An emerging global threat known as the ‘Business Email Compromise fraud scheme’ is a very sophisticated large-scale computer-enabled crime. This scam targets businesses working with foreign suppliers and/or businesses that routinely perform wire transfers. Scammers often pose as an executive or employee by compromising legitimate e-mail accounts and request invoice payments to fraudster-controlled bank accounts. Since 2013, more than 7,000 U.S. business have fallen victim, resulting in more than $740 million in losses, according to the FBI.
The client, Wesco Industrial Products, Inc. (Wesco), an equipment manufacturing company located outside of Philadelphia, was one of those victims. Wesco was able to completely recover its financial loss after a digital forensics investigation conducted by ITAcceleration.
In a series of emails that began in December 2014, a request, seemingly from a Wesco employee in Taiwan, was sent to Wesco executives about a bank change request for a vendor. The fraudulent emails contained detailed information on invoice numbers, amounts and contacts. Upon receipt of a confirmation email, Wesco had every reason to believe the request was valid, and wire transferred the payment to the new bank account.
However, Wesco became aware of the issue after their vendor confirmed that open invoices believed to be paid were in fact not. Wesco had performed their own investigation and provided a narrative to the commercial insurance carrier based on a summary of identified “good” emails and “bad” emails. The carrier stated there was insufficient evidence for the claim and it was denied.
In August 2015, Wesco president George Galla contacted David Yarnall, Principal and Director of Forensic Computing at ITAcceleration (ITA) to perform a formal audit and investigation.
The Digital Forensics Investigation
Wesco’s IT staff provided ITA with a spreadsheet summarizing communications between parties and identifying what they believed to be fraudulent emails. There were multiple parties involved:
- contacts from Wesco North America;
- a Wesco contact in Taiwan; and
- the vendor, a supplier in China.
ITA began to break down the facts. Since much of the communication occurred in Asia and was written in respective languages, ITA engaged a translator to corroborate the messages. As an investigator, everyone was considered. To complicate matters, the Wesco contact in Taiwan was using an email account hosted by a Taiwan hosting provider. In addition, all questions and follow-ups needed to be communicated via the Wesco Taiwan contact to address the language barrier and time differences.
- ITA’s first action item was to virus scan all computers identified in the email exchanges. Aside from benign adware, nothing was found to support any type of malware concern.
- Simultaneously, ITA reviewed the spreadsheet and email messages that Wesco’s IT staff identified as either valid or fraudulent. They confirmed questionable emails by calling senders and recipients directly to validate that certain individuals had no knowledge of either sending or receiving the emails.
- Then, ITA investigators started to notice trends. On the spreadsheet, Wesco’s IT staff also provided IP addresses from the email headers they were able to view. They determined that a 139.xx.xx.xx address appeared in every email identified as fraudulent.
Next, the IP addresses needed to be validated from all parties to narrow down the possibilities. These included Wesco North America; the Wesco Taiwan contact’s home and office locations; the Taiwan email hosting provider; and the Chinese supplier. Interestingly, the Taiwan email provider had two potential IP addresses:
- One for direct connection with the email server from an email client such as Outlook (203.xx.xx.xx);
- And a second IP address for web browser connections (139.xx.xx.xx).
It was determined that the suspected fraudulent emails all originated from the 139.xx.xx.xx address, which was confirmed as a legitimate IP address from the Taiwan email hosting provider, SeedNet.
ITAcceleration questioned SeedNet about IP addresses connecting to their web front-end to create the emails suspected as fraudulent. SeedNet was very cooperative and provided critical information to pinpoint the country origin of the fraud.
Three IP addresses were identified that authenticated the Taiwan email provider from a web browser connection:
- a 39.xx.xx.xx; and
- two separate 175.xx.xx.xx addresses.
These IP addresses, confirmed by SeedNet and by ITA via IPLocation.net, originated in Cambodia.
This information provided the evidence needed to corroborate Wesco’s claim that a fraudulent third party originating in Cambodia, had unauthorized access via SeedNet’s webmail system in order to access the Wesco employee’s email. The fraudster proceeded to draft, respond to, and send emails posing as the employee to initiate the fraudulent bank change request and wire transfer activity. This fraudulent activity is known as Business Email Compromise, and it’s an emerging global threat.
BEC Is a Known Threat
Upon conducting research on wire fraud schemes similar to the Wesco case, ITAcceleration discovered a US Government fraud alert from the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the United States Secret Service stating in part:
FS-ISAC members and federal law enforcement agencies continue to report an increase in wire transfer fraud against U.S. businesses through a scam referred to as “Business E-mail Compromise” (BEC). A BEC is a type of payment fraud that involves the compromise of legitimate business e-mail accounts for the purpose of conducting an unauthorized wire transfer. After a business e-mail account is compromised, actors use the compromised account or a spoofed account to send wire transfer instructions. The funds are primarily sent to Asia, but funds have also been sent to other countries all over the world. Most of the BEC incidents involve the compromise of an e-mail account belonging to a business’s CEO/CFO, in order to send an e-mail to an employee with the ability to conduct wire transfers.
Additionally, other incidents involve the compromise of a vendor/supplier’s e-mail account with the intention of modifying the bank account associated with that vendor/supplier. The latter scheme may also be labeled as vendor fraud and involves a last minute change of the bank and account number for future payments.”
Leveraging the support of ITAcceleration, the digital forensics investigation was completed in one month. A report was filed by David Yarnall to the insurance carrier on Wesco’s behalf. Given substantive proof of the source of fraudulent activity, the insurance carrier processed Wesco’s wire fraud claim in full.
To avoid becoming a victim of a business email compromise fraud scheme, visit the FBI’s website for strategies to recognize this scam and tactics for improving security that can be implemented at your company.
ITAcceleration provides a unique and beneficial service as digital forensic experts. They left no stone unturned with a thorough and detailed investigation, and we are grateful to have a partner who uncovered the source of the fraudulent activity relatively quickly that brought about recovery of our funds.” – George Galla, president, Wesco Industrial Products, Inc.