Spoofed Email Impersonated Union’s Investment Manager
On the heels of the recent notice issued by the Division of Insurance regarding a targeted email scam aimed at insurance producers, the Department of Justice has announced it has secured the forfeiture of approximately $5,315,746.29 of proceeds from a business email compromise (BEC) scheme and property involved in the subsequent laundering of the proceeds. The judgment, pursuant to a court-ordered default judgment and final order of forfeiture, is the result of a civil forfeiture complaint filed by the United States in June 2024 seeking the return of the stolen funds.
According to the allegations outlined in the complaint, in January 2023, a workers union based in Dorchester, Massachusetts, was defrauded out of $6.4 million after it received a spoofed email that appeared to be from its investment manager. The email misled the workers union into transferring its funds to the wrong bank account, which was controlled by a third party.
After the workers union sent the payment, the fraudulently obtained funds were transferred through several intermediary bank accounts, with some funds transferred, or attempted to be transferred, to a cryptocurrency exchange and to various foreign bank accounts located in Hong Kong, China, Singapore, and Nigeria. Investigators also traced proceeds of the scheme to seven domestically held bank accounts, the contents of which were subsequently seized.
DOJ Explains what a BEC is
A BEC scheme is a type of sophisticated fraud scheme targeting businesses that use wire transfers as a form of payment. BEC schemes affect large global corporations, governments, and individuals, with current global daily losses estimated at approximately $8 million. Criminals compromise legitimate business email accounts through various hacking schemes, including social engineering and the use of malware. Once a business email account is compromised, a fraudulent email is sent directing the recipient of the email to unwittingly transfer funds to an illicit account. Alternatively, criminals create “spoofed” email domain names to trick people into thinking they know the sender. An email domain name is the part of an email address that comes after the “@” symbol. In email spoofing, one character in an email address is often changed or missing, thereby tricking the recipient. Criminals obtain and use privileged information to convince BEC email recipients that the transfer instructions are legitimate.
How to avoid become a victim of a BEC scheme
Verify that sender email addresses are accurate when checking mail on a cellphone or other mobile device before you open any attachments or follow any instructions and never make any payment changes without verifying with the intended recipient by phone or in person.
If you think you have been a victim of a BEC scheme,
- 1) immediately contact your bank to request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity; and
- 2) file a detailed complaint with the Internet Crime Complaint Center at www.ic3.gov. The Internet Crime Complaint Center is run by the FBI and serves as the country’s hub for reporting cybercrime.
- Visit www.ic3.gov for updated information regarding BEC trends as well as other cyber fraud schemes.
