Imagine this scenario: You work at a title company and an individual who is buying a home calls frantically about the funds he transferred for the purchase. You have no record of receiving those funds.
The customer reports receiving an email that appeared to be legitimate and from your company. However, it becomes clear that the email account was compromised — a fraudster infiltrated your company’s email system and set up a bogus or “spoofed” account. The fraudster then directed the customer to send funds to an outside account in the fraudster’s control. The customer was directed to confirm the funds transfer via email once it was completed. This allowed the fraudster to quickly scoop up the funds and get away. Although your title company has not suffered a loss, the customer has lost thousands of dollars.
Your customer has just been victimized by an email account compromise (EAC) scam.
EAC scams are similar in many ways to business email compromise (BEC) crimes in which a fraudster poses as a senior executive and directs an employee to send an Automated Clearing House (ACH) payment or wire transfer. However, an EAC targets customer funds instead of company accounts. Using social engineering or computer infiltration techniques, fraudsters access email accounts and monitor email activity, searching for a likely victim. The fraudster then creates a spoofed email account that mimics the legitimate account and is hard to detect. This spoofed account is used to direct an unauthorized funds transfer from the victim.
The FBI has seen a dramatic increase in EAC scams among financial and brokerage services, real estate and title companies, and law firms, all businesses that frequently transfer funds for their customers. Requests for funds transfers can appear to be legitimate, and fraudsters know that not everyone takes the time to verify the sender’s email address or call to confirm the funds transfer request.
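The sender-address check described above can be partly automated. The following is an added example, not part of the original article or FBI guidance: it flags messages whose From domain is a near miss of the company's real domain, or whose Reply-To points somewhere other than the sender. The domain `example-title.test`, the function names, and the distance threshold are assumptions chosen for illustration, and the Reply-To check goes slightly beyond the spoofed-account case the text describes.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-title.test"  # assumption: the company's real mail domain

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def classify(raw_message, trusted=TRUSTED_DOMAIN, max_distance=2):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom
    findings = []
    if from_dom != trusted:
        # A domain within a couple of edits of the real one is the
        # "mimics the legitimate account" case; anything else is just external.
        if edit_distance(from_dom, trusted) <= max_distance:
            findings.append("lookalike-sender-domain")
        else:
            findings.append("external-sender-domain")
    if reply_dom != from_dom:
        # Replies (such as a transfer confirmation) would go to another domain.
        findings.append("reply-to-differs-from-sender")
    return findings

# Constructed sample messages, not real traffic.
SAMPLES = {
    "legit": "From: Closing Desk <closing@example-title.test>\n\nWire details",
    "lookalike": "From: Closing Desk <closing@examp1e-title.test>\n\nWire details",
    "reply_to": ("From: Closing Desk <closing@example-title.test>\n"
                 "Reply-To: closing@examp1e-title.test\n\nWire details"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A clean result here does not clear a message sent from a genuinely compromised mailbox, which is why the phone confirmation mentioned above still matters.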
Although customers are the targeted victims, companies can suffer as well, especially from bad publicity and the loss of trust and customer goodwill. These steps can help protect a company and its employees from EAC exploitation:
The FBI recommends that companies advise customers of the growing threat of EAC scams [1]. Customers should be encouraged to take the following actions to avoid falling victim:
[1] “Email Account Compromise,” public service announcement from the Federal Bureau of Investigation, Internet Crime Complaint Center, Aug. 27, 2015. Available at: https://ic3.gov/media/2015/150827-2.aspx