FBI 80: Learning Points
Last week, the FBI released an indictment of 80 individuals involved in internet fraud. The indictment came after several months of investigation into cyber fraudsters and their activities within the United States. Although the news of the indictment is mostly about the success of law enforcement in nailing "one of the largest rings" of cyber fraudsters, it also conveys critical learning points for those charged with managing the risk of fraud in corporate organizations.
Most organizations' anti-fraud strategies for cybercrime have focused on ransomware. Little has been done with respect to business email compromise (BEC). Yet the 2018 Internet Crime Report released by the FBI indicated a loss of about US$1.2 billion from 20,373 BEC-related complaints received in 2018. That figure covers reported complaints only, which gives some idea of the true cost once unreported BEC incidents are included.
All businesses/organizations involved in forex transactions should be concerned about the revelations in the indictment. In fact, any organization that runs on email and makes payments using bank transfers should keep a close watch on these developments through their fraud risk manager.
Regardless of their size and location, such businesses and organizations are at a high risk of becoming a victim of BEC. One of the victim organizations listed in the FBI's indictment is an account holder with UBA, a pan-African bank headquartered in Nigeria. Other victim organizations were located in China, Japan and the Middle East.
In the light of these, organizations should, as a matter of urgency:
- Update their fraud risk register with BEC. Most organizations have a generalized line for cybercrime or internet fraud in their risk registers. BEC should be treated as a stand-alone fraud risk, thereby making it an anti-fraud priority and giving it the level of attention it deserves.
- Conduct an immediate assessment of exposure to BEC and commence the implementation of relevant controls. A higher frequency and amount of forex transactions indicates a higher likelihood of BEC. Controls can include two-factor authentication for forex transactions and verbal confirmation of all transaction details (as a second level of authorization) by the accounts payable team before a transaction is processed.
- Assess their readiness to respond to incidents of BEC. Given the patterns demonstrated by the key actors in the FBI's case, BEC response is no longer a question of "how do we respond if it happens" but rather "how do we respond when it happens". Organizations must ensure that their anti-fraud units are adequately skilled to respond to BEC and other types of cybercrime.
As evident in the indictment, BEC has evolved into a more complex venture with different areas of specialization:
- There are actors ("front end operators") whose role is to penetrate an organization, hijack and divert ongoing transactions, or induce victim organizations to make fund transfers under a fraudulent guise. Their activity may also entail falsifying transaction documents, such as invoices, purchase orders and payment requests.
- There are actors ("bankers") who specialize in opening the bank accounts with which front end operators "collect" the proceeds of their activities. The trend in the FBI case favors corporate accounts over individual accounts: the group specializes in registering business names and using those names to open bank accounts.
- There are "money movers" (commonly known as mules), who withdraw the proceeds from the collection accounts, either in cash or by fund transfer. The systematic approach with which the actors in the FBI case withdrew the proceeds is worthy of note. Most collection accounts were cleared out on the same day, by cash withdrawal, transfer to others, transfer to another controlled account, or a combination of these. These transactions were mostly masked to appear as payments for the purchase of cars.
- There are "money changers" who assist in converting the proceeds into the currency preferred by the front end operators. This group's modus operandi is perhaps one of the most potent ways of layering fraudulent transactions: exchange rates are not conventional and the transactions occur in two financial ecosystems simultaneously. For example, Mr. A gives $10 to Mr. B, a money changer, in the US. Mr. B transfers the Naira equivalent of $10 to Mr. A's account in Nigeria. Where the conventional rate is between N360 and N365 to $1, the agreed transaction rate between Mr. A and Mr. B is usually between N250 and N300.
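The same-day "collect and clear out" pattern of the money movers described above is something a bank's fraud team can screen for. The following is an added example, not from the original article or the FBI filing: it groups a constructed ledger by account and day, flags account-days where outflows reach a threshold share of that day's inflows, and records debit memos that match the car-purchase cover story. Account names, amounts and memo keywords are all invented for illustration.

```python
"""Detect same-day pass-through ("collection account") behaviour.

Added example with constructed data; account ids, amounts and the memo
keyword list are hypothetical, not drawn from the indictment.
"""
from collections import defaultdict
from datetime import date

# Constructed sample ledger: (account, date, direction, amount, channel, memo)
SAMPLE_TXNS = [
    ("BIZ-ACCT-0001", date(2019, 3, 4), "credit", 48_500.00, "wire", "Invoice 2231"),
    ("BIZ-ACCT-0001", date(2019, 3, 4), "debit", 20_000.00, "cash", "cash withdrawal"),
    ("BIZ-ACCT-0001", date(2019, 3, 4), "debit", 15_000.00, "transfer", "car purchase"),
    ("BIZ-ACCT-0001", date(2019, 3, 4), "debit", 13_000.00, "transfer", "vehicle payment"),
    ("BIZ-ACCT-0002", date(2019, 3, 4), "credit", 12_000.00, "wire", "Payroll funding"),
    ("BIZ-ACCT-0002", date(2019, 3, 6), "debit", 3_000.00, "transfer", "rent"),
]

# Memo terms matching the cover story the article describes (constructed list).
SUSPICIOUS_MEMO_TERMS = ("car", "vehicle", "auto")


def find_passthrough_accounts(txns, outflow_ratio=0.9):
    """Return {account: [(day, credited, debited, flagged_memos), ...]} for
    every account-day where same-day debits reach `outflow_ratio` of credits."""
    by_day = defaultdict(lambda: {"credit": 0.0, "debit": 0.0, "memos": []})
    for acct, day, direction, amount, _channel, memo in txns:
        bucket = by_day[(acct, day)]
        bucket[direction] += amount
        if direction == "debit" and any(t in memo.lower() for t in SUSPICIOUS_MEMO_TERMS):
            bucket["memos"].append(memo)

    hits = defaultdict(list)
    for (acct, day), b in sorted(by_day.items()):
        # Only an inflow followed by near-total same-day outflow is a hit.
        if b["credit"] > 0 and b["debit"] >= outflow_ratio * b["credit"]:
            hits[acct].append((day, b["credit"], b["debit"], b["memos"]))
    return dict(hits)


if __name__ == "__main__":
    for acct, days in find_passthrough_accounts(SAMPLE_TXNS).items():
        for day, credited, debited, memos in days:
            print(f"{acct} {day}: in {credited:,.2f} out {debited:,.2f} masked memos={memos}")
```

Newly registered business accounts (the "bankers'" speciality) and low balances remaining after the clear-out are natural additional inputs to weight such a score.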
An organization's effort at tackling BEC ends with preventing and responding to the activities of front end operators. There is little or nothing an organization can do about bankers, money movers and money changers. This is why collaboration with government and law enforcement agencies is required: corporates and law enforcement agencies need to close the gap and build a cooperative community to tackle BEC and other cybercrime.
Government should provide an adequate means for reporting cybercrime incidents. The FBI operates an Internet Crime Complaint Center (IC3) where victims of cyber fraud can report incidents. In the UK, victims can report to Action Fraud. In Nigeria, the Cybercrime Act provides for incident reporting; however, this provision has not been effective, mostly due to a lack of enforcement and of an adequate structure for incident reporting.
Finally, fraud risk managers in Nigeria currently work in silos, even within the same industry. If fraudsters collaborate to perpetrate their acts, it is only reasonable that anti-fraud professionals from all industries collaborate to effectively tackle BEC, other cybercrime and fraud in general.