Fraudsters are using clever impersonation techniques to siphon millions from unprotected businesses
When Keith McMurtry,
corporate controller of Scoular, a 124-year-old US grain-trading and storage
company, was asked by his chief executive to wire $17.2m to an offshore bank
account, he did not question it.
Chuck Elsea told Mr McMurtry in a
top-secret email that Scoular was in talks to acquire a Chinese company. The
chief executive instructed him to liaise with a lawyer at KPMG who would
provide the wiring instructions to an account in China.
“We need the company to be funded
properly and to show sufficient strength toward the Chinese. Keith, I will not
forget your professionalism in this deal, and I will show you my appreciation
very shortly,” Mr Elsea wrote in an email in June 2014. Over three
transactions, Mr McMurtry transferred the $17.2m to an account in the name of
Dadi Co at Shanghai Pudong Development Bank, according to an affidavit signed
by an agent with the Federal Bureau of Investigation and filed in a Nebraska
court.
The email was a fraud. Criminals
impersonated Mr Elsea by creating a phoney email account in his name. They also
set up fake email and phone numbers in the name of a real KPMG partner, who
later said he had never heard of Scoular. US authorities have traced the emails
and phone number to Germany, France, Israel and Russia.
Scoular, which is ranked 66th on
Forbes’ list of the US’s largest private companies with revenues of $5.9bn, is
one of several thousand companies that have fallen victim to a new type of
fraud known as business email compromise schemes, which have netted $800m in the
past six months.
In January 2015, Xoom, an
international money transfer company bought for $890m last July by PayPal, a
pioneer in digital payments, said an employee in its finance department was
duped into transferring $30.8m in corporate cash to an overseas account.
Ubiquiti Networks, a US
manufacturer of wireless networking products, disclosed that its finance
department was targeted last June by an imposter and transferred $46.7m to
overseas accounts. After discovering the fraud the company began legal
proceedings and has recovered $8.1m.
More than 12,000 businesses
worldwide have been targeted by the scams, also known as CEO email schemes,
between October 2013 and this month. The transactions have netted criminals
$2bn, according to the Internet Crime Complaint Center, an intelligence and
investigative group within the FBI that tracks computer crimes. Companies large
and small, across 108 countries, have been hit and the threat is growing, law
enforcement officials say.
“It has gotten quite out of
hand,” says Mitchell Thompson, a supervisory special agent and head of the
financial cyber crimes task force in the FBI’s New York office.
The criminals are “becoming more
brash”, he says, by introducing third parties, such as law firms and consultants,
to carry out the fraud. They have also become more sophisticated about how they
troll potential victims.
“They’re using social media a lot
against us. They might send a spam email intentionally to see that the
executive is out of the office, [making] it prime time to target. They might
look on Facebook and see that [the chief executive is] travelling to Europe or
Australia so they know you’re in the air for a certain amount of time” and have
a window to strike, Mr Thompson says.
Tricking people using the
internet to steal money is hardly new. There have been criminal groups taking
advantage of users of dating websites and fundraisers for disasters or
terrorist attacks. A decade ago authorities were flooded with complaints of
bogus Nigerian email scams and false lottery winners.
Criminals use a variety of
tactics. Sometimes they gain access to executives’ emails by hacking into the
accounts using phishing emails. The accounts of chief executives can also be
spoofed by changing a letter or replacing a company’s official email service
with a Gmail account. The phoney account created to mimic the KPMG lawyer used
the suffix @kpmg-office.com, a fake address convincing enough to trick someone
who is not checking carefully.
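A mail filter can catch the sender patterns described above before a person has to spot them. The sketch below is an added example, not taken from the article or from any company named in it; the trusted-domain list, the webmail list, the executive name and the sample addresses are constructed assumptions, and only the kpmg-office.com suffix comes from the text.

```python
from email.utils import parseaddr

# Assumptions: grainco.example is a constructed company domain,
# "pat example" a constructed executive display name.
TRUSTED = {"kpmg.com", "grainco.example"}
WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
EXECUTIVES = {"pat example"}


def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return the reasons a From header looks like an impersonation."""
    name, addr = parseaddr(from_header)
    _, at, domain = addr.lower().rpartition("@")
    if not at or not domain:
        return ["unparseable-address"]
    # Exact trusted domains and their subdomains pass.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return []
    reasons = []
    # Executive's display name on a free webmail account.
    if name.strip().lower() in EXECUTIVES and domain in WEBMAIL:
        reasons.append("executive-name-on-webmail")
    tokens = domain.replace("-", ".").split(".")
    for good in sorted(TRUSTED):
        brand = good.split(".")[0]
        if brand in tokens:
            # Trusted brand reused inside another domain (kpmg-office.com).
            reasons.append("brand-token:" + good)
        elif edit_distance(domain, good) <= 2:
            # A letter changed, added or dropped.
            reasons.append("near-match:" + good)
    return reasons
```

A message that returns any reason is a candidate for quarantine or a warning banner; an empty list says only that the domain is on the trusted list, not that the account behind it has not been hacked.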
The criminals usually impersonate
the executive and order the transfer, often through a second account they
secretly control, such as the one said to belong to the KPMG lawyer. The money
is sent to accounts in Asia or Africa, where it is harder for authorities to
recover. By the time the company realises it has been duped, authorities say,
the money has long gone.
Mr McMurtry told the FBI that he
was not suspicious of the transfers since Scoular was discussing an expansion
in China and he had been working on an annual audit with KPMG, according to the
FBI affidavit. Mr McMurtry, who is no longer with Scoular, did not respond to
requests for comment. Scoular also declined to speak.
The scam began simply enough. Mr
McMurtry received an email purporting to be from Mr Elsea. “I have assigned you
to manage file FT-809,” the bogus email said. “This is a strictly confidential
operation, which takes priority over other tasks. Have you already been
contacted by Rodney Lawrence [the KPMG lawyer]?” It went on: “This is very
sensitive, so please only communicate with me through this email, in order for
us not to infringe SEC regulations.”
The following day “Mr Elsea” sent
another email stating that the transfer was urgent and he should “proceed asap
with the wire to the same beneficiary and bank account as yesterday”.
FBI agents traced the phoney
email account in Mr Elsea’s name to Germany. The KPMG email name was linked to
a server in Moscow. The phone number provided was traced to a Skype account
registered in Israel.
Scoular’s lawyers told the FBI
that Wells Fargo said Dadi — the name on the account in Shanghai where Mr
McMurtry sent the money — manufactured army boots. Dadi claimed to the bank
that the wire transfers were part of a sales contract for the manufacture of
boots, according to the FBI affidavit. Scoular said it did not purchase boots.
Mr Lawrence, the KPMG lawyer
whose identity was used in the email scheme, is the global leader of KPMG’s
international tax services. When interviewed by the FBI he told them he was not
familiar with Scoular and had not spoken with anyone at the company, according
to the affidavit.
The FBI obtained a court order to
seize the funds held at Shanghai Pudong Development Bank but was told that the
account had been closed and the funds transferred.
Business email compromise crimes
are “a huge” problem, says Austin Berglas, head of cyber investigations at K2
Intelligence and a former chief of the FBI’s cyber branch in New York.
Executives are so reliant on email they do not pick up the phone to confirm the
transaction and “there is no second check,” he adds.
Some of the email scams are
similar, suggesting they come from the same criminal organisation.
The FBI and US Justice Department
have several investigations under way. Over the past 12 months the FBI has put
more intelligence analysts on the case and has liaised with law enforcement
agencies worldwide. “We will open cases this year and we will make arrests this
year,” says James Barnacle, chief of the FBI’s money laundering unit.
Glen Wurm, director of accounting
at AFGlobal Corp, which makes products for the aerospace, oil and gas
industries, received an email in May 2014 similar to that sent to Scoular.
Purportedly from Gean Stalcup,
the company’s chief executive, it said: “Glen, I have assigned you to manage
file T521. This is a strictly confidential financial operation which takes
priority over other tasks. Have you already been contacted by Steven Shapiro
[attorney KPMG]?”
Mr Wurm was told not to speak to
anyone and was directed to wire $480,000 to an account at the “Agriculture Bank
of China”, according to legal documents. The hacker mimicked the tone Mr
Stalcup used with Mr Wurm, according to a lawsuit that AFGlobal filed against
its insurer Federal Insurance.
Six days later, Mr Shapiro
contacted Mr Wurm confirming he had received the transfer, adding that he
needed another $18m, according to a lawsuit. At this point Mr Wurm became
suspicious and said he could not send so much money without alerting senior
executives.
It was too late: the bank account
had been emptied. AFGlobal is suing Federal Insurance and Chubb, its parent
company, seeking more than $1m for allegedly breaching its contract by not
covering the claim. Chubb has declined to comment.
Mr Thompson has declined to
discuss either scheme but says criminal groups copy successful tactics. While
some schemes have been as large as $90m, the average loss is $120,000.
“The ones you don’t hear about
are the smaller corporations that send $50,000. They’re saying, ‘I’m not going
to make payroll, we’re going to close our doors’ as a result of the fraud,” Mr
Thompson says.
There is little that companies
can do to recover the funds. Banks are not required by law to reimburse a
company that makes a transfer. Cyber insurance policies might not cover a fraud
against a company if its network has not been hacked.
“The bank will look at the
totality of what the company has done to protect itself and whether or not
they’re adhering to the agreement that the company has signed associated with
the initiation of any of these wires,” says Doug Johnson, senior vice-president
of overseas payments and cyber security at the American Bankers Association.
One good practice is requiring the approval of two people, he says.
That practice is not fail-safe,
however.
Like AFGlobal, Medidata
Solutions, a clinical technology company, fell victim to email fraud in
September 2014.
An employee in accounts received
an email from an executive requesting a money transfer, according to a lawsuit
filed in a federal New York court against Federal Insurance. The email included
an image of the executive’s face and his signature.
Like the other alleged scams, the
email included the name of a lawyer, who would act as a liaison for the
employee. The employee told the lawyer that he needed the approval of two
others before a $4.7m transfer could be made.
The fraudsters had a solution,
though. Later that day, two employees with authority to sign off on the
transfer were emailed instructions, purporting to be from the chief executive
of Medidata, telling them to approve the wire to a bank account in China.
The transfer went through. Two
days later, an email from the lawyer told the same employees to initiate a
second transfer of $4.8m. One of the employees had grown nervous and called the
executive direct — stopping the fraud and saving millions for the company.