
E-mail Account Compromise and Wire Fraud

October 16, 2015

E-mail Account Compromise (EAC) is a sophisticated scam that targets individuals. Professionals at financial and lending institutions, real estate companies and law firms are particularly at risk.

How Does the EAC Scam Work?
Cyber criminals use social engineering or computer intrusion techniques to compromise e-mail accounts. In many cases, they first gain access to a legitimate e-mail address for reconnaissance purposes and then create a spoofed account. The spoofed account closely resembles the legitimate account, but is slightly altered by adding, changing, or deleting a character. It is designed to mimic the legitimate e-mail address in a way that is not readily apparent, and is then used to initiate unauthorized wire transfers. The funds are directed to money mules in the United States or to financial institutions outside of the US.

By compromising firm e-mail accounts, cyber criminals can use them to request wire transfers from clients' bank accounts. Criminals are increasingly following up on their wire transfer requests by calling to confirm the transactions or to comply with wire transfer protocols, which makes the transaction appear more legitimate.

The compromise of e-mail accounts in law firms can expose client bank account numbers, e-mail addresses, signatures, and confidential information related to pending legal transactions. Compromised accounts can also be used to request wire transfers from trust fund and escrow accounts managed by the firm.

In the real estate industry, transactions between sellers and buyers are intercepted and the fund transfer instructions are altered. Realtors' addresses can be used to contact an escrow company and redirect commission proceeds to an alternate bank account or to gain access to client information.

Steps to Take If You Are the Victim of the EAC Scam:

  • Contact your financial institution immediately
  • Contact law enforcement
  • Request that your bank reach out to the financial institution where the fraudulent transfer was sent
  • File a complaint at www.IC3.gov, regardless of dollar loss. Provide any relevant information in your complaint and identify that your complaint pertains to the EAC scam.

How to Protect Yourself:

  • Do not open e-mail messages or attachments from unknown individuals
  • Be cautious of clicking links within e-mails from unknown individuals
  • Be aware of small changes in e-mail addresses that mimic legitimate e-mail addresses
  • Question any changes to wire transfer instructions by contacting the associated parties through a known avenue
  • Have a dual-step process in place for wire transfers; this can include verbal communication using a telephone number known by both parties
  • Know your client's typical wire transfer activity and question any variations
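
The small address changes described above (a character added, changed, or deleted) can be checked mechanically before acting on wire instructions. The following is an added example, not part of the original publication: it compares a message's sender against a list of known correspondents and flags any address that is one character edit away from a known one. All addresses, names, and function names are constructed for illustration.

```python
from email.utils import parseaddr

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the fewest single-character additions,
    deletions, or changes needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete a character
                           cur[j - 1] + 1,              # add a character
                           prev[j - 1] + (ca != cb)))   # change a character
        prev = cur
    return prev[-1]

def check_sender(from_header: str, known: set, max_edits: int = 1):
    """Classify a From header against known correspondents.

    Returns (verdict, address): 'known' for an exact match, 'lookalike'
    (with the known address it imitates) when it differs by at most
    max_edits characters, otherwise 'unknown'.
    """
    # parseaddr drops the display name, which a sender can set freely.
    addr = parseaddr(from_header)[1].strip().lower()
    if addr in known:
        return ("known", addr)
    for legit in sorted(known):
        if 0 < edit_distance(addr, legit) <= max_edits:
            return ("lookalike", legit)
    return ("unknown", None)

# Constructed sample data (reserved .test domains, not real parties).
KNOWN = {"jane.doe@example-law.test", "escrow@example-title.test"}
SAMPLES = [
    "Jane Doe <jane.doe@example-law.test>",    # legitimate
    "Jane Doe <jane.doe@examp1e-law.test>",    # character changed
    "Escrow <escrow@example-tittle.test>",     # character added
    "Escrow <escrow@exampl-title.test>",       # character deleted
    "news@unrelated.test",                     # unrelated sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header, KNOWN))
```

A "lookalike" verdict is a cue to confirm the request through a known telephone number, as the dual-step process above describes. Raising max_edits catches more variants at the cost of more false matches between unrelated addresses.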