DPD Articles

Denver Police Warn Businesses and Residents Against Email Compromise Fraud

Denver, CO – Friday, September 22, 2017 – The Denver Police Department is seeking to prevent cases of monetary theft by raising awareness in the community about Business Email Compromise fraud. Denver Police Fraud Unit detectives receive several reports of this type of crime every month.

Here’s how it works: Criminals gain access to a business’ email system by illegal means, and then send emails requesting electronic payments or wire transfers to fraudulent accounts.

For example, in a recent case, the suspect(s) posed as known vendors through spoof emails and requested an organization change account information for money transfers. An unsuspecting employee made the changes and payments were subsequently sent to the fraudulent accounts when bills were paid. The theft was quickly recognized and reported to the organization’s financial institution and police, and most of the transferred funds were recovered.

In another case, a company’s business manager received emails that appeared to be from the chairman of the company requesting funds transfers to an out-of-state account. The transfers were completed before the employee realized the chairman’s email account had been compromised. The company froze its bank account and is working to recover the funds.

A third example of Business Email Compromise fraud involved the suspect(s) emailing fraudulent wire transfer instructions to victims who were in the process of closing on a home purchase. The email appeared to be from the title company involved in the transaction and the fraudulent instructions were followed. The funds in this case were recovered.

Recognizing Business Email Compromise fraud is challenging because the emails can appear to be legitimate and very convincing, so the Denver Police Department encourages everyone to follow these prevention tips (source: FBI):

  • Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign-off by company personnel or telephone calls, to verify significant transactions. Arrange this two-factor authentication early in the relationship with the vendor.  Create this arrangement outside of the e-mail environment to avoid interception by a hacker.
  • Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the e-mail request.
  • Know the habits of your customers/vendors, including the details of, reasons behind, and amount of payments.
  • Carefully scrutinize all e-mail requests for transfers of funds to determine if the requests are out of the ordinary.
  • Be careful what you post to social media and company websites, especially job duties and descriptions, hierarchal information, and out-of-office details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal e-mail address when all previous official correspondence has been through company e-mail, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.

If You Are A Victim

  • Contact your financial institution immediately upon discovering the fraudulent transfer.
  • Contact your local police department and/or local office of the FBI.
  • File a complaint, regardless of dollar loss, with www.ic3.gov

Views – 143