Directors Beware: Business Email Compromise - The Latest Fraud Scam Threatening Hong Kong Companies



International criminals are targeting staff of SMEs and multinational companies with money transfer authority in what the US Federal Bureau of Investigation are calling the "Business Email Compromise" (BEC) scam.

Introduction

Imagine you are a member of a finance team in a Hong Kong company. You receive an email from a contact in the accounts receivable department of one of your suppliers. The email contains an invoice for a shipment of goods recently received and requests that payment be made to a new bank account not previously used for such transfers. You reply to the email asking for details regarding the account switch and receive a further email explaining that the supplier is re-organising its business and banking setup and needs the transfer as soon as possible to facilitate this process. What would you do?


30 HKIoD: THE 21ST CENTURY DIRECTOR

Or imagine you receive an email from your CEO or Executive Director requesting that an urgent payment be made to facilitate a highly confidential transaction with a prospective overseas business partner. The CEO is out of town in a different time zone and not immediately available to discuss the payment, but it’s a relatively modest sum and you are worried that not making the payment could jeopardise the transaction. What would you do?

An increasing number of finance team members are making these transfers. The BEC scam takes advantage of the use of email (or instant messaging and texts) to authorise and conduct business transactions. Once the fraudulently induced transfers are made, the transferred money can be very difficult to recover.

A Disturbing Trend

Companies around the world are being victimised. The FBI says that it handled 2,126 cases of the BEC scam last year, with losses totaling US$215 million. The Hong Kong Police Force have indicated anecdotally that they are swamped with literally hundreds of these kinds of cases, which it classifies as “technology crime”. Since 2010, there has been a 300% increase in the numbers of technology crime cases reported in Hong Kong, and a 1,900% increase in losses suffered, with 80% of these losses resulting from BEC or similar scams. Further, cyber security incidents, which often go hand-in-hand with the BEC scam, doubled from 2013 to 2014.

These disturbing trends are likely the reason that in early 2015 the Technology Crime Division of the HKPF was elevated to bureau status and renamed the Cyber Security and Technology Crime Bureau.

Anatomy of A Scam

The BEC scam is simple and repeated with cookie-cutter precision in most of the cases we have seen. The elements of the scam are as follows:


Surveillance: The fraudster surveys the target company to gather as much information as possible to make the transfer request appear legitimate. Information gathered includes the company’s key personnel, business partners, common transactions, payment processes and normal payment cycles. A surprising amount of this information can be obtained from publicly accessible sources; however, the FBI suspects that much of it is obtained by fraudsters infiltrating the company's cyber security defenses. This often gives the fraudster access to emails, appointment calendars, business records and other information which make it easier to tailor a fraudulent transfer request which both appears legitimate and which often arrives at a time when key management are not available to confirm or authorise the transaction.

Fraudulent email: Next, the fraudster sends an email to a member of the victim company’s finance team requesting the fraudulent transfer. The email is sent from an address that is very similar to the actual address of a contact at a supplier or of a senior company executive, though it may even come from that person’s actual account if they have been hacked. The email is tailored to appear authentic by invoking inside information, and adopting the writing tone and mannerisms of the sender being impersonated. The emails are sent at a time when they would be expected to be received and also tend to coincide with periods of unavailability of senior management within the company who could verify or authorize the transfer. The emails request that relatively modest transfers, usually under US$1 million, be made to an overseas bank account and often attach authentic-looking invoices.

Pressure: The fraudster then sends follow-up emails to the targeted employee to pressure him or her into making the transfer, often without following the normal payment protocols. These emails play on the employee’s fear of making a mistake or harming a key business relationship. Once the fraudster has someone's attention, the emails will come thick and fast.

Receipt and onward transfer: Once the money is transferred to the fraudster's bank account it is then very quickly transferred through a number of additional bank accounts to frustrate any attempts to freeze or trace the funds. These accounts may belong to innocent "money mules" who are tricked into setting up the accounts and giving the Internet banking passwords, etc., to the fraudster. This allows the fraudster to transfer the money from account to account without ever having to enter the jurisdiction and risk criminal prosecution. Once the money is onward transferred out of the recipient account, it is very difficult to trace and recover.

Further requests: Once the fraudster has successfully lured the finance department into making a transfer, he will then often make requests for additional transfers. This is particularly problematic in the case of supplier payment redirection because often the scam is not identified until much later when the supplier comes asking for payment of its unpaid invoices. The anonymity the Internet can provide and the difficulty in prosecuting criminals in many foreign jurisdictions emboldens the fraudster to return to the scene of the crime again and again.

How to Respond If You’ve Been Scammed

The key to recovering scammed money is to catch the funds before they have been transferred onward from the recipient account. The victim company should immediately notify the remitting and receiving banks of the scam and put them on notice that they are dealing with the proceeds of crime and risk committing the offence of money laundering if they execute any further transfers of the money. Bringing legal counsel into the picture as soon as possible will maximize the chance of freezing the money.

The victim should also make an in-person report with local law enforcement agencies as soon as possible, particularly in the receiving jurisdiction. The police often have powers to order banks to freeze suspected proceeds of crime, without the victim needing to go through the expense and delay of obtaining a court order. The police can also take further steps to investigate the crime, but in our experience these investigations very rarely lead to the recovery of the funds.

Companies, if they are publicly listed or highly regulated, should also consider whether they have any notification obligations in relation to the scam, including notifying their insurers.

Preventing Being Victimized

It may only be a matter of time before your company is targeted by this scam. The following steps can be taken to avoid being victimized:

Staff Training: Finance team staff, particularly those responsible for outbound payments, should be trained to strictly adhere to formal payment procedures and to recognize the hallmarks of the BEC scam, including requests to switch payee accounts and requests to make “confidential” transfers. Staff should also be trained how to respond quickly once they discover they have been scammed.

Management accountability: Payment protocols apply to senior management as well. If a CEO is in the habit of sending payment instructions by email, or otherwise departing from normal payment procedures, they are putting the company at increased risk of being victimized by the BEC scam.

Verify: Finance staff should always scrutinize the email address of any message requesting outbound transfers, particularly where the email shows the hallmarks of the BEC scam. Fraudulent emails are often sent from email addresses quite similar to the address of the person being impersonated, but the brain very easily misses these tiny differences. If payment is requested into a new account, finance staff should make a telephone call to the payee, using a number already on file, to confirm the instructions. Do not trust inbound calls, as fraudsters have been known to call victim companies impersonating payee companies.

Cyber security: As the FBI suspects that many of these frauds are preceded by the fraudsters hacking into either staff email accounts or the company's broader IT system, companies should take steps to improve their overall cyber security, including training staff to recognize and avoid opening phishing emails.

Have a plan: Companies should implement a response plan to quickly and effectively freeze transferred money once a BEC scam has been discovered. The plan should set out what steps should be taken and, importantly, who is empowered to take them. The first minutes after discovery are vital and preparation can prevent the confusion, fear and paralysis that often slows down an effective response.

Business partners: The BEC scam can cause great stress to business relationships. Once the money is stolen, someone will have to absorb the loss. And the situation gets even stickier where one party is defrauded on account of its counterparty having been hacked. Companies should consider addressing the risk of BEC fraud with their various business partners, even by including language in commercial agreements on how to handle the fallout from such scams.
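As an added illustration of the Verify step above (example code written for this page, not part of the original article or any product), the following Python check flags a sender domain that is a close lookalike of a trusted supplier domain and the hallmark phrases the article lists (new payee account, urgency, "confidential"). The trusted domains, confusable-character pairs and sample messages are constructed assumptions; a real deployment would draw the allowlist from the vendor master file.

```python
import re

# Constructed allowlist: domains of known suppliers and of the company itself.
TRUSTED_DOMAINS = {"acme-supplier.example", "ourcompany.example"}

# Character pairs that look alike in common fonts; folded before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# Hallmarks named in the article: payee-account switch, urgency, confidentiality.
HALLMARKS = {
    "new-bank-account": r"\b(new|changed|updated)\b.{0,40}\b(bank|account|beneficiary)\b",
    "urgency": r"\b(urgent|immediately|as soon as possible|today)\b",
    "confidential": r"\bconfidential\b",
}


def normalize(domain):
    """Lower-case the domain and fold confusable glyph pairs to their lookalike."""
    d = domain.lower()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch transpositions and single-letter swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return 'trusted', 'lookalike' (within 2 edits of a trusted domain) or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, normalize(trusted)) <= 2:
            return "lookalike"
    return "unknown"


def bec_flags(sender, subject, body):
    """List the BEC hallmarks present in a payment request; an empty list means none."""
    flags = []
    verdict = classify_sender(sender)
    if verdict != "trusted":
        flags.append(f"{verdict}-sender")
    text = f"{subject}\n{body}".lower()
    flags += [name for name, pat in HALLMARKS.items() if re.search(pat, text)]
    return flags
```

A flagged message should be held for the telephone call-back described above rather than rejected outright, since a hacked genuine account passes the sender check and only the hallmark flags will catch it.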

Conclusion

Business Email Compromise is a global fraud trend that threatens all Hong Kong companies. Company management should take steps to address the risk and a good first step is to pass this article to your finance team. For more information, please contact the authors of this article.


Mr Dominic Wai is a Partner, Baker & McKenzie and Fellow Member of HKIoD. Mr Aaron Bleasdale is an Associate, Baker & McKenzie.

Hackers are increasingly using the medium of “phishing” emails to trick company employees to open malicious files or Internet links that install malware on their computers. Malware can be used to access emails and appointment calendars on the infected computer, or to launch a wider intrusion of the corporate IT estate. Many SMEs do not have the resources to repel or even detect a hacker once he has penetrated the IT defenses, but phishing attacks have also been the starting point for more sophisticated attacks against many of the world’s largest, and most well defended, companies.