FBI Warning: Invoice Scams

The FBI is warning businesses to be aware of 3 versions of an invoice scam that they now term "Business E-mail Compromise" (BEC). The end result is a fraudulent wire-transfer payment to a foreign bank most commonly located in China and Hong Kong. These schemes are generally preceded by cyber-attacks by criminals to gather information on their victims.

The BEC attack generally targets chief technology officers, chief financial officers, or controllers who receive what appears to be a legitimate invoice, via their business email account, from a business partner. The fraudulent invoice requests that payment be made via wire transfer to a designated bank account. The perpetrators of the fraud closely monitor their victims to identify which individuals within an organization to target and what protocols are used. The BEC attacks are generally preceded by some other phishing scam or other cyber-attack to assist in the information-gathering process. The three identified versions of the BEC scheme are:

"Invoice Modification Scheme", "The Bogus Invoice Scheme", or "The Supplier Swindle": this scheme relies on very closely mimicking existing invoice payment requests via phone, fax, or email. The fraudulent requests easily pass casual inspection.

"Financial Industry Wire Frauds", "Business Executive Scam", "CEO Fraud": execution of this scheme requires that the attacker either hack or spoof the business email account of a member of a company's executive team (CEO, CFO, ...). The exploited email account is then used to make the fraudulent wire transfer request to an internal employee responsible for processing such requests or directly to the company's financial institution.

Personal email exploit: in this instance the fraud is perpetrated by hacking the personal email account of an employee. By using the employee's contact list to identify vendors, the scammer is able to send fraudulent but authentic-looking payment requests.

There are a number of cyber-security measures that businesses should take to guard against these types of attacks. Some protections involve the use of security software while others are more policy driven. It is important to note that the attacks could also result from the security exploit of a business partner (as was the case with Target).
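As an added illustration of the "security software" side of those measures (this is example code written for this page, not an FBI tool or any product), the script below triages an inbound payment request for the indicators the three schemes above share: a Reply-To header that steers the conversation away from the apparent sender (the spoofed executive account in CEO Fraud), a sender domain that is a near-miss of the company's own or a known vendor's domain (the close mimicry of the Supplier Swindle), and payment-redirection language in the message. The organisation domain, the vendor list, and both sample messages are constructed for the example.

```python
"""Heuristic triage of inbound invoice / payment-request e-mails (example code).

Flags the tell-tale signs of the BEC variants described in the FBI warning:
a Reply-To that redirects replies away from the apparent sender, a sender
domain that is a near-miss of our own or a known vendor's domain, and
payment-redirection language in the subject or body. Every domain and
message below is constructed for this example.
"""
import email
from email import policy
from email.utils import parseaddr

OWN_DOMAIN = "example-corp.com"                                       # assumed organisation domain
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-parts.com"}   # assumed approved vendors
# Phrases that commonly accompany a fraudulent request to redirect a wire payment
REDIRECT_PHRASES = ("wire transfer", "wire the", "new bank account",
                    "updated bank", "updated account", "urgent", "confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_message(raw: str) -> list:
    """Return human-readable findings for one raw RFC 822 message; [] means nothing fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(str(msg.get("From", "")))
    reply_to = str(msg.get("Reply-To", ""))
    # 1. Reply-To sends answers somewhere other than the apparent sender's domain
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"reply-to domain {domain_of(reply_to)} differs from sender domain {from_dom}")
    # 2. Sender domain is within two edits of our own or a trusted vendor domain
    for trusted in {OWN_DOMAIN} | KNOWN_VENDOR_DOMAINS:
        if from_dom != trusted and levenshtein(from_dom, trusted) <= 2:
            findings.append(f"sender domain {from_dom} looks like {trusted}")
    # 3. Payment-redirection language in subject or plain-text body
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [p for p in REDIRECT_PHRASES if p in text]
    if hits:
        findings.append("payment-redirection language: " + ", ".join(hits))
    return findings


# Constructed sample: CEO-fraud style request from a look-alike domain
SPOOFED_REQUEST = """From: "Jane Doe CFO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.cfo@freemail-example.net
To: ap@example-corp.com
Subject: Urgent vendor invoice
Content-Type: text/plain; charset="utf-8"

Please wire the attached invoice today to the new bank account. Keep this confidential.
"""

# Constructed sample: routine invoice from an approved vendor
LEGIT_INVOICE = """From: "Billing" <billing@acme-supplies.com>
To: ap@example-corp.com
Subject: Invoice 1042 for March
Content-Type: text/plain; charset="utf-8"

Attached is invoice 1042. Terms net 30 as agreed.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_REQUEST), ("legit", LEGIT_INVOICE)):
        print(label, assess_message(sample) or ["no indicators"])
```

A hit from any of the three checks is a reason to route the request through the out-of-band verification step (a phone call to a number already on file, not one in the email), not proof of fraud; the edit-distance threshold and phrase list are deliberately simple and are the parts a deployment would tune.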