Reporting a rise in losses related to compromised business email systems, the National Credit Union Administration (NCUA) has sent out an alert advising credit unions of steps that can be taken to prevent email fraud. NCUA recommended that entities report instances of such fraud to the FBI’s Internet Crime Complaint Center immediately when they occur.
Credit unions that are prompt in reporting incidents to the Internet Crime Complaint Center, also known as IC3, increase the likelihood of having funds recovered after they’ve been wired under fraudulent pretenses, according to the alert.
Business email compromise describes the act of impersonating a legitimate business or person to request or access fraudulent payments. Perpetrators often compromise a victim’s email address or domain, or use publicly available services to spoof the information.
“Criminals impersonate people in a variety of industries ranging from real estate, law, religious organizations, and business vendors, and use email to initiate or redirect a wire transfer before a victim discovers the transaction,” the alert states. “They also use social engineering, spoof business email accounts, or send fake links to further these types of schemes. They typically leverage a victim's authority to pressure a target into acting quickly or secretly when handling a transfer.”
Based on data gathered by the FBI (in cooperation with financial, domestic, and international law enforcement partners) between October 2013 and May 2018, there have been more than 78,000 incidents of domestic and international business email compromise. The prevalence of such occurrences spurred the FBI to create a recovery asset team in February 2018 with the goal of quickly identifying and freezing suspicious wire transfers before funds are transferred or removed from a suspect’s account.
The alert lists the following steps credit unions can take to help prevent business email compromise fraud:
- “Never make a payment change without verifying the change with the intended recipient.
- Verify the accuracy of email addresses when checking mail on a mobile device.
- Use a two-step verification process to verify wire requests with members, and use information from previously known email addresses and phone numbers rather than what is provided in the wire transfer request.
- Require staff to investigate and verify changes to members’ personal information or business practices of the credit union’s vendors or member business accounts.
- Know the routines of members’ wire activity and contact them with any changes or concerns before sending a wire transfer.
- Verify transaction details with the recipient bank before sending a suspicious wire transfer.
- Use email spam filters to quickly identify potential fraudulent or spoofed emails.
- Create rules in the credit union’s intrusion detection system to flag emails with extensions that are similar to, but different from, your credit union or members.
- Use caution posting information on social media and company websites, especially job duties/descriptions, hierarchical information, and out-of-office details.
- Implement multi-factor authentication (MFA) for corporate email accounts that requires at least two pieces of information to log in (something a user knows, such as a password, and something a user has, such as a dynamic PIN).”
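The detection-rule step above (flagging sender domains that are similar to, but not the same as, the credit union's own) is easiest to understand as code. The following is an added example, not code from the NCUA alert or from NAFCU: a small sender-domain classifier of the kind a mail filter or intrusion detection rule would run on each inbound `From:` header. It assumes a placeholder credit union domain `examplecu.org` and a constructed set of sample headers; both are labelled in the code. It goes slightly beyond the alert's wording by also flagging display names that borrow the institution's name while the address belongs to an unrelated domain.

```python
import re
import unicodedata

# Constructed placeholder for the credit union's own domain(s); replace with the real ones.
TRUSTED_DOMAINS = {"examplecu.org"}

# Character substitutions commonly used to build lookalike domains (folded before comparison).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("$", "s"))

# Accepts 'Name <addr>', '"Name" <addr>', '<addr>' and bare 'addr' forms of a From: header.
FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<?(?P<addr>[^<>\s"]+@[^<>\s"]+)>?\s*$')


def normalize_domain(domain: str) -> str:
    """Lowercase, strip accents (catches IDN lookalikes) and fold common homoglyphs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def registrable(domain: str) -> str:
    """Keep the last two labels; a heuristic that ignores multi-part TLDs such as co.uk."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'external', or a reason the header should be flagged for review."""
    m = FROM_RE.match(from_header)
    if not m:
        return "unparseable"
    name = (m.group("name") or "").strip().lower()
    domain = m.group("addr").split("@", 1)[1].lower().rstrip(".")
    reg = registrable(domain)
    if reg in trusted:                      # own domain or a subdomain of it
        return "trusted"
    norm = normalize_domain(reg)
    norm_label = norm.split(".")[0]
    for t in trusted:
        t_norm = normalize_domain(t)
        t_label = t_norm.split(".")[0]
        if norm == t_norm:                  # examp1ecu.org -> examplecu.org after folding
            return "lookalike:homoglyph"
        if norm_label == t_label:           # examplecu.com instead of examplecu.org
            return "lookalike:tld-swap"
        if t in domain:                     # examplecu.org.<unrelated-domain>
            return "lookalike:embedded"
        if len(t_label) >= 5 and levenshtein(norm_label, t_label) <= 2:
            return "lookalike:edit-distance"  # one or two inserted/swapped letters
    # Display name carries the institution's name but the address is from elsewhere.
    org_names = {t.split(".")[0] for t in trusted}
    name_compact = re.sub(r"[^a-z0-9]", "", name)
    if name_compact and any(o in name_compact for o in org_names):
        return "display-name-spoof"
    return "external"


# Constructed sample From: headers; none of these are real addresses.
SAMPLE_FROM_HEADERS = [
    "Alice Treasurer <alice@examplecu.org>",
    "<ops@mail.examplecu.org>",
    "<payments@examp1ecu.org>",
    "<ceo@examplecu.com>",
    "<ceo@exampllecu.org>",
    "<notify@examplecu.org.secure-login.test>",
    '"Example CU Wire Desk" <wires@mailservice.test>',
    "<vendor@supplier-example.test>",
]


def flagged(headers):
    """Return (header, reason) pairs that a filter should hold or tag for human review."""
    out = []
    for h in headers:
        verdict = classify_sender(h)
        if verdict not in ("trusted", "external"):
            out.append((h, verdict))
    return out


if __name__ == "__main__":
    for header, reason in flagged(SAMPLE_FROM_HEADERS):
        print(f"{reason:26s} {header}")
```

A filter built on this logic should quarantine or visibly tag the flagged messages rather than silently drop them, since the edit-distance and display-name checks will occasionally catch legitimate vendors; the point of the rule is to force the out-of-band verification the alert's earlier steps call for before any wire is released.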
More self-protection strategies are outlined in the United States Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber Incidents,” NCUA noted.
The National Association of Federally-Insured Credit Unions (NAFCU) noted that it also has a host of cybersecurity compliance resources intended, in part, to help credit unions mitigate email fraud risk.