email account compromise (EAC) scam.

EAC scams are similar in many ways to business email compromise (BEC) crimes in which a fraudster poses as a senior executive and directs an employee to send an Automated Clearing House (ACH) payment or wire transfer. However, an EAC targets customer funds instead of company accounts. Using social engineering or computer infiltration techniques, fraudsters access email accounts and monitor email activity, searching for a likely victim. The fraudster then creates a spoofed email account that mimics the legitimate account and is hard to detect. This spoofed account is used to direct an unauthorized funds transfer from the victim.

The FBI has seen a dramatic increase in EAC scams among financial and brokerage services, real estate and title companies, and law firms, all businesses that frequently transfer funds for their customers. Requests for funds transfers can appear to be legitimate, and fraudsters know that not everyone takes the time to verify the sender’s email address or call to confirm the funds transfer request.

Although customers are the targeted victims, companies can suffer as well, especially from bad publicity and the loss of trust and customer good will. These steps can help protect a company and its employees from EAC exploitation:

Require that all funds transfer requests be verified with customers by phone or in person, and let customers know this is company policy.

Keep the company’s internet and computer system security software up to date.

Use a secure network for customer communications regarding financial matters.

Do not share account numbers or other account information through email.

Control internet access for employees by setting up whitelist/blacklist security measures to restrict which websites employees can visit. This can help diminish the risk of downloading corrupted software and programs that could infect a computer with a virus.

Question unusual language, requirements or urgency from customers regarding funds transfer requests.

The FBI recommends that companies advise customers of the growing threat of EAC scams¹. Customers should be encouraged to take the following actions to avoid falling victim:

Do not open email messages or attachments from unknown individuals and be cautious of clicking links within emails from unknown persons.

Because email requests for funds transfers can appear legitimate, be aware of small changes or discrepancies in email addresses that mimic legitimate ones.

Be cautious of urgent requests for funds transfers.

Question any changes to funds transfer instructions by contacting the email sender by phone or in person, and not by email.

Agree to have a dual authorization process in place for funds transfers, such as requiring verbal confirmation using a telephone number known by both parties.

Notify the FBI and law enforcement if you have become the victim of an EAC scam.

¹ “Email Account Compromise,” public service announcement from the Federal Bureau of Investigation, Internet Crime Complaint Center, Aug. 27, 2015. Available at: https://ic3.gov/media/2015/150827-2.aspx