It was a $1 million mystery.
In May 2018, Happy Egg Co. of Rogers wondered why a customer was nearly $1 million in arrears. The customer, Woodland Partners Inc. of Walpole, Massachusetts, wondered what had happened to nine payments totaling $972,500 it sent to the bank account that an employee from Happy Egg had designated in an email in March.
Both companies ultimately realized that the change-of-account email from the purported employee was a scam.
That type of fraud, known as business email compromise (BEC), has been on the rise and shows no signs of slowing down.
In 2017, the number of BEC complaints to the FBI was 15,690, nearly double that of 2015, with losses of $676.1 million, an increase of 157 percent since 2015, according to the FBI Internet Crime Report.
BEC crimes are increasing because they are successful, said Shun Turner, supervisory special agent for the cyber squad of the FBI’s Little Rock office. “Most of the people that they are targeting are not that tech-savvy or maybe lack a little cyber awareness,” he said.
In December, the IRS warned tax preparers about email scams that have employees requesting changes to their payroll direct deposit accounts or wire transfer.
“These emails generally impersonate a company employee, often an executive, and are sent to payroll or human resources personnel,” the IRS said in a news release.
The email appears to come from an employee who is asking to change his or her direct-deposit account and provides a new bank account number.
“This scam is usually discovered pretty quickly, but not before the victim has lost one or two payroll checks,” the news release said.
Turner said the FBI has been educating businesses about BEC scams and how they might avoid becoming a victim.
An easy step is calling a known number of the person who sent the email to verify the message. Unfortunately, Turner said, “a lot of times that second method of authentication of who am I actually talking to is just not being done.”
The email spoofs can be difficult to spot, said Josh Pauli, who teaches cybersecurity at Dakota State University in Madison, South Dakota.
“The whole point is that they’re not easily noticeable,” Pauli said. “As time has gone by, the social engineering aspect of it has gotten better.”
In 2018, a favorite target of hackers was the real estate industry, said Jeremy Richards, principal security researcher at the cybersecurity company Lookout of San Francisco.
“What these phishers are doing is they’re monitoring these real estate deals,” Richards said. “On the day of the close, … they’ll chime in and say that the down payment has to go to this … new routing number.”
Businesses aren’t alone in being duped. The FBI’s Turner said that a woman who was trying to buy a house last year was prompted by an email to transfer around $35,000 to someone she thought worked for a title company.
She didn’t find out until a week later that the money went to someone not connected to the title company, Turner said. “That money was lost,” he said.
Turner said that companies that act quickly have a good chance of getting their money back. First, companies need to contact their banks and then file a report with the FBI’s Internet Crime Complaint Center at IC3.gov.
And to prevent a loss, businesses can buy a cyber policy and add what’s called social engineering coverage, said Wes Adams, vice president of commercial property and casualty at Stephens Insurance LLC, a division of Stephens Inc. of Little Rock.
“We’ve been recommending this coverage for years now,” Adams said. “And it’s been a hard sell, but it’s getting easier because more and more people are experiencing issues and claims.”
Happy Egg, which has the legal name of Noble Foods Inc. and sells organic eggs from free-range hens, contacted the FBI in May after the scam was discovered, according to an affidavit by FBI Special Agent Alan Lee.
The bank account into which the money had been transferred was frozen with about $550,000 still in it, said Lee, whose statement is attached to a civil lawsuit filed in September by the U.S. attorney for the Western District of Arkansas.
The FBI seized the money and filed a lawsuit to have it forfeited because it stemmed from proceeds traced to wire fraud.
Since neither Happy Egg nor Woodland Partners made a claim for the money in U.S. District Court, the U.S. attorney’s office received it from a default judgment in December. The proceeds were deposited into the government’s asset forfeiture fund.
In an email to Arkansas Business, Happy Egg said it has filed claims with the federal government for all funds obtained by the FBI or Department of Justice. The company "continues to closely monitor this situation, along with the FBI and U.S. Attorney’s office, to ensure it is taking all appropriate action to recover the funds and otherwise respond to this situation," the email said. "Happy Egg has also taken steps to prevent itself from being victim to similar criminal activity in the future."
Woodland Partners didn't return a call for comment. The U.S. attorney’s office for the Western District also had no comment.
Business email compromise scams come in several forms. The first versions surfaced about seven or eight years ago with fakers spoofing the email of the CEO or CFO of a company, said Anton L. Janik Jr., an attorney at the Mitchell Williams Selig Gates & Woodyard law firm in Little Rock. His practice area includes cybersecurity, privacy and data protection.
The spoofer would break into or imitate an executive’s email account and fire off emails saying he was in a foreign country and his wallet had been stolen. He would ask for a couple of hundred dollars to be wired to him.
The spoofers learned from that scam that purported orders from the boss via email can have real clout.
“If the CEO directs someone to do something, they have a pretty good shot that it will get done,” Janik said.
In the last two to three years, the cyber threats have shifted from malicious email attachments to socially engineered appeals for specific workers to take specific actions, like wiring money to a new account, said Crane Hassold, senior director of threat research at Agari, an email security company in Foster City, California.
“The success rate for them is very low,” Hassold said.
Nevertheless, even with a success rate of less than 1 percent, “an attacker can still make tens of thousands of dollars a month from these types of scams.”
The affidavit by Lee, the FBI agent, in the Happy Egg case provided some insight into how that scam worked.
On March 9, an employee assigned to Woodland’s accounts payable received an email that appeared to be from Paul Mensing, the Happy Egg senior revenue deduction analyst.
The email referred to an attachment with the “newly updated company bank account for receiving payments,” Lee wrote, but the email had no attachment.
Three days later, the Woodland employee received another email purportedly from Mensing that included the attachment letter that changed the bank account number to an account at SunTrust Bank of Atlanta.
The letter contained several red flags overlooked by the Woodland employee. These included the address on the letter, “50 Francisco Street, Francisco, California.”
The actual address was 50 Francisco St., Suite 203, and the city is San Francisco, not Francisco — but Happy Egg had closed that office four months before the email was sent.
On March 14, Woodland updated Happy Egg’s bank account information and payments started flowing into the new account. On May 23, Happy Egg became aware of Woodland’s outstanding invoices during an accounts receivable meeting.
During its investigation, the FBI learned that Mensing thought the laptop computer he used for work had been hacked, and he reported it to his company’s internet technical support company, Edafio of North Little Rock, on March 26. “Edafio believed that ‘someone got into Mensing’s profile and forwarded Mensing’s emails,’” Lee wrote.
The FBI also learned that SunTrust Bank’s loss prevention unit had frozen the account into which Happy Egg’s money was going on May 10 “due to an unacceptable risk or loss to SunTrust Bank,” Lee said.
Pauli, the Dakota State University cybersecurity expert, said any employee who falls for a scam needs to report it as quickly as possible.
“There should be no shame in falling for it,” he said. “The attacks are very sophisticated. … Those people do put a lot of research time into making them realistic.”
(Clarification: A previous version of this article said only that Happy Egg had not filed a claim in U.S. District Court, but the company said it has filed claims with the federal government for the money the FBI recovered.)
Tips to Avoid Becoming an Email Spoofing Victim
To avoid falling for email spoofing scams, employees should learn to recognize spoof emails that sometimes include similar-looking email addresses, says Shun Turner, supervisory special agent for the cyber squad of the FBI’s Little Rock office.
To get similar addresses, a hacker has to register a domain name and then establish an email server with that name.
“They can be very tricky on how they craft their domain,” Turner said.
Creating a similar company name is easier than hacking into someone’s email account.
Using those similar email addresses could trick a CFO into thinking that an email asking for money to buy equipment is from the CEO, said Anton L. Janik Jr., an attorney at the Mitchell Williams Selig Gates & Woodyard law firm in Little Rock. His practice area includes cybersecurity, privacy and data protection.
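The similar-looking sender domains described above can be screened for mechanically before a payment change is acted on. The sketch below is an added example, not from the article or anyone quoted in it; the trusted domains, the substitution table and the distance threshold are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list: domains accounts payable really corresponds with.
TRUSTED = {"acme-foods.example", "northwind-bank.example"}
# Assumed table of look-alike substitutions, folded to one canonical form.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))

def skeleton(domain):
    """Collapse visually confusable characters so look-alikes compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(from_header, max_distance=2):
    """Return (verdict, trusted domain it matches or imitates)."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in sorted(TRUSTED):
        near = osa_distance(domain, good) <= max_distance
        if near or skeleton(domain) == skeleton(good):
            return ("lookalike", good)  # close to a real partner, but not it
    return ("unknown", None)

# Constructed From: headers, as they might appear on a change-of-account email.
SAMPLES = [
    "Pat Smith <pat@acme-foods.example>",   # genuine
    "Pat Smith <pat@acrne-foods.example>",  # "rn" standing in for "m"
    "pat@acme-fodos.example",               # two letters swapped
    "newsletter@weather.example",           # unrelated sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify(header), header)
```

A "trusted" verdict only means the domain matches; a request from a compromised real mailbox still needs the phone call to a known number.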
Companies also should limit how much information is on their websites because criminals use the names and email addresses to impersonate a company official or employee in an attempt to get a colleague to wire money, said Wes Adams, vice president of commercial property and casualty at Stephens Insurance LLC, a division of Stephens Inc. of Little Rock.
Employees need to be wary of any emails that include demands for tasks to be completed as soon as possible.
“Urgency is the phisher’s best friend,” said Jeremy Richards, principal security researcher at the cybersecurity company Lookout of San Francisco. “They’re trying to circumvent standard operating procedures. … So we like to take a good, hard look at anything that is trying to generate false urgency.”
Richards suggested that employees who handle company finances regularly go through extra anti-phishing training.
And once standard operating procedures are established on how to deal with changes to bank routing numbers or payments, he recommends that employees don’t depart from those procedures, even when the sums are relatively small. Phishers often start by requesting smaller amounts, Richards said.
“They find the largest amount that they can get away with without triggering some kind of internal response,” he said.