2017-09-14

Circular CN-FIU/2017/15: Information Paper on BEC Scams

The Maldives Monetary Authority issued Circular CN-FIU/2017/15 to direct all regulated banks to implement preventive measures against Business Email Compromise (BEC) scams. The circular mandates that banks enhance internal controls, including risk assessments, staff training, and customer awareness, to mitigate financial fraud risks. Additionally, banks are required to file suspicious transaction reports with the Financial Intelligence Unit immediately upon suspecting BEC-related activities.

MALDIVES MONETARY AUTHORITY MALDIVES

Circular No: CN-FIU/2017/15

September 14, 2017

TO: ALL BANKS

INFORMATION PAPER ON BEC SCAMS

This Circular is issued to all banks regulated by the Maldives Monetary Authority that provide banking services to their customers.

Financial and other forms of fraudulent activity are known to evolve from time to time. Banks and other financial institutions, their customers and the economy often fall victim to such fraudulent activities and scams. Such fraudulent practices and activities are criminal offences subject to prosecution and penalties.

Based on the information the Financial Intelligence Unit has received, it has come to this Unit's attention that banks and their customers continue to fall victim to a scam commonly known as the BEC scam (business e-mail compromise scam).

As these scams involve fund transfers conducted through the banking system, banks should take all necessary measures to prevent and minimize risks to the banks, the customers and the economy from BEC scams and other similar fraudulent activities.

The attached information paper is issued to the banks to raise awareness of these scams and banks are advised to consider whether the prevention measures are adequately addressed in:

  • implementation of policies and procedures
  • risk assessments
  • application of enhanced due diligence measures
  • staff training
  • customer awareness

All queries relating to this Circular shall be directed to this Unit at our e-mail address fiu@mma.gov.mv.

Yours sincerely,

Abdulla Ashraf
Head of FIU
Financial Intelligence Unit

ENCL: Information Paper on Business E-Mail Compromise Scams


INFORMATION PAPER ON BUSINESS E-MAIL COMPROMISE SCAMS

Information paper to assist banks in identifying and implementing relevant internal controls to prevent and protect the banks and their customers from falling victim to BEC scams.

14 September 2017


CONTENTS

  • Introduction
  • Brief overview of Business E-mail Compromise Scams
  • What is it?
  • How is it done?
  • Examples
  • Characteristics of BEC Scams
  • Recommendations for Prevention and Best Practices
  • Reporting
  • Customer Awareness and Training
  • References


How is it done?

The victims of the BEC scam range from small businesses to large corporations. The victims deal in a wide variety of goods and services, indicating that no specific sector appears to be targeted.

It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive "phishing" e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).

Some individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the actor(s) unfettered access to the victim's data, including passwords or financial account information.

As the examples of BEC scams below show, some scams involve a combination of spoofing, document fraud, phishing and other forms of financial crime.

Examples

Business working with a Foreign Supplier: A business, which often has a long standing relationship with a supplier, is requested to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile, or e-mail.

Business Executive Receiving or Initiating a Request for a Wire Transfer: The e-mail accounts of high-level business executives (CFO, CTO etc.) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is normally responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.”

Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail: An employee of a business has his/her personal e-mail hacked. This personal e-mail may be used for both personal and business communications. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee's personal e-mail to multiple vendors identified from this employee's contact list. The business may not become aware of the fraudulent requests until that business is contacted by a vendor to follow up on the status of an invoice payment.

Business Executive and Attorney Impersonation: Victims report being contacted by fraudsters, who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds. This type of BEC scam may occur at the end of the business day or work week and be timed to coincide with the close of business of international financial institutions.

Financing Scheme based on Fraudulent Financial Instruments: A bank receives an e-mail from a foreign financial institution (apparently a fictitious institution) notifying the bank that a customer of that bank has requested funding against a monetary instrument that the bank has allegedly issued to its customer. The supporting documents appear to be issued by bank officials, and a representative acting on behalf of the customer also appears to have signed some of the supporting documents. When the bank


  • Out of Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions and transfer instructions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  • Digital Signatures: Both entities on each side of a transaction should utilize digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
  • Delete Spam: Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
  • Forward vs. Reply: Do not use the "Reply" option to respond to any business e-mails. Instead, use the "Forward" option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient's correct e-mail address is used.
  • Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee's e-mail account through a compromised password by requiring two pieces of information to login: something you know (a password) and something you have (such as a dynamic PIN or code).
  • Raised awareness of the BEC scam has helped businesses detect the scam before sending payments to the fraudsters. Some financial institutions reported holding their customer requests for international wire transfers for an additional period of time, to verify the legitimacy of the request.
  • Use the following measures for added protection:
    • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
    • Register all company domains that are slightly different than the actual company domain.
    • Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel.
    • Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
    • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
    • Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
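The two e-mail-level checks in the list above (flagging sender domains that look like the company's own domain, and not trusting the reply path an incoming message supplies) can be run automatically at the mail gateway. The following is an added example, not part of the information paper and not the Authority's own tooling: it reuses the paper's illustration of a legitimate abc_company.com versus a fraudulent abc-company.com, but generalizes the comparison to also catch character-substitution lookalikes and single-character edits. The trusted-domain set and the three sample messages are constructed for the demonstration.

```python
"""Gateway-side checks for two BEC red flags: lookalike sender domains and
Reply-To addresses that diverge from the sender. Added example; trusted
domains and sample messages below are constructed, not real data."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# The paper's own illustration: the legitimate domain is abc_company.com.
TRUSTED_DOMAINS = {"abc_company.com"}


def normalize_domain(domain: str) -> str:
    """Collapse the differences fraudsters rely on so that lookalikes
    compare equal to the real domain: separator swaps (abc-company vs
    abc_company), digit-for-letter swaps (0/o, 1/l, 3/e) and the
    rn-for-m / vv-for-w tricks."""
    d = domain.lower().strip()
    d = re.sub(r"[-_]", "", d)
    d = d.translate(str.maketrans("013", "ole"))
    d = d.replace("rn", "m").replace("vv", "w")
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches a single dropped or changed character
    (abc_company.co, abc_compamy.com) that normalization does not."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Extract the domain part from a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True when the domain is not ours but imitates one of ours."""
    if not domain or domain in trusted:
        return False
    return any(
        normalize_domain(domain) == normalize_domain(t) or edit_distance(domain, t) <= 1
        for t in trusted
    )


def check_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings for one RFC 5322 message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    findings = []
    if is_lookalike(sender, trusted):
        findings.append(f"sender domain {sender} imitates a company domain")
    # A Reply-To pointing elsewhere is the classic way a spoofed message
    # steers the employee's "Reply" to a fraudster-controlled mailbox.
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")
    return findings


# Constructed sample messages (not real correspondence).
LOOKALIKE_SENDER = """From: CFO <cfo@abc-company.com>
To: payments@abc_company.com
Subject: Urgent wire

Please process today.
"""

REPLY_TO_SWAP = """From: CFO <cfo@abc_company.com>
Reply-To: cfo.abc@webmail.example
To: payments@abc_company.com
Subject: Confidential matter

Reply to me directly.
"""

LEGITIMATE = """From: CFO <cfo@abc_company.com>
To: payments@abc_company.com
Subject: Invoice 42

See attached.
"""

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE_SENDER), ("reply-to", REPLY_TO_SWAP), ("legit", LEGITIMATE)]:
        print(name, check_message(raw) or "clean")
```

The Reply-To rule is deliberately strict; a bank running this would whitelist the few legitimate cases (ticketing systems, mailing lists) rather than loosen the rule, since the fraudulent pattern is exactly a trusted-looking sender with an external reply path.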

Reporting

It is commonly understood that international remittances often pass through several correspondent banks before the funds are credited to the recipient, and in these cases the transaction crosses several jurisdictional borders. Hence, banks are encouraged to instruct their correspondent banks to stop the transaction as soon as possible upon suspicion.

In addition, banks must file a suspicious transaction report with the Financial Intelligence Unit as soon as the bank forms the suspicion that an activity or transaction is involved in a BEC scam. The same reporting requirement applies to both attempted and executed transactions and activities.