DOJ's Business Email Compromise Takedown Illustrates Pervasiveness of Internet Fraud Schemes
On June 12, 2018, the U.S. Department of Justice announced the internationally coordinated arrests of 74 individuals involved in a series of multimillion-dollar business email compromise schemes ("BEC"). Although these pervasive schemes can take many forms, in a BEC, a hacker generally compromises a company's email server and performs some level of reconnaissance to identify the email account of a company employee/executive with access to, or authority for, company finances. Once identified, the hacker will use the compromised email account to impersonate the account owner to redirect authentic wire transfers to bank accounts controlled by the criminal enterprise, or to request the company to provide, and send to the criminal enterprise, authentic bank checks.
Although money is usually the principal target of these criminal enterprises targeting businesses, BECs also regularly target tax records of individual company employees to commit additional fraud. Businesses that regularly perform wire transfer payments and communications with foreign suppliers or businesses have been particularly vulnerable to BECs.
In illustrating the continued prevalence of this cyber threat, the Internet Crime Complaint Center ("IC3") indicates that in 2017, reported BECs alone caused losses of $676 million to companies and individuals, a figure that comprised nearly half of all reported losses due to cybercrime. Moreover, IC3 indicates that BECs have caused $3.7 billion in losses since IC3 began keeping statistics on these schemes.
A company's best defense against BECs is to proactively maintain adequate cybersecurity and data privacy measures. As part of these measures, employees should be trained on BEC risk in particular, as well as on how to identify suspicious emails to prevent unwitting compromise of company email accounts and networks. If a compromise occurs and a criminal enterprise is successful in diverting a wire or check to an unauthorized account or recipient, companies should be prepared to quickly coordinate with their banks and law enforcement to attempt to stop the transaction or recover sent funds.
For further information, please contact your principal Firm representative or the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
James T. Kitchen
Mauricio F. Paez
Lisa M. Ropple
Aaron D. Charfoos
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.