The South African Banking Risk Information Centre (Sabric) has warned consumers about a scam known as “business email compromise” (BEC) where criminals literally “steal money by asking for it”. This scam targets specific employees in organisations who are authorised to transfer funds or make payments.

According to Mimecast's global State of Email Security Report 2019, "in the previous 12 months alone, 67 percent of organisations said they saw the volume of impersonation attacks increase, and 73 percent of impersonation attack victims experienced a direct resulting loss".

In addition, a recently issued public service announcement from the US Federal Bureau of Investigation states that, "between May 2018 and July 2019, there was a 100 percent increase in identified global exposed losses" due to BEC scams. These statistics are alarming, and South Africa has seen an increase in this type of scam in line with the global trend.

“Digital technology, combined with social engineering which exploits our human tendency to be compliant when faced with a directive from an authority figure, enables criminals to perpetuate this type of crime,” says Sabric acting chief executive Susan Potgieter.

Criminals use information obtained from company websites and/or other digital platforms to identify the details of chief executives, financial directors and other key senior individuals. They impersonate these individuals by sending electronic requests via email or text message to junior staff in the accounting or finance function, requesting that an urgent payment be made to a specific beneficiary.

Another way criminals gather the information needed to perpetrate this crime is through phishing attacks, where users are sent emails containing malicious links and are manipulated into clicking on them, which installs malware.

This malware is designed to access the network and monitor mailboxes so criminals learn about payment patterns, who the role players are, and understand communication styles, including typically used words or phrases.

This is to ensure that when a criminal impersonates the person issuing the directive to make a payment, it comes off as authentic and does not arouse suspicion.

Criminals also spoof the sender address, or register look-alike email domains, to trick the recipient into thinking that an email containing a payment instruction is from the usual authoriser.

By the time the employee realises that funds have been paid into the incorrect account it is too late, as criminals use accounts belonging to “money mules”, who open accounts for this purpose and further launder the money by quickly moving it into other accounts.

“We urge staff to be vigilant about checking a sender’s email address very carefully should they receive an email instructing them to make a payment. Often, the address will only differ by one or two characters,” says Potgieter.
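The look-alike domains described above (a sender address that differs from the real one by a character or two, or uses characters that resemble the real ones) can be checked by a mail gateway or a mailbox rule before a payment instruction ever reaches a junior employee. The following is an added example, not code from Sabric or the article: it parses the From and Reply-To headers of a message, measures the edit distance between the sender's domain and the organisation's own domains after folding common look-alike substitutions, and flags a display name that belongs to a known executive but arrives from some other address. The organisation domain, executive list, homoglyph table and the three sample messages are all constructed for illustration.

```python
import email.utils
from email import message_from_string

# Assumed organisation details (hypothetical, constructed for this example).
TRUSTED_DOMAINS = {"examplebank.co.za"}
KNOWN_SENDERS = {"thandi mokoena": "cfo@examplebank.co.za"}  # display name -> real address

# Substitutions that make a fake domain read like the real one at a glance.
# Multi-character swaps (rn -> m) run before single-character ones.
_HOMOGLYPH_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Lower-case a domain and fold look-alike characters to their plain form."""
    s = domain.lower()
    for fake, real in _HOMOGLYPH_PAIRS:
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message, trusted_domains=TRUSTED_DOMAINS, known_senders=KNOWN_SENDERS):
    """Return a verdict dict for one RFC 822 message based on its sender headers only."""
    msg = message_from_string(raw_message)
    display_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Domain that is not ours but is within two edits of ours (after homoglyph folding).
    if from_domain not in trusted_domains:
        for trusted in trusted_domains:
            distance = levenshtein(normalize(from_domain), normalize(trusted))
            if distance <= 2:
                findings.append(
                    f"look-alike domain: {from_domain} is within edit distance {distance} "
                    f"of {trusted} after homoglyph normalisation"
                )

    # 2. Display name of a known authoriser, but the address is not that person's.
    real = known_senders.get(display_name.strip().lower())
    if real and real.lower() != from_addr.lower():
        findings.append(f"display name '{display_name}' belongs to {real}, but the address is {from_addr}")

    # 3. Replies silently redirected to a different mailbox than the visible sender.
    _, reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {from_addr}")

    return {"from": from_addr, "suspicious": bool(findings), "findings": findings}


# Constructed sample messages (not taken from any real incident).
GENUINE = """From: Thandi Mokoena <cfo@examplebank.co.za>
To: accounts@examplebank.co.za
Subject: Supplier payment

Please process the attached invoice by Friday.
"""

LOOKALIKE = """From: Thandi Mokoena <cfo@exarnplebank.co.za>
To: accounts@examplebank.co.za
Subject: Urgent payment

Pay the new beneficiary today. I am in a meeting, do not call.
"""

FREEMAIL = """From: Thandi Mokoena <thandi.mokoena@webmail.example>
Reply-To: payments@mailbox.example
To: accounts@examplebank.co.za
Subject: Urgent payment

Change the supplier's bank details and pay today.
"""

if __name__ == "__main__":
    for sample in (GENUINE, LOOKALIKE, FREEMAIL):
        result = assess_sender(sample)
        print(result["from"], "->", "SUSPICIOUS" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("   ", f)
```

The check is a heuristic and only looks at headers, so it complements rather than replaces the advice in the article: a flagged message should be held, and any payment instruction, flagged or not, still needs out-of-band confirmation with the authoriser on a known number. Folding "rn" to "m" and "1" to "l" on both sides can occasionally make two honest domains collide, which only adds a false positive for a human to clear, never a missed look-alike.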

Organisations must also deploy multi-tiered risk-mitigation strategies to prevent BEC, including digital resilience mechanisms. Sabric