Fraudsters are using clever impersonation techniques to siphon millions from unprotected businesses
When Keith McMurtry, corporate controller of Scoular, a 124-year-old US grain-trading and storage company, was asked by his chief executive to wire $17.2m to an offshore bank account, he did not question it.
Chuck Elsea told Mr McMurtry in a top-secret email that Scoular was in talks to acquire a Chinese company. The chief executive instructed him to liaise with a lawyer at KPMG who would provide the wiring instructions to an account in China.
“We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly,” Mr Elsea wrote in an email in June 2014. Over three transactions, Mr McMurtry transferred the $17.2m to an account in the name of Dadi Co at Shanghai Pudong Development Bank, according to an affidavit signed by an agent with the Federal Bureau of Investigation and filed in a Nebraska court.
The email was a fraud. Criminals impersonated Mr Elsea by creating a phoney email account in his name. They also set up fake email and phone numbers in the name of a real KPMG partner, who later said he had never heard of Scoular. US authorities have traced the emails and phone number to Germany, France, Israel and Russia.
Scoular, which is ranked 66th on Forbes’ list of the US’s largest private companies with revenues of $5.9bn, is one of several thousand companies that have fallen victim to a new type of fraud known as business email compromise schemes which have netted $800m in the past six months.
In January 2015, Xoom, an international money transfer company bought for $890m last July by PayPal, a pioneer in digital payments, said an employee in its finance department was duped into transferring $30.8m in corporate cash to an overseas account.
Ubiquiti Networks, a US manufacturer of wireless networking products, disclosed that its finance department was targeted last June by an imposter and transferred $46.7m to overseas accounts. After discovering the fraud the company began legal proceedings and has recovered $8.1m.
More than 12,000 businesses worldwide have been targeted by the scams, also known as CEO email schemes, between October 2013 and this month. The transactions have netted criminals $2bn, according to the Internet Crime Complaint Center, an intelligence and investigative group within the FBI that tracks computer crimes. Companies large and small, across 108 countries, have been hit and the threat is growing, law enforcement officials say.
“It has gotten quite out of hand,” says Mitchell Thompson, a supervisory special agent and head of the financial cyber crimes task force in the FBI’s New York office.
The criminals are “becoming more brash”, he says, by introducing third parties, such as law firms and consultants, to carry out the fraud. They have also become more sophisticated about how they troll potential victims.
“They’re using social media a lot against us. They might send a spam email intentionally to see that the executive is out of the office, [making] it prime time to target. They might look on Facebook and see that [the chief executive is] travelling to Europe or Australia so they know you’re in the air for a certain amount of time” and have a window to strike, Mr Thompson says.
Tricking people using the internet to steal money is hardly new. There have been criminal groups taking advantage of users of dating websites and fundraisers for disasters or terrorist attacks. A decade ago authorities were flooded with complaints of bogus Nigerian email scams and false lottery winners.
Criminals use a variety of tactics. Sometimes they gain access to executives’ emails by hacking into the accounts using phishing emails. The accounts of chief executives can also be spoofed by changing a letter or replacing a company’s official email service with a Gmail account. The phoney account created to mimic the KPMG lawyer used the suffix @kpmg-office.com, a fake address convincing enough to trick someone who is not checking carefully.
The criminals usually impersonate the executive and order the transfer, often through a second account they secretly control, such as the one said to belong to the KPMG lawyer. The money is sent to accounts in Asia or Africa, where it is harder for authorities to recover. By the time the company realises it has been duped, authorities say, the money has long gone.
Mr McMurtry told the FBI that he was not suspicious of the transfers since Scoular was discussing an expansion in China and he had been working on an annual audit with KPMG, according to the FBI affidavit. Mr McMurtry, who is no longer with Scoular, did not respond to requests for comment. Scoular also declined to speak.
The scam began simply enough. Mr McMurtry received an email purporting to be from Mr Elsea. “I have assigned you to manage file FT-809,” the bogus email said. “This is a strictly confidential operation, which takes priority over other tasks. Have you already been contacted by Rodney Lawrence [the KPMG lawyer]?” It went on: “This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
The following day “Mr Elsea” sent another email stating that the transfer was urgent and he should “proceed asap with the wire to the same beneficiary and bank account as yesterday”.
FBI agents traced the phoney email account in Mr Elsea’s name to Germany. The KPMG email name was linked to a server in Moscow. The phone number provided was traced to a Skype account registered in Israel.
Scoular’s lawyers told the FBI that Wells Fargo said Dadi — the name on the account in Shanghai where Mr McMurtry sent the money — manufactured army boots. Dadi claimed to the bank that the wire transfers were part of a sales contract for the manufacture of boots, according to the FBI affidavit. Scoular said it did not purchase boots.
Mr Lawrence, the KPMG lawyer whose identity was used in the email scheme, is the global leader of KPMG’s international tax services. When interviewed by the FBI he told them he was not familiar with Scoular and had not spoken with anyone at the company, according to the affidavit.
The FBI obtained a court order to seize the funds held at Shanghai Pudong Development Bank but was told that the account had been closed and the funds transferred.
Business email compromise crimes are “a huge” problem, says Austin Berglas, head of cyber investigations at K2 Intelligence and a former chief of the FBI’s cyber branch in New York. Executives are so reliant on email they do not pick up the phone to confirm the transaction and “there is no second check,” he adds.
Some of the email scams are similar, suggesting they come from the same criminal organisation.
The FBI and US Justice Department have several investigations under way. Over the past 12 months the FBI has put more intelligence analysts on the case and have liaised with law enforcement agencies worldwide. “We will open cases this year and we will make arrests this year,” says James Barnacle, chief of the FBI’s money laundering unit.
Glen Wurm, director of accounting at AFGlobal Corp, which makes products for the aerospace, oil and gas industries, received an email in May 2014 similar to that sent to Scoular.
Purportedly from Gean Stalcup, the company’s chief executive, it said: “Glen, I have assigned you to manage file T521. This is a strictly confidential financial operation which takes priority over other tasks. Have you already been contacted by Steven Shapiro [attorney KPMG]?”
Mr Wurm was told not to speak to anyone and was directed to wire $480,000 to an account at the “Agriculture Bank of China”, according to legal documents. The hacker mimicked the tone Mr Stalcup used with Mr Wurm, according to a lawsuit that AFGlobal filed against its insurer Federal Insurance.
Six days later, Mr Shapiro contacted Mr Wurm confirming he had received the transfer, adding that he needed another $18m, according to a lawsuit. At this point Mr Wurm became suspicious and said he could not send so much money without alerting senior executives.
It was too late: the bank account had been emptied. AFGlobal is suing Federal Insurance and Chubb, its parent company, seeking more than $1m for allegedly breaching its contract by not covering the claim. Chubb has declined to comment.
Mr Thompson has declined to discuss either scheme but says criminal groups copy successful tactics. While some schemes have been as large as $90m, the average loss is $120,000.
“The ones you don’t hear about are the smaller corporations that send $50,000. They’re saying, ‘I’m not going to make payroll, we’re going to close our doors’ as a result of the fraud,” Mr Thompson says.
There is little that companies can do to recover the funds. Banks are not required by law to reimburse a company that makes a transfer. Cyber insurance policies might not cover a fraud against a company if its network has not been hacked.
“The bank will look at the totality of what the company has done to protect itself and whether or not they’re adhering to the agreement that the company has signed associated with the initiation of any of these wires,” says Doug Johnson, senior vice-president of overseas payments and cyber security at the American Bankers Association. One good practice is requiring the approval of two people, he says.
That practice is not fail-safe, however.
Like AFGlobal, Medidata Solutions, a clinical technology company, fell victim to email fraud in September 2014.
An employee in accounts received an email from an executive requesting a money transfer, according to a lawsuit filed in a federal New York court against Federal Insurance. The email included an image of the executive’s face and his signature.
Like the other alleged scams, the email included the name of a lawyer, who would act as a liaison for the employee. The employee told the lawyer that he needed the approval of two others before a $4.7m transfer could be made.
The fraudsters had a solution, though. Later that day, two employees with authority to sign off on the transfer were emailed instructions, purporting to be from the chief executive of Medidata, telling them to approve the wire to a bank account in China.
The transfer went through. Two days later, an email from the lawyer told the same employees to initiate a second transfer of $4.8m. One of the employees had grown nervous and called the executive direct — stopping the fraud and saving millions for the company.