Businesses are increasingly falling prey to a clever email-based fraud that does not use sophisticated hacking techniques. Take a few simple steps to increase your company’s security, and if money is stolen you may be able to recover it if you act quickly.

How The Fraud Works

People envision computer crime as either highly technical hacking or unsophisticated email come-ons like the infamous Nigerian money scam emails. But an increasingly common kind of fraud lies in between, and relies on clever deceptions, “social engineering” and careful use of publicly available information that companies readily publish on their websites. This kind of fraud depends on use of a real email address that is deceptively similar to one that would be used by the target company or its legitimate suppliers to trigger a kind of “fictitious payee” scam. The target company is tricked into sending funds by wire transfer to a bank account under the fraudsters’ control. This bank account is often in Hong Kong, and the timeframe for intercepting and recovering funds that have been stolen in this way is very short.

Three Basic Elements To The Scam 

  1. Fraudsters secure an internet domain name that is visually very similar to the domain name of the target company or of the target’s real suppliers. For instance, if the target company is named USA101, Inc. and its domain is, the fraudsters will secure registration of
  2. Scammers will research publicly available information about the target company looking for the names of senior financial officers and employees, especially chief financial officers and comptrollers.
  3. Fraudsters will use what hackers call “social engineering” to secure the name and legitimate email address of a target company employee who is responsible for making large wire transfers. This last is usually done with one or two simple telephone calls: “Hi, I’m Fred Jones from ABC Bank. I need to send an email to whoever just sent us a wire transfer for $625,000. Can you give me that person’s name and email address?” It is fairly common that fraudsters can secure a name and email address over the phone in this way with very few attempts.

With that last piece of information, the fraudsters have two vital parts of the scam: the name and email address of a person who is authorized to initiate wire-transfers, and the format of legitimate company email addresses. If the name of the person with wire transfer authority is Sandy Smith and her email address in our example is, and they learn from the company’s website that the CFO’s name is Roger Black, they will know that the CFO’s legitimate email address will very likely be Putting all these pieces together can take experienced fraudsters just a few hours of work.

The next step in the scam is sending an email that purports to be from the company’s CFO to the person authorized to send wire transfer instructions, but using the deceptive domain name. In this example, the “From” line of the email will appear as “From: Roger Black <>.” Notice the extra zero in this email address? Unless you were forewarned, you’d be very likely not to notice it. Instead, when Sandy Smith receives an email from telling her to immediately send a wire transfer to a particular bank account (accompanied by a plausible explanation for why the funds should be transferred, often with legitimate-looking invoices attached), she may well do it.

A variation on this pattern is the use of a domain name deceptively similar to one of the target company’s regular suppliers. In this kind of case, the fraudsters need to know the identity of who is selling to the target company, something that may require some inside information. Instead of impersonating a company officer with authority to order wire transfers, the fraudsters impersonate the company’s supplier. Although the information required to put this scheme in play is harder to come by, once it is obtained, the fraudsters have a better chance of success, since the funds only need to be redirected to a bank account under the fraudsters’ control, while all other information fits the target company’s usual course of paying invoices submitted by a known supplier. Information about a supplier can be gained by searching websites of companies likely to be selling to the target company, which may list the supplier’s large customers, or through social engineering, e.g. by getting to know someone in the supplier’s sales force and waiting for the identity of the supplier’s large customers to be disclosed.

Where The Money Goes, And How To Get It Back (If You Act Fast)

The People’s Republic of China (PRC) is often in the news as the origin of sophisticated hacking attacks on Western private and government computer systems. But it is also one of the main launching pads for the simpler kind of fraud. Fraudsters in the PRC often use bank accounts in Hong Kong as the first destination for the money they trick target companies into wiring.

Three Reasons Why Hong Kong Is The Favored Destination For These Wire Transfers 

  1. It is geographically close to the place from which the fraudsters work and it’s relatively easy for them to travel to Hong Kong in person to set up the first-destination bank accounts.
  2. It has a very active business and commercial environment in which banks are accustomed to seeing high levels of activity between PRC suppliers and Western buyers. New companies opening new accounts into which large amounts of money are wire transferred by Western companies is a common occurrence for Hong Kong banks. Fraudsters can take advantage of the pattern of normal, legitimate business to mask their activities; in essence, they can hide in plain sight by blending in with the crowd.
  3. It has a vibrant entrepreneurial culture, so the legal mechanisms for creating new business entities are relatively easy for fraudsters to use to quickly set up a shell company cheaply for the purpose of creating a bank account.

Catching The Crooks

The people conducting these frauds know that they will be discovered quickly so their goal is to move the money they’ve stolen out of the original bank account as quickly as possible. However, in order not to trigger the banks’ automated fraud detection systems, they have learned that moving the money instantly is not a good idea. They also know to not move the money out of Hong Kong (their ultimate goal) in a single step. Instead, they may leave some or all of the funds in the original bank account for a day or more, and then move it in increments to other accounts in Hong Kong they control. Those secondary accounts will have an established pattern of moving money offshore to destinations (often to places such as Vanuatu, Vietnam) where banking controls are scant.

This last point, coupled with Hong Kong’s excellent legal system (still modelled after the English system under Hong Kong’s “one country, two systems” political status) provides some hope to companies that have fallen prey to the fraud, but only if they detect the fraud and act quickly.

In responding to such a fraud and being armed with the details (copies of the emails implementing the fraud and details about the fraudster’s account receiving the funds), the first step is to immediately contact the destination bank by telephone. Although banks usually won’t confirm in a telephone conversation that the transfer has been made or that funds are in the account, they will usually freeze activity in the account for the few hours it takes us to initiate legal action. Simultaneously with making the first phone call to the destination bank’s internal security department, a judicial process is started, in which the Hong Kong court will be asked to issue an order freezing the bank account and any other known assets of the person who has received the victim’s funds up to the value of the total losses suffered by the victim.

Once the court has issued the freezing order, it will be served on the bank, enabling it to continue to freeze the bank account. A civil action will be initiated in which the victim will claim the funds it has been cheated out of, plus interest and legal fees and other direct costs of the litigation. The recipient of the funds will often not answer the civil action, enabling the victim to enter judgment on its full claim by default. Armed with a default judgment, the judgment can be enforced by attaching the funds frozen in the recipient’s bank account, ultimately returning them to the victim. When making a freezing order the court will require the bank concerned to disclose full details of the recipient’s bank account, including full details of any transfers out of the account so that the victim can trace its funds and see where they have gone. The underlying civil claim can then be widened to include the persons who received the victim’s funds if they were sent on.

Protecting Your Business Against The “Email Imposter” Fraud

The most effective way to protect your business is to require a two-method verification: any email initiating a wire transfer to a new bank account should be confirmed with a phone call to the person purporting to order the payment. In the first example, this is a simple matter of a domestic telephone call from your accounting department to the CFO or comptroller who may be impersonated. In the second example, an overseas call to a known person actually employed by your company’s Chinese supplier at a previously agreed telephone number is required. The small additional expense is warranted as a safeguard against fraud schemes which usually aim to steal hundreds of thousands of dollars.

Beyond this, alerting all personnel involved in the process of authorizing and initiating wire transfer payments to the nature of the fraud described is a strong protection against becoming a victim. Two things all people involved in your company’s wire transfer procedures should be made aware of are 1) the risks arising from any communication from any source that directs payment to a bank account that has not been previously used to receive legitimate transfers, and 2) the possibility that email addresses may be used by fraudsters that are deceptively similar to your company’s or your suppliers’ email addresses.
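
The two warning signs above (a look-alike sender domain and a bank account that has never been paid before) can also be checked automatically before a wire request reaches the person who releases payments. The following is an added example, not part of the original article; the domains, account numbers and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample data, not taken from the article.
TRUSTED_DOMAINS = {"northwind101.example", "harbor-supply.example"}
KNOWN_ACCOUNTS = {"US-0001-555000", "HK-0002-777000"}  # accounts paid before

# Characters that are easy to confuse when an address is read quickly.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def fold(domain):
    """Reduce a domain to a rough visual skeleton (0/o, 1/l/i, rn/m, vv/w)."""
    folded = domain.lower().translate(CONFUSABLE)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, trusted domain matched or imitated, or None)."""
    # parseaddr ignores the display name, so a trusted-looking name
    # in front of a different address does not fool the check.
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    for trusted in sorted(TRUSTED_DOMAINS):
        if fold(domain) == fold(trusted) or edit_distance(domain, trusted) <= 2:
            return "lookalike", trusted
    return "unknown", None


def callback_reasons(from_header, beneficiary_account):
    """List why a wire request needs phone confirmation before payment."""
    reasons = []
    verdict, trusted = classify_sender(from_header)
    if verdict == "lookalike":
        reasons.append(f"sender domain imitates {trusted}")
    elif verdict == "unknown":
        reasons.append("sender domain is not a known company or supplier domain")
    if beneficiary_account not in KNOWN_ACCOUNTS:
        reasons.append("beneficiary account has not received a transfer before")
    return reasons
```

An empty list means neither warning sign was found; any other result should be routed to the phone confirmation described above rather than paid on the strength of the email alone.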

Armed with these protections, your business is less likely to fall victim to the new version of a very old scam. If you do detect that money has been stolen in this way, act immediately.

Hackers Target Corporate Email For Wire Transfer Fraud

The world’s enterprising cybercriminal population has found its newest weak link to exploit: corporate email systems. The new scam hotness entails getting small businesses to wire large sums of cash into false bank accounts.

Corporate account takeovers or business email fraud schemes are evolving into a big business. Between October 2013 and June 2015, companies lost over $1 billion via these methods, according to the FBI.

Though complaints have come in from around the world, the fraud efforts seem to be most tightly focused on the U.S. According to Patrick Fallon, a section chief in criminal investigation for the FBI, “organized crime groups from overseas and domestic-based actors” are typical perpetrators.

Fraudsters recently went after 25 Dallas companies, “with an attempted loss of over $100 million.” The emails appeared to be from high-level executives in the company being targeted, the FBI said in the advisory. A closer look would have revealed those emails came from a similar, but slightly different (and wrong) domain name. Another variation on this fraud sees criminals hijacking a corporate email system, grabbing a real message, altering it and allowing for a real payment to be diverted into their bank accounts.

Nacha, the industry-run group overseeing ACH transactions, “strongly advocates” that businesses “work together with their financial institutions to understand and use sound business practices to prevent and mitigate the risk of corporate account takeover.”

The limited good news here is banks can, in some instances, recover the funds by notifying the receiving bank that the incoming wire is an act of fraud. However, such “claw backs,” as WSJ calls them, must happen rather quickly, or they won’t happen at all.

“Once you reach beyond the 72-hour mark, it’s extremely difficult,” said Fallon.

Fraud alert: Scammers using hacked email accounts to hijack wire transfers

Illinois REALTORS® and their clients are being victimized by sophisticated wire fraud schemes rooted in hacked email accounts.

Example: Hackers who have already gained access to email accounts of sellers, buyers, real estate brokers or attorneys watch messages for words or phrases that indicate imminent real estate transactions. When closings are near, they intercept real messages and send counterfeit messages to the intended targets with instructions to wire funds to fraudulent accounts. If the victims send money to the accounts before they are discovered as fraudulent, the money may not be retrievable.

There are ways to try and make sure you and your clients aren’t victimized by schemes like this. IAR Legal Hotline Attorney Betsy Urbance and IAR Director of Information Technology Matt Brewer offer the following tips.

  1. If your office has its own information security policy, make sure you understand it and follow it. A security policy can contain rules concerning: acceptable use, email, password construction, security response and a clean desk policy discouraging employees from leaving confidential or proprietary information where anyone can see it.
  2. If your brokerage doesn’t supply you with encrypted email of its own, consider a free email system with built-in protections, such as Gmail, Hotmail or Yahoo.
  3. Don’t do business through public WiFi, but if you feel you must access email through WiFi, give it added protection by logging in to a Virtual Private Network (VPN) before logging in to your email account. A VPN creates a secure, encrypted connection between you (at a hotel) and the VPN provider (your business). It prevents someone from hacking into your messages from another room at the hotel.
  4. Use strong passwords (16 characters, at least one number, one uppercase letter, one lowercase letter and one special symbol) on all your accounts and change them frequently. Use
  5. Promptly return phone messages to clients, especially if they are being asked to send a wire transfer to a third party, independently verifying your clients’ phone numbers.
  6. Verify email requests for money or payments by calling the person who sent the request or talking to him or her in person before completing the transaction. Do this even if you know the person so that you prevent a hacker from impersonating a trusted business associate. Be skeptical of any email request for payment or money and double-check these requests by another method.
  7. Use two-step verification to protect your email from being hacked. Brewer says if you have two-step verification enabled, a text message is sent to your mobile phone whenever anyone attempts to open your email account from a device that hasn’t been used in the last 30 days. A code in the text message must be used to gain access to the email account. If you receive the text alert and you’re trying to access the account, you follow the instructions and go about your business. If someone else is trying to use your account, they will be unable to do so without the text message, and you will know something illegal is happening.
  8. Don’t trust anyone.

Managing Brokers and local association leaders – particularly individuals with information technology, financial or chief executive officer responsibilities – should be particularly vigilant, says Brewer, because cyber criminals will target their email accounts for use in scams.

Urbance says educate yourself about the methods criminals use, and implement best practices to protect confidential client information as well as company information.

For example, criminals may try to hack into email accounts to learn passwords, steal identities and later trick clients or business associates into sharing key information or inadvertently diverting payments into fraudulent accounts.

Controlling the damage

The National Association of REALTORS® suggests members consider cyber insurance through a specialist in advance of any problems. Also, NAR has recommendations in case of the theft of a money (wire) transfer. They include:

  • Call banks immediately to stop transfer.
  • Contact all other parties to the transaction.
  • Contact police.
  • Change all passwords.
  • Report incident to the FBI Internet Crime Complaint Center:
  • File report with REALTOR® associations.
  • Call the Attorney General.


Police: Emails hacked in wire transfer fraud

The Royal Cayman Islands Police Service Financial Crime Unit is investigating a number of incidents where bank details have been obtained by hackers who got into email accounts and then used information obtained from those accounts to send fraudulent wire instructions to various banks in Cayman. A police press release on the matter did not identify the specific banks hit by the wire transfer fraudsters.

According to police, scam victims have sent legitimate wire instructions to respective banks via email requesting wire transfers to various parts of the world.

Once that private information is provided, computer hackers can come into possession of bank account numbers, bank balances, scanned signatures and other confidential information.  The hackers/fraudsters then send subsequent emails from the victim’s email account instructing the local banks to wire further funds to various destinations.

The Financial Crime Unit believes hundreds of thousands of dollars have been fraudulently wired from the Cayman Islands to the US, Hong Kong, Singapore, Malaysia, Denmark and other jurisdictions.  By the time attempts are made to recall the fraudulent wires, the funds have been collected and it is too late.

According to a statement on the matter from police: “The Financial Crime Unit does not recommend sending banking details via email.  A telephone call to the bank could save hundreds of thousands of dollars and heartache in the long run.”