$20 billion! According to the FBI’s Internet Crime Complaint Center (IC3), between October 2013 and December 2023, more than 158,000 business email compromise (BEC) incidents were reported that involved U.S. victims and over $20 billion in losses.
If you stacked freshly minted $1 bills, the stack would reach over 1,300 miles high. The actual losses are undoubtedly higher, as many BEC attacks go unreported to IC3.
BEC, also known as email account compromise (EAC), typically involves social engineering and a malicious digital link to capture someone’s email login credentials, allowing unauthorized access – especially when multifactor authentication is not utilized. This email access is then typically leveraged to (1) gain unauthorized access to financial accounts through online password resets to take over the accounts and attempt to steal funds or (2) send and receive emails impersonating the email account owner to attempt to redirect funds owed to the email account owner or their company for products or services provided, or divert funds that are due to one of their clients.
Expeditious response is critical.
In general, the more time that passes between the funds being sent and the fraud being reported to the sending financial institution (e.g., bank or credit union), the slimmer the chances of recovering the funds. It is also advisable to report the fraud as soon as possible to the financial institution where the funds were sent, to decrease the likelihood that the funds continue to move in the event they have not already moved elsewhere.
These funds often make it out of the U.S. This is generally where victims of BEC-enabled fraud stop, and the funds are never recovered.
Here’s How You Might Still Recover the Funds
The Rapid Response Program (RRP) and the Financial Fraud Kill Chain (FFKC) it leverages are critical to recovery efforts when funds stolen through cyber-enabled fraud are wired internationally.
It has been almost a decade since the creation of the RRP, but most people I bring this important program up to still are not familiar with it – including business professionals responsible for attempting to recover fraudulently stolen funds. Hence, this is why I am writing this article.
Through the RRP and the Financial Fraud Kill Chain (FFKC), the Financial Crimes Enforcement Network (FinCEN) helps victims and their financial institutions recover stolen funds that were wired internationally as the result of certain cyber-enabled financial crime schemes, such as BECs and financial account takeovers.
The RRP is a partnership between FinCEN; U.S. law enforcement (including the FBI, the Secret Service, Homeland Security Investigations (HSI), and the Postal Inspection Service (USPIS)); and foreign partner agencies that, like FinCEN, are the financial intelligence units (FIUs) of their respective jurisdictions.
As part of the FFKC, FinCEN leverages its authority to share financial intelligence rapidly with counterpart FIUs and encourages foreign authorities to interdict the transactions, freeze funds, and stop and recall payments using their authorities under their own respective legal and regulatory frameworks.
In February 2022, FinCEN reported the RRP had been used to confront cyber threats involving approximately 70 foreign jurisdictions to date, and had the capacity to reach more than 160 foreign jurisdictions through FIU-to-FIU channels.
Through these collaborative efforts, FinCEN reported having successfully assisted in the recovery of over $1.1 billion for U.S. victims since the program’s inception in 2015.
A victim of a cyber-enabled crime, or the victim’s financial institution, must report the fraud to law enforcement to initiate the FFKC; and the FFKC is more likely to be triggered if the international wire was in an amount of at least $50,000.
To request assistance from federal law enforcement to initiate the FFKC, a victim or the victim’s financial institution may start the process by filing a report with federal law enforcement.
In particular, the event can be reported through the FBI’s Internet Crime Complaint Center (IC3) or the nearest FBI or U.S. Secret Service (USSS) field office. Federal law enforcement may then request FinCEN’s assistance to share financial intelligence with foreign FIUs in an attempt to recover the crime proceeds.
While FinCEN does not ensure the recovery of internationally wired stolen funds, the RRP has had greater success in recovering funds when international wire transfers of fraudulently stolen funds are reported to law enforcement within 72 hours of the transaction.
In March 2022, in a statement before the House Judiciary Committee, the FBI’s Cyber Division Assistant Director Bryan Vorndran shined a light on the FFKC’s success. Vorndran reported that during its fiscal year 2021 the FBI’s Recovery Asset Team (RAT) leveraged the FFKC 1,726 times with a 74 percent success rate and successfully froze more than $328 million that could then be returned to individual and business victims of cyber fraud.
Even if cyber-enabled fraud does not meet the above criteria, reporting the fraud to the FBI through IC3 may still enable the event to be tied to other events, investigations, and attempts to recover funds and/or hold the responsible parties accountable.
What Can Be Done to Be Proactive?
Steps can also be taken to help ensure funds aren’t sent out in the first place.
For example, take steps to ensure sustained awareness of cyber-enabled fraud and its indicators among those who may encounter it (e.g., those with vendor billing relationships) and have processes in place to validate the legitimacy of where funds are sent (e.g., telephone calls to a vendor’s billing contact to confirm the change of bank account information or leveraging third-party data through a vendor to help validate bank account ownership).
Leveraging multifactor authentication for email and financial accounts can reduce fraud risk related to account takeovers. This includes adopting the more secure multifactor options available (e.g., an authenticator application on a mobile phone and SMS text one-time passcodes are generally more secure than email one-time passcodes).
Organizations can also document financial institution and law enforcement reporting steps within procedures to help ensure a sustainable and timely response when fraud is discovered and to increase the likelihood of recovering funds.
If your organization needs assistance in implementing a fraud risk management strategy, assessing the maturity and/or effectiveness of your fraud risk management practices, assessing your fraud risk to help prioritize efforts, or developing awareness content or procedures, contact our related Business Advisory leaders: James Rumph in our Columbus office or Tom Pratt and Brian Webster in our Pittsburgh office.
If your organization needs cybersecurity risk mitigation or remediation consulting, contact our Cybersecurity leader Carl Kriebel.