After analyzing data collected in Suspicious Activity Reports (SARs), the Financial Crimes Enforcement Network (FinCEN) issued an update to a 2016 Advisory alerting financial institutions on how best to combat criminal schemes that compromise business email accounts. The problem of criminals targeting business fund transfers is not small. So-called “Business Email Compromise” (BEC) scammers possibly stole billions of dollars from companies and individuals in 2018, more than in prior years, according to a new FinCEN Financial Trend Analysis of the SARs data. In this article, Bates considers the informed guidance in FinCEN’s new 2019 Advisory to financial institutions, as well as some of the salient conclusions drawn from the trend analysis report.
As reflected in the SARs filings, the problem of BEC fraud has grown. In 2016, BEC accounted for under 500 reports per month, with the attempted thefts averaging about $110 million over that period. By 2018, nearly 1,100 reports per month were generated with attempted thefts averaging over $300 million for the same period. According to the 2019 Advisory, since the last advisory was issued, “FinCEN has received over 32,000 reports involving almost $9 billion in attempted theft from BEC fraud schemes affecting U.S. financial institutions and their customers. This represents a significant economic impact on the businesses, individuals, and even governments that are targeted by these schemes.”
FinCEN concluded that the sectors most targeted by BEC fraudsters are (i) manufacturing and construction, (ii) commercial services and (iii) real estate. That led FinCEN to caution industries with “public-facing information about their business transactions and processes”—i.e. education, real estate and agriculture—that they are particularly vulnerable to BEC crime.
In the updated advisory, FinCEN reaffirmed the “typologies” of BEC schemes contained in its original advisory. These include, among others, hacking into accounts, spear phishing, specialized malware, “spoofing domains to send familiar-looking messages seemingly from a trusted party,” vendor impersonation and the like.
In the update, FinCEN discussed broadening the definitions of BEC to cover (i) more affected entities and (ii) any type of email fraud that may be used to misdirect payments or other things of value, including personal or business data and forms. As to the latter, FinCEN warned financial institutions that “risk from BEC fraud extends to the authentication and authorization processes for receiving sensitive data about the organization or their customers.” FinCEN noted enforcement actions taken against, for example, criminals that stole Personally Identifiable Information (PII) and Wage and Tax Statement (W-2) forms.
As to broadening the definition of “payments,” FinCEN now includes virtual currency payments, automated clearing house transfers, and purchases of gift cards, to name a few. (Note: This is consistent with FinCEN’s recent advisory on cryptocurrencies. See Bates’ coverage here.)
Regarding broadening the category of entities affected by BEC, FinCEN warned of an increasing trend by criminals to not only target high-net-worth individuals through their financial institutions, but also to attack non-business entities, including non-profits and government agencies that use email to transact payments between partners, customers, and suppliers.
For government agencies, FinCEN reports that the SARs reflect the targeting of pension funds and payroll accounts, as well as other contracted services. For non-profit institutions, FinCEN references attacks against educational institutions (“appealing targets for BEC criminals”) because these institutions engage in high-dollar tuition, endowments, grants and construction transactions. FinCEN also warned financial institutions that they themselves could be victims of BEC schemes. In particular, FinCEN noted enforcement actions in 2018 in which criminals spoofed bank Internet domains and sent messages to bank employees with payment instructions containing fraudulent SWIFT reference numbers.
The Financial Trend analysis compared changes in the data since 2016. The primary findings included the identification of the three sectors hardest hit by BEC scams mentioned above and the diversification of their targets (non-profit, government and financial institutions) in 2018.
FinCEN also found that of the many types of BEC fraud schemes, fraudulent vendor invoice scams grew to 39 percent in 2018 (from 30 percent in 2017) and accounted for 41 percent of total transaction amounts. FinCEN asserted that fraudulent vendor invoicing was the most common form of BEC crime last year. Only a year earlier, the most frequent BEC method used by criminals (based on the SARs reports) involved emails impersonating a company executive (a scam which declined over 20 percent year-over-year.)
The 2018 figures are instructive, as this Trend Report graph illustrates:
FinCEN concluded that the emergence of one type over the other was “likely due to awareness of such schemes in the business community.” Further, FinCEN surmised that scammers have turned to fraudulent vendor invoices and the targeting of certain industries because those methods are more lucrative. For example, FinCEN concluded that the average transaction amount related to a vendor or client invoice was $125,439, versus scams involving the impersonation of a CEO ($50,373). With these observations, FinCEN offers an early glimpse at the sophistication and versatility of BEC scammers. The report also shows the potential of SARs data—which will only get more robust as more data is collected—to inform enforcement and regulatory policy.
FinCEN offered a number of conclusions based on the SARs data. Generally, BEC criminals target certain sectors of the economy more than others (manufacturing, commercial services and real estate); they do so with particular types of scams aimed at particular vulnerabilities inherent in that sector; they prioritize those markets that offer the greatest return per scam, and they react to changing market business conditions.
FinCEN’s Financial Trend Report is both an exercise in mining data from SARs reports and a demonstration of how that information impacts the direction of law enforcement. For the BEC analysis, the data indicates that there have been substantial changes in how the scam has developed over the last few years. According to Bates Group’s Financial Crimes Managing Director Ed Longridge, “The advisory is an example of how those findings may translate into regulatory priorities. It is important for firms to adapt their compliance policies, payment and reconciliation procedures, training and internal controls to both report and work to prevent this type of financial fraud.”