Email Account Compromise Incidents Up in 2022

FBI IC3 Report for 2022 Shows Worrying Trends

Each spring the FBI’s Internet Crime Complaint Center (“IC3”) publishes a report on trends in online crime. Past reports provided a good sense of how online criminals, scam artists, and fraudsters leverage technology to further their goals and deprive unsuspecting victims of their money, personal data, and other assets. While the common threats of phishing, extortion, and data breach incidents remain constant, the more depressing news in the 2022 report is the rise in fraud and scams via compromised email accounts.


In prior years, email account compromise (“EAC”) and its close relative, business email compromise (“BEC”), steadily grew in incidents and losses; 2022 continues this trend with more than 21,000 reported cases and a total of $2.7b in losses, up 9% from 2021. For those unfamiliar with these crimes, EAC is where one’s email account is hacked and, unknown to the account holder, used to perpetrate fraudulent transactions on others; BEC is similar but affects the email account of a key individual in a business. What the two variations have in common is that they involve the transfer of funds.


As an example of how this typically happens, say someone is about to purchase a home and needs to transfer the down payment to the escrow holder. The escrow holder’s business email account is hacked before the transaction occurs, and alternative instructions are then sent to the home buyers. The instructions typically diverge from the original instructions by informing the buyer that, due to threshold limits or for other reasons, there is a new bank account to which the money should be sent. As the message comes from the same email address used in prior communications, the buyer usually suspects nothing and, with the excitement of the new home purchase, submits the wire transfer to the new, fraudulent bank account. A few days pass before the seller informs the buyer it never received the payment, and by then the bank has cleared most if not all of the payment. Despite the warning signs of a new bank account outside the original agreement, this type of activity frequently occurs.


Despite this increasing use of BEC or EAC to commit fraud, the legal system lags in addressing it. In many instances, the victim who erroneously transmitted the funds to the wrong account because of another’s fraudulent actions still remains responsible for the funds needed to fulfill their contractual obligations. Under the “best position” principle, the party in the best position to spot and prevent the fraud is ultimately responsible for the loss. This is so even under the broader imposter rule, which affirms that an imposter’s endorsement of a negotiable instrument (i.e., check) is NOT a forgery and is effective, as the drawer was induced to issue the check by an impersonator of the payee. (Title Ins. Co. v. Comerica Bank – California, 27 Cal. App. 4th 800 (Cal. App. 6th Dist. 1994)). From 2012 to 2021, as the cases of EAC/BEC grew, a smattering of lower courts tried applying this rule to cases involving EAC/BEC. (Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc., 759 F. App’x 348, 359 (6th Cir. 2018)); (Jetcrete N. Am. LP v. Austin Truck & Equip., Ltd., 484 F. Supp. 3d 915, 919 (D. Nev. 2020)). It was not until late 2021 that a court declared that the imposter rule applied only to “securities and negotiable instruments” and not to emails, where the deception frequently occurs in BEC/EAC, and that the other courts had engaged in “creating new law.” The court took a very hard view of those who were deceived, stating that the affected parties needed to exercise vigilance when sending a wire transfer. (Peeples v. Carolina Container, LLC, No. 4:19-cv-21-MLB, 2021 U.S. Dist. LEXIS 176076 (N.D. Ga. Sep. 16, 2021)). While the court correctly applied the black letter of the law, it failed to address the EAC/BEC problem.

A short time later in 2021, the Supreme Court held that Section 13(b) of the Federal Trade Commission Act, which helps the FTC secure relief for victims of scams, could not be used by the agency to obtain restitution for scam victims, finding in favor of AMG Capital’s Scott Tucker, who scammed $1.3b in a deceptive payday lending scheme. (AMG Capital Mgmt., LLC v. FTC, 141 S. Ct. 1341, 209 L.Ed.2d 361 (2021)). As a result, the FTC’s ability to obtain monetary relief under 13(b) became very restricted, leaving EAC/BEC victims little recourse.


There is hope, however. In September 2022, the FTC announced that it would hold an informal hearing on its proposed rule to codify impersonation scams, including those carried out via email, as violations of the FTC Act and to allow the FTC to recover money from, or seek civil penalties against, scammers who harm consumers in violation of the rule. Scheduled for May 4, 2023, this hearing will hopefully be the first step in establishing a legal framework to effectively address the growing problem of EAC/BEC fraud. Otherwise, we may continue to see the same sad trends in next year’s IC3 report.


In the meantime, here are some simple steps to take to help avoid being a victim of EAC/BEC fraud:


  • Disclose your email address selectively, and only to those who need it.
  • Use non-email media, such as text or phone, to authenticate the sender.
  • Configure your mail application to display email extensions in full.
  • Check the sender’s email address against the claimed organization name.
  • Examine the sender’s email address before sending any funds or information.
  • Use two-factor authentication (“2FA”) whenever possible to avoid unauthorized access to your accounts.
  • Never provide sensitive information such as login credentials or PII in response to emails.
  • Leverage credit monitoring and review financial accounts for anomalies.
  • Deploy spam filters, anti-malware, and anti-phishing tools on all devices.
  • Be suspicious of businesses or senders using free email services such as Yahoo Mail, Gmail, Hotmail, etc.
  • Apply the latest patches to software as directed and in a timely manner.
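
The sender checks in the list above (comparing the address with the claimed organization, and flagging free email services) can be automated for incoming mail. The sketch below is an added example, not part of the original article; the organization name, its verified domain, the free-mail domain list, and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains of the free services the checklist names.
FREE_MAIL = {"yahoo.com", "gmail.com", "hotmail.com"}

# Constructed sample: organization name -> domain you confirmed by phone or text.
VERIFIED = {"acme escrow": "acme-escrow.example"}


def review_sender(from_header, verified=VERIFIED):
    """Return a list of warnings for one From: header value."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no parseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    warnings = []
    if domain in FREE_MAIL:
        warnings.append(f"free email service: {domain}")
    # Compare the organization the display name claims with the real domain.
    for org, good in verified.items():
        if org not in display.lower():
            continue
        if domain != good and not domain.endswith("." + good):
            warnings.append(f"claims '{org}' but sent from {domain}")
    return warnings


# Constructed From: headers for illustration.
SAMPLES = [
    '"Acme Escrow Closing Team" <closing@acme-escrow.example>',
    '"Acme Escrow" <acme.escrow.wires@gmail.com>',
    '"Acme Escrow" <closing@acme-escr0w.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", review_sender(header) or "no warnings")
```

An empty warning list does not clear a message: in an EAC case the fraudulent instructions come from the genuine, compromised account, so any change to payment details still needs confirmation by phone or text before funds are sent.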

