In April 2020, the FBI issued four notices detailing the increased level of cybercrime seeking to exploit the COVID-19 (coronavirus) pandemic.
Cybercriminals are exploiting the pandemic in countless ways, from preying on human vulnerability to taking advantage of the increased use of online banking and electronic payments. The scams include credential phishing, spam email campaigns, malware, and business email compromise (BEC).
According to the FBI’s Alert No. I-040120-PSA, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (Apr. 1, 2020), its Internet Crime Complaint Center received over 1,200 complaints as of March 30, 2020. The FBI Alert warns that “during this pandemic, BEC fraudsters have impersonated vendors and asked for payment outside the normal course of business due to COVID-19.” As defined by the FBI’s Internet Crime Report (2019), BEC “is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” In 2019, there were 24,000 complaints of BEC scams, with a total loss of $1.7 billion.
On April 6, 2020, the FBI issued a press release, FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic, in which it detailed recent examples of BEC attacks:
- A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
- A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.
Also on April 6, 2020, the FBI issued a further warning, Money Mule Schemes Exploiting the COVID-19 Pandemic. The FBI anticipates a rise in work-at-home schemes to recruit money mules to wittingly or unwittingly facilitate the laundering of fraudulent funds transfers.
On April 13, 2020, the FBI issued another release, Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic. The FBI’s warning reports on evolving schemes being utilized to exploit the coronavirus pandemic.
The FBI is often the first place to turn for assistance when a business is the of a cyberattack that results in fraudulent wire transfers or ACHs. If contacted within 48 hours of the theft and a loss threshold is met, the FBI may be able to identify whether any of the funds may be recovered.
The next option would be potentially responsible third-parties. L&R recently presented a paper at an American Bar Association Conference, titled Technology and Salvage: Using Social Media in Recovery and Allocating Cybercrime Funds Transfers to Third Parties (Jan. 31, 2020), that discusses the latest trends in cybercrime involving fraudulent transfers and how losses are allocated between businesses and third-parties, particularly banks.
Generally, the focus is on the beneficiary’s bank in the business email compromise scenario and on the receiving bank in the malware/account takeover situation.
As detailed in L&R’s recent paper, the beneficiary’s bank (i.e., the bank of the beneficiary of the funds transfer where the funds are ultimately transferred) has potential liability exposure for fraudulent funds transfers arising in the business email compromise scenario under any of the following: (1) the bank “knows” that the name and account number on the wire transfer order refer to different persons; (2) improper bank conduct took place before the funds transfer, such as at account opening; (3) improper bank conduct took place after the wire transfer; or (4) where the bank accepted funds when it knew or should have known that the funds were fraudulently obtained.
In the malware/account takeover scenario, the receiving bank (i.e., generally the customer’s bank from where the transfer originated) has liability exposure for fraudulent funds transfers, unless the bank proves: (1) the bank and customer agreed that the authenticity of a payment order would be verified through a “security procedure;” (2) the security procedure agreed upon is “commercially reasonable;” (3) the bank processed the payment order in “compliance” with the security procedure; (4) the bank processed the order in compliance with any written agreement or instruction of the customer; and (5) the bank accepted the payment order in “good faith.”
For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.