Berks County Bar Association The Berks Barrister Spring 2021 - 23
www.BERKSBAR.org
Scenario 3: Business Contacts Receiving
Fraudulent Correspondence through
Compromised E-mail
An employee of a business has his or her
personal e-mail hacked.
Scenario 4: Business Executive and Attorney
Impersonation
Victims report being contacted by
fraudsters who typically identify themselves
as lawyers or representatives of law firms and
claim to be handling confidential or time-sensitive matters. This contact may be made
via either phone or e-mail. Victims may be
pressured by the fraudster to act quickly or
secretly in handling the transfer of funds. This
type of BEC scam may occur at the end of
the business day or work week and be timed
to coincide with the close of business of
international financial institutions.
Scenario 5: Data Theft
Fraudulent requests are sent utilizing a
business executive's compromised e-mail.
The entities in the business organization
responsible for W-2s or maintaining PII,
such as the human resources department,
bookkeeping, or auditing section, have
frequently been identified as the targeted
recipients of the fraudulent request for W-2
and/or PII. This data theft scenario of the
BEC scam first appeared just prior to the
2016 tax season. It will peak again with this
year's tax season.
TRENDS
Real Estate Transactions
The BEC scam targets all participants
in real estate transactions, including buyers,
sellers, agents, and lawyers. The IC3 saw a
480% increase in the number of complaints
filed recently by title companies that were
the primary target of a BEC/EAC scam. The
BEC/EAC perpetrators were able to monitor
the real estate proceeding and time the
fraudulent request for a change in payment
type (frequently from check to wire transfer)
or a change from one account to a different
account under their control. I suggest a policy
of confirming wire instructions by known
telephone numbers.
HOW TO AVOID BEC
Businesses with an increased awareness
and understanding of the BEC/EAC scam
are more likely to recognize when they have
been targeted by BEC/EAC fraudsters, and
are therefore more likely to avoid falling
victim to such scams and sending fraudulent
payments.
Businesses that deploy robust internal
prevention techniques at all levels (especially
for front line employees who may be the
recipients of initial phishing attempts) have
proven highly successful in recognizing and
deflecting BEC/EAC attempts.
Some financial institutions reported
holding their customer requests for
international wire transfers for an additional
period of time to verify the legitimacy of the
request.
Some self-protection strategies:
* Avoid free web-based e-mail accounts:
Establish a company domain name and use
it to establish company e-mail accounts in
lieu of free, web-based accounts.
* Be careful what you post to social media
and company websites, especially job duties
and descriptions, hierarchal information,
and out-of-office details.
* Be suspicious of requests for secrecy or
pressure to take action quickly.
* Consider additional IT and financial
security procedures, including the
implementation of a two-step verification
process. For example:
º Out-of-Band Communication: Establish
other communication channels, such
as telephone calls, to verify significant
transactions. Arrange this two-factor
authentication early in the relationship
and outside the e-mail environment to
avoid interception by a hacker.
º Digital Signatures: Both entities on
each side of a transaction should utilize
digital signatures. This will not work with
web-based e-mail accounts. Additionally,
some countries ban or limit the use of
encryption.
* DO NOT open spam e-mail, click on
links in the e-mail, or open attachments.
These often contain malware that may give
subjects access to your computer system.
Trainer is helpful here.
* Avoid use of the "Reply" option to
respond to any suspect business e-mails.
Instead, use the "Forward" option and either
type in the correct e-mail address or select it
from the e-mail address book to ensure the
intended recipient's correct e-mail address
is used.
* Consider implementing two-factor
authentication for corporate e-mail
accounts. Two-factor authentication
mitigates the threat of a subject gaining
access to an employee's e-mail account
through a compromised password by
requiring two pieces of information to log
in: (1) something you know (a password)
and (2) something you have (such as a
dynamic PIN or code).
* Beware of sudden changes in business
practices. For example, if a current business
contact suddenly asks to be contacted via
their personal e-mail address when all
previous official correspondence has been
through company e-mail, the request could
be fraudulent. Always verify via other
channels that you are still communicating
with your legitimate business partner.
* Register company domains that are
slightly different than the actual company
domain.
* Verify changes in vendor payment
location by adding additional two-factor
authentication such as having a secondary
sign-off by company personnel.
* Confirm requests for transfers of funds.
When using phone verification as part of
two-factor authentication, use previously
known numbers, not the numbers provided
in the e-mail request. A phone call saved
a Berks business about $100,000.00.
Sometimes the low-tech solution is the best
solution.
* Know the habits of your customers,
including the details of, reasons behind, and
amount of payments.
* Carefully scrutinize all e-mail requests
for transfers of funds to determine if the
requests are out of the ordinary.
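An added example, not part of the original article, of automating two of the checks above: it flags a message whose reply would go to a different domain than the apparent sender, and a sender or reply domain that is slightly different from a known contact's domain. The domain names, the sample messages and the threshold of two character edits are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for illustration: domains this business really corresponds with.
KNOWN_DOMAINS = {"example-title.com", "example-lawfirm.com"}

# Constructed sample messages (headers, blank line, body).
SAMPLE_SPOOFED = ("From: Closing Agent <agent@example-title.com>\n"
                  "Reply-To: agent@examp1e-title.com\n"
                  "Subject: Updated wire instructions\n\nPlease use the new account.\n")
SAMPLE_CLEAN = ("From: Closing Agent <agent@example-title.com>\n"
                "Subject: Closing date\n\nSee you Friday.\n")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_message(raw, known=KNOWN_DOMAINS):
    """Return the reasons a message should be verified by a known phone number."""
    msg = message_from_string(raw)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    reasons = []
    if reply_to and reply_to != sender:
        reasons.append(f"Reply goes to {reply_to}, not {sender}")
    # Check each distinct domain once, in header order.
    for dom in dict.fromkeys((sender, reply_to)):
        if dom and dom not in known:
            near = [k for k in sorted(known) if edit_distance(dom, k) <= 2]
            if near:
                reasons.append(f"{dom} is a near-miss of {near[0]}")
    return reasons

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(name, review_message(raw))
```

A clean result only means these two checks found nothing; a request sent from a genuinely compromised account passes both, which is why the telephone confirmation remains necessary.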
WHAT TO DO IF YOU ARE A VICTIM
If funds are transferred to a fraudulent
account, it is important to act quickly:
* Contact your financial institution
immediately upon discovering the
fraudulent transfer.
* Request that your financial institution
contact the corresponding financial
institution where the fraudulent transfer
was sent.
* Contact your local Federal Bureau of
Investigation (FBI) office if the wire is
recent. The FBI, working with the United
States Department of Treasury Financial
Crimes Enforcement Network, might be
able to help return or freeze the funds.
* File a complaint, regardless of dollar
loss, with www.ic3.gov or, for BEC/EAC
victims, bec.ic3.gov
My thanks to the Federal Bureau of
Investigation InfraGard which provides
helpful advice and seminars for InfraGard
members regarding BEC/EAC and a variety
of cybersecurity and related matters.
Jeffrey A. Franklin chairs the
Berks County Bar Association
Technology Committee, practices
law with Prince Law Offices, P.C.
and is a principal of Brightline Tech
Solutions, LLC.