By Brian Monroe
September 8, 2016
Financial institutions need to more tightly knit together their anti-money laundering, fraud and cybersecurity teams to better thwart an explosion of online attacks against individuals and businesses, a criminal tactic relying on human error to compromise accounts to the tune of billions of dollars.
That is the crux of an advisory and related guidance released this week by the Financial Crimes Enforcement Network (FinCEN) that exhorts these teams to break down silos in order to tackle the rising scourge of business email compromise (BEC) and email account compromise attacks (EAC). The advisory amounts to a championing of the virtues of compliance convergence by the country’s arbiter of anti-money laundering (AML) rules.
The guidance by FinCEN is more evidence that the nation’s financial intelligence unit is taking a stronger role in countering a broader array of financial crimes. Rather than focusing most of its resources on large money laundering and terrorist financing cases, its historical imperative, FinCEN is also more deeply exploring the intersections of corruption, fraud and cybersecurity.
It’s also no surprise that FinCEN chose these two particular attack vectors to provide guidance to financial institutions, as BEC and EAC attacks can thwart even the most powerful financial crime controls, because they focus on what can be the weakest link in any bank’s cyber or fraud countermeasures – the human element.
In the schemes, criminals “compromise the e-mail accounts of victims to send fraudulent wire transfer instructions to financial institutions in order to misappropriate funds,” according to FinCEN, noting that in BEC attacks the targets are commercial customers and in EAC attacks, the bull’s-eye is on personal account details.
“BEC and EAC schemes are among the growing trend of cyber-enabled crime adversely affecting financial institutions,” according to the advisory, adding that since 2013, there have been approximately 22,000 reported cases of BEC and EAC fraud involving $3.1 billion.
In some cases, banks absorbed the customers’ losses to reimburse victims, but banks do have some ability to lower that figure by attacking the problem in a more holistic way.
“Financial institutions can play an important role in identifying, preventing, and reporting fraud schemes by promoting greater communication and collaboration among their internal anti-money laundering (AML), business, fraud prevention, and cybersecurity units,” according to FinCEN.
Such a pronouncement by FinCEN is the “first indication that a move amongst regulators will exist to examine the inter-relationship of compliance within an organization and how they collaborate to ensure efficiency and effectiveness for thwarting all aspects of financial crime,” said ACFCS Executive Director Garry Clement.
“It is my strongly held belief that the siloed approach for compliance has hampered our collective ability to prevent the financial industry from continuing to be the conduit for financial crime activities, which includes money laundering and terrorist financing,” he continued.
The bureau further underscored this directive in detailing what specific departments in a bank have a role to play. According to the advisory itself, the guidance should be shared with:
- Cybersecurity departments
- Risk departments
- Fraud prevention units
- BSA/AML management
- AML intelligence units
- AML analysts/investigators
Compliance agility, fluidity crucial for success
The responsiveness, agility and fluidity of financial crime compliance departments are crucial to the success of preventing email compromise frauds, identifying incidents and also recovering pilfered funds. Quick reporting to law enforcement can mean greater success in retrieving stolen funds.
Working with the FBI and the U.S. Secret Service, FinCEN has “successfully assisted in the recovery of hundreds of millions of dollars in the past year,” according to the advisory.
But while the “recovery of BEC stolen funds is not assured, FinCEN has had greater success in recovering funds when victims or financial institutions report BEC-unauthorized wire transfers to law enforcement within 24 hours.”
The FinCEN BEC guidance is “good information and hopefully will kind of force the hand of banks to be more collaborative” within their financial crime compliance teams, rather than having separate silos, said a compliance officer at a mid-size bank in Texas. “It demonstrates they would like to see more” training and communication on all areas of financial crime.
Complying with the guidance, though, could be a challenge for some banks, whether small or large.
It would take at least 12-18 months to create and implement broad-spectrum training that covers AML, fraud and cybersecurity, and also to upgrade systems so that all teams are on the same platform or at least have access to the same monitoring and reporting systems, said the person, who asked not to be named.
Currently, the various teams for the Texas bank are generally siloed, but in the last year, AML has been more closely working with the cybersecurity division, and vice versa, attempting to detect suspicious IP addresses, while the fraud team has been more proactive in reaching out to the AML team on certain customers and also with reportable activity for SARs, said the compliance officer.
The fraud team is also trying to get the cybersecurity team involved more quickly when there are aberrant and out-of-scope requests for wires to certain locales, said the person.
“I wouldn’t say it’s perfect, but it’s working,” said the compliance officer. “We are trying to get everyone on board, but it’s a slow process.”
How BEC and EAC Schemes Work:
Unlike account takeover activity, e-mail-compromise schemes involve impersonating victims to submit seemingly legitimate transaction instructions for a financial institution to execute. In account takeover activity, criminals access victims’ accounts and are able to directly execute transactions without submitting transaction instructions.
While BEC and EAC schemes have unique aspects, as noted below, both focus on using compromised e-mail accounts to mislead financial institutions and their customers into conducting unauthorized wire transfers. Both BEC and EAC schemes can be broken down into three stages:
Stage 1 – Compromising Victim Information and E-mail Accounts:
Criminals first unlawfully access a victim’s e-mail account through social engineering or computer intrusion techniques. Criminals subsequently exploit the victim’s e-mail account to obtain information on the victim’s financial institutions, account details, contacts, and related information.
Stage 2 – Transmitting Fraudulent Transaction Instructions:
Criminals then use the victim’s stolen information to e-mail fraudulent wire transfer instructions to the financial institution in a manner appearing to be from the victim. To this end, criminals will use either the victim’s actual e-mail account they now control or create a fake e-mail account resembling the victim’s e-mail.
Stage 3 – Executing Unauthorized Transactions:
Criminals trick the victim’s employee or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized. The fraudulent transaction instructions direct the wire transfers to the criminals’ domestic or foreign bank accounts. Banks in Asia – particularly in China and Hong Kong – are common destinations for these fraudulent transactions.
In the scenario below, a criminal impersonates a financial institution’s commercial customer.
‘Surrounding facts and circumstances’
But uncovering email compromise schemes can be difficult, and calls for a more extensive analysis of various indicators that, on their own, may not be suspicious but, when combined and viewed through the lens of email compromise activity, merit a deeper look.
“Success in detecting and stopping BEC and EAC schemes requires careful review and verification of customers’ transaction instructions and consideration of the circumstances surrounding such instructions,” according to FinCEN.
Some red flags could be an e-mail address that is slightly misspelled but closely resembles a customer’s or business’s known address, or instructions to send funds to Asia, a hotbed for criminal activity tied to BEC schemes and a common destination for illicit funds.
So banks must weigh the various indicators before reaching a gut-check threshold, an amorphous tipping point that puts more pressure on the compliance decision-makers and human analysis.
“Financial institutions are advised that no single transactional red flag necessarily indicates suspicious activity,” according to FinCEN, which put in the italics.
“Financial institutions should consider additional indicators and the surrounding facts and circumstances, such as a customer’s historical financial activity and whether the customer exhibits multiple red flags, before determining that a transaction is suspicious. Financial institutions should also perform additional inquiries and investigations where appropriate.”
What are the red flags for BEC and EAC frauds?
BEC and EAC schemes are similar and, therefore, may exhibit similar suspicious behavior, which can be identified by one or more of the following red flags:
- A customer’s seemingly legitimate e-mailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
- Transaction instructions originate from an e-mail account closely resembling a known customer’s e-mail account; however, the e-mail address has been slightly altered by adding, changing, or deleting one or more characters. For example:
(Table of example addresses not reproduced here: a legitimate e-mail address alongside the fraudulent e-mail addresses that differ from it by a character or two.)
- E-mailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
- E-mailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
- E-mailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
- E-mailed transaction instructions include markings, assertions, or language designating the transaction request as “Urgent,” “Secret,” or “Confidential.”
- E-mailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
- E-mailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
- A customer’s employee or representative e-mails a financial institution transaction instructions on behalf of the customer that are based exclusively on e-mail communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
- A customer e-mails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
- A wire transfer is received for credit into an account; however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor, while thinking the new account belongs to the known supplier/vendor. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of e-mail-compromise fraud.
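The following is an added example of how a bank’s fraud or AML team might turn several of the red flags above, including the look-alike e-mail address pattern and FinCEN’s point that no single red flag is conclusive, into a screening check for e-mailed wire instructions. It is illustrative code written for this article, not code from FinCEN or from any bank; the customer profile, the wire requests, the account identifiers and the four-hour verification window are all constructed placeholders. The look-alike check generalizes the advisory’s “adding, changing, or deleting one or more characters” into an edit-distance comparison against the customer’s verified addresses.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Markers the advisory lists on fraudulent requests.
URGENCY_TERMS = ("urgent", "secret", "confidential")

# Accounts named in customer complaints as destinations of prior fraud
# (constructed placeholder values, not real account numbers).
COMPLAINT_FLAGGED_ACCOUNTS = {"HK-PLACEHOLDER-0001"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (single-character adds, changes, deletes),
    case-insensitive. 0 means the two strings are identical."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class CustomerProfile:
    """What the bank already knows about the commercial customer (constructed)."""
    verified_senders: Set[str]            # addresses previously verified by the bank
    senders_with_wire_history: Set[str]   # addresses that have sent wires before
    beneficiaries: Dict[str, str]         # beneficiary name -> account on file
    historical_max_amount: float          # largest payment the customer has ever sent


@dataclass
class WireRequest:
    """One e-mailed wire instruction as received (constructed)."""
    sender: str
    beneficiary: str
    account: str
    amount: float
    text: str
    hours_until_cutoff: float       # time the bank has to confirm before the value date
    verified_with_requester: bool   # did the customer's employee confirm with the executive?


def red_flags(req: WireRequest, profile: CustomerProfile) -> List[str]:
    """Return the advisory red flags this request exhibits, by name."""
    flags = []
    sender = req.sender.lower()
    verified = {s.lower() for s in profile.verified_senders}
    history = {s.lower() for s in profile.senders_with_wire_history}
    if sender not in verified:
        # One or two character edits away from a verified address is the look-alike pattern.
        if any(1 <= edit_distance(sender, known) <= 2 for known in verified):
            flags.append("lookalike_sender_address")
    elif sender not in history:
        flags.append("sender_has_no_wire_history")
    on_file = profile.beneficiaries.get(req.beneficiary)
    if on_file is None:
        if req.amount >= profile.historical_max_amount:
            flags.append("new_beneficiary_at_or_above_historical_amounts")
    elif on_file != req.account:
        flags.append("known_beneficiary_new_account")
    if req.account in COMPLAINT_FLAGGED_ACCOUNTS:
        flags.append("destination_named_in_fraud_complaints")
    lowered = req.text.lower()
    if any(term in lowered for term in URGENCY_TERMS):
        flags.append("urgency_or_secrecy_language")
    if req.hours_until_cutoff < 4:   # four-hour window is an assumed threshold
        flags.append("limited_time_to_verify")
    if not req.verified_with_requester:
        flags.append("instruction_not_verified_with_executive")
    return flags


def should_escalate(flags: List[str], minimum: int = 2) -> bool:
    """Escalate for out-of-band verification only when several flags coincide."""
    return len(flags) >= minimum


def demo():
    """Score one routine request and one that matches several red flags."""
    profile = CustomerProfile(
        verified_senders={"ap@example-supplyco.com", "cfo@example-supplyco.com"},
        senders_with_wire_history={"ap@example-supplyco.com"},
        beneficiaries={"Acme Parts Ltd": "US-PLACEHOLDER-1234"},
        historical_max_amount=48_000.00,
    )
    routine = WireRequest(
        sender="ap@example-supplyco.com", beneficiary="Acme Parts Ltd",
        account="US-PLACEHOLDER-1234", amount=12_500.00,
        text="Please process the attached invoice payment as usual.",
        hours_until_cutoff=30, verified_with_requester=True,
    )
    suspect = WireRequest(
        sender="cfo@example-supplyc0.com",   # the letter 'o' swapped for a zero
        beneficiary="Acme Parts Ltd", account="HK-PLACEHOLDER-0001",
        amount=95_000.00,
        text="URGENT and confidential acquisition payment, must go out today.",
        hours_until_cutoff=2, verified_with_requester=False,
    )
    return red_flags(routine, profile), red_flags(suspect, profile)


if __name__ == "__main__":
    routine_flags, suspect_flags = demo()
    print("routine:", routine_flags, "escalate:", should_escalate(routine_flags))
    print("suspect:", suspect_flags, "escalate:", should_escalate(suspect_flags))
```

The escalation threshold of two flags is deliberately a starting point: the advisory’s direction is that the surrounding facts, such as the customer’s payment history, decide the outcome, so a team would tune the threshold and the per-flag logic against its own customer base rather than treat any one flag as a verdict. The last red flag in the list, a beneficiary name that does not match the account holder of record, is a check for the receiving bank and is not modelled here.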
In guidance, a new regulatory standard
In recent exam cycles, regulators have not been asking about how the different financial crime compliance teams are operating together and if they are more interwoven or have been cross-trained, but that could change after the FinCEN guidance, according to the Texas compliance officer.
Typically, once “guidance is put out there, the impression with regulators is that is the new standard,” said the compliance officer. “That’s not always realistic. There is also always the fear that some regulatory groups will go above and beyond what is intended” and expect more formalized financial crime cross-training and more closely interlinked teams.
But even to do that, new training models must be created that can allow the various teams – AML, fraud and cyber – to sit in the same room “and attend the training at the same time so they can hear each other’s concerns, and find out they are the same, find common ground. That will hopefully create some dialogue, because the training out there now is very specific to individual duties. There is nothing I have seen that overlaps and is brought down to the level that would allow cyber, fraud and AML to understand.”