That Urgent Email From Your Boss Could Be a Dangerous Fake

(Bloomberg Businessweek) -- If you work for a company that does business around the world, there’s a growing kind of fraud to watch out for: “business email compromise.” Among the victims in recent years are Ferrari NV and Arrow Electronics Inc., which lost millions of dollars after employees were tricked into wiring money to Hong Kong bank accounts.

The scam works like this: An employee in a remote office of a company will receive an email that purports to be from a senior executive or some other person of authority such as a lawyer. The email may be spoofed to look, at a quick glance, like it’s from the boss, with one or two letters incorrect in the address, or it might actually come from a hacked account. The email says the employee has been chosen for a special task, demanding secrecy and urgency—and typically requests the immediate transfer of funds to a Hong Kong-based account to make a purchase or to pay an invoice. Once the money is transferred, it’s quickly sent to multiple other accounts, disappearing into mazes of money networks that extend into China and elsewhere.
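A mail-triage check for the pattern described above, added here as an illustration and not taken from the article or from any company it names: it flags senders one or two characters away from a known executive address, and separately flags payment requests that invoke secrecy or urgency, since a hacked real account passes any address check. The executive address, the cue word lists and the two-edit threshold are assumptions made for the example.

```python
import re

# Assumed for illustration: the mailbox of the executive most likely to be impersonated.
EXECUTIVES = {"jane.doe@example-corp.com"}

# Cues taken from the pattern described above: secrecy, urgency, a funds transfer.
CUES = {
    "secrecy": re.compile(r"\b(confidential|secret|do not (tell|discuss)|between us)\b", re.I),
    "urgency": re.compile(r"\b(urgent(ly)?|immediately|right away)\b", re.I),
    "transfer": re.compile(r"\b(wire|transfer|remit|invoice|payment)\b", re.I),
}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def sender_status(address):
    """'exact' for a known executive, 'lookalike' if 1-2 edits away, else 'other'."""
    address = address.strip().lower()
    if address in EXECUTIVES:
        return "exact"
    near = min(osa_distance(address, known) for known in EXECUTIVES)
    return "lookalike" if near <= 2 else "other"

def triage(sender, body):
    """Return the reasons a message should be held for out-of-band verification."""
    reasons = []
    if sender_status(sender) == "lookalike":
        reasons.append("sender is 1-2 characters off a known executive address")
    hits = sorted(name for name, rx in CUES.items() if rx.search(body))
    # A hacked real account passes the address check, so content cues stand alone.
    if "transfer" in hits and len(hits) >= 2:
        reasons.append("payment request with " + "/".join(h for h in hits if h != "transfer"))
    return reasons
```

A non-empty result is a reason to confirm the request through a channel other than email, such as a call to a number already on file, before any funds move.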

Global losses have exceeded $12 billion from 78,000 companies in 150 countries since 2013, according to the Federal Bureau of Investigation, which named Hong Kong and Chinese bank accounts as the primary destinations for this type of fraud for the past several years. Such scams increased 136 percent by value in the 18 months through May of this year, following a 1,300 percent increase in the previous period in 2015-16, the FBI says.

“It’s a growing trend, because it’s a more targeted and efficient way for fraudsters to monetize cybercrime,” says Amie Chang, head of the Hong Kong office of investigation company Nardello & Co. “Because Hong Kong is such a major trade and financial hub, it’s easy to obfuscate illegitimate transactions among legitimate ones.” And in a globalized economy, it’s easy for employees to believe their company needs funds urgently transferred to Hong Kong.

“It’s invidious,” says Jeff Lane, a partner at law firm Tanner De Witt, who’s the Hong Kong representative of FraudNet, the case referral network of the International Chamber of Commerce. Lane’s firm last year handled 57 cases, but this year it had already fielded that many by September.

He puts the general recovery rate, if companies act quickly to freeze funds, at less than 50 percent. Law firms have to first identify all the accounts receiving the money as it was divided up and transferred, and then apply to freeze each account—if there’s any money still in it. Then lawyers have to seek a summary judgment to get the money returned, a process that can take years if contested. “Crime obviously does pay if you’re only getting half of the money back,” Lane says.

In the biggest case reported this year, a large Spanish mechanical parts manufacturer was defrauded of €11 million ($12.4 million) that was quickly disbursed into multiple bank accounts in Hong Kong. Police, who did not name the company, said they were able to return $7.7 million.

Last year, Ferrari’s North American unit was defrauded of $6.7 million when “an unknown person (or persons) impersonating the chief executive officer of the plaintiff’s parent company, Ferrari SpA” induced a senior executive to authorize payment in three installments to a Hong Kong bank account “as part of a bogus transaction to buy shares in a listed company on behalf of the plaintiff’s parent company,” according to an action seeking to recover funds in Hong Kong’s High Court. (Court documents were later amended: The chief financial officer, not the CEO, was impersonated.)

The money first was wired to the account of a Hong Kong company that trades timber used in wood flooring. Then some went to a frozen foods concern before hopping to other account holders including a frozen meat parts trader and several import-export companies. In July the court issued a summary judgment against an import-export company that had received $3.3 million in Ferrari cash from the wood flooring company, saying that it or two other companies it had transferred the funds to must return the money because they never had any dealings with the carmaker to justify such payments. The next hearing in the case is scheduled for December. So far, lawyers have been able to recover $2.2 million of Ferrari’s funds, according to a person familiar with the case, after recipients didn’t claim that the funds were rightfully theirs. Ferrari declined to comment on the case.

Arrow, an electronics company in Centennial, Colo., was hit for $23.4 million when an employee at a subsidiary in Norway was “induced by person(s) impersonating himself/themselves, over the telephone or in email as the CEO of Arrow Electronics or a lawyer with a Wisconsin law firm” to transfer the amount in nine installments over five days in 2016, according to a case in Hong Kong’s High Court. The company discovered the fraud four days later and ordered its Norwegian bank to recall the funds. The bank could recover only $5.97 million. The remaining $17.4 million had already been transferred to six HSBC bank accounts in Hong Kong, whose holders then transferred the funds again, the court documents said. HSBC Holdings Plc declined to comment on individual legal matters.

The High Court petition seeking to get the funds back from 26 accounts doesn’t claim their owners were engaged in fraud, only that they received the money and should return it. One recipient, a money-changing company, argued that it had conducted legitimate conversion of the money into Chinese yuan, which was then transferred to China. The court ordered in a summary judgment in May that $4 million be returned from various accounts. Arrow is continuing to seek additional recovery of funds in court. The U.S. company, which upon discovery of the fraud reported it in a filing to the U.S. Securities and Exchange Commission, declined to comment on the cases.

The Hong Kong police have so far declined to file charges against recipients of the funds, many of whom claim they don’t know why they received the money. The Hong Kong police force “continues to set out ‘combating technology crime and maintaining cybersecurity’ as one of the operational priorities,” a spokesman said in a statement. Police handled 1,382 cases of all types of cyberfraud totaling $488 million in the year through July and helped recover $80 million in 321 cases, the statement said.

“As far as we know, no one is ever being arrested for this,” says Susan Kendall, a partner at Baker McKenzie in Hong Kong, whose office has handled more than 100 business email compromise cases in the past three years. There have been arrests beyond Hong Kong: The FBI announced in June a coordinated international law enforcement operation that arrested 74 people for business email compromise fraud, including people in the U.S., Nigeria, Canada, Mauritius, and Poland. The Hong Kong office of the U.S. Department of Justice declined to discuss the issue. Kendall says cases are coming into her firm at a rate of four per month. “We’re still seeing Fortune 500 companies falling victim to this,” she says. —With Tommaso Ebhardt

To contact the editor responsible for this story: Pat Regnier at pregnier3@bloomberg.net, Eric Gelman

©2018 Bloomberg L.P.