RANE Expert Matthew Levine on FinCEN’s Updated Advisory on Email Compromise Fraud
Last week, the Financial Crimes Enforcement Network (FinCEN) issued an updated advisory on Email Compromise Fraud Schemes. The advisory provides current operational definitions and general trends in Business Email Compromise (BEC) schemes, information concerning the targeting of non-business entities and data by these types of schemes, and risks associated with the targeting of vulnerable business processes. FinCEN also issued an in-depth Financial Trend Analysis of Bank Secrecy Act (BSA) data that explores industries targeted and methodologies used by BEC scammers. We spoke with RANE Network expert Matthew Levine, who leads the Financial & Regulatory Compliance Services Practice at Guidepost Solutions, about this growing trend.
Since the 2016 BEC Advisory was issued, Suspicious Activity Reports (SARs) to FinCEN detailing BEC schemes have risen considerably. In 2016, FinCEN averaged approximately 500 of these reports per month; by 2018, that amount had more than doubled to over 1,100 reports per month. The average total loss amounts from BEC schemes saw similar increases, with the average monthly losses rising from $110 million to over $300 million between 2016 and 2018. In total, FinCEN has received over 32,000 reports involving almost $9 billion in attempted theft from BEC fraud schemes affecting US financial institutions and their customers. As such, FinCEN has issued updated and expanded guidance on email compromise fraud.
Upon reviewing the newest iteration of the Advisory, Mr. Levine did not see any significant new details from the 2016 version that would necessitate marked changes in what companies should already be doing as a matter of standard care. The fundamentals are consistent, but the advisory does – as seems to be the trend of 2019 from regulators – provide a much clearer and fuller understanding of the problem; the information supplied fleshes out what vulnerabilities are being exploited, where they’re being identified, and what updated forms of schemes are being seen more often.
Although it does provide more context and detail, Mr. Levine cautions that this is only a partial picture of the full scope of attacks, as the Advisory is built on information derived from SARs. He remarks that it’s hard to know what happens when an event occurs at an institution that isn’t required to file a SAR, or how an event is handled if it is stopped before reaching a financial institution and never makes it into a report.
One difference that Mr. Levine finds interesting is that FinCEN is seeing different types of schemes beyond pure wire transfers. In this updated Advisory, FinCEN has observed BEC schemes fraudulently inducing funds or value transfers through other methods of payment, such as convertible virtual currency payments, automated clearing house transfers, and purchases of gift cards. Mr. Levine posits that crypto assets’ shift into the mainstream between 2016 and now is one of the reasons more SARs are referencing efforts involving virtual currency as a means of moving money for BECs. He recommends staying alert to evolving forms and methods of value transfer.
The Advisory notes that the top three target industries for BEC schemes are: (1) manufacturing and construction (25% of reported cases); (2) commercial services (18%); and (3) real estate (16%). These industries are likely targeted with greater regularity because they tend to make frequent wire payments to numerous suppliers and because more client information is publicly available for these businesses. Industries with public-facing information about their business transactions and processes can present attractive targets for BEC schemes. Communications that integrate publicly available information with private information obtained via email compromise can be extremely effective in fraudulently inducing an individual to send wires to accounts controlled by a BEC criminal. By understanding the nature of these social engineering schemes and by assessing and mitigating the vulnerabilities in their business processes, financial institutions and their customers can reduce their susceptibility to BEC fraud.
The best and most effective way to reduce susceptibility to BEC fraud, Mr. Levine advocates, is internal training of employees. Regardless of what type of training program is used, Mr. Levine asserts that it is essential that it gets done, that it is refreshed periodically, and that someone in the company owns responsibility for ensuring that the training is working. He encourages auditing training by running internal tests of employees to make sure they are not falling prey to phishing or spoofing emails, and he suggests that when an employee does click on something he or she is not supposed to, there should be a process in place to understand to whom, how, and why it happened.
- RANE Staff