The Other Unseen Enemy

Targeted email fraud known as spear phishing is costing businesses, including those in the biodiesel sector, billions of dollars. Learn what to watch for, and how to avoid falling victim to these scams.
By Ron Kotrba | April 02, 2020

As the novel coronavirus pandemic pushes the global healthcare system to the brink and temporarily grinds the world’s economies to a halt, another scourge affecting biodiesel-related businesses big and small has been around for years. This unseen enemy comes in many forms and goes by many names—spear phishing and CEO fraud being two of the more common ones—but in the end they are all email-enabled wire fraud, and they all end in lost revenue and lost trust.

“In the simplest terms, phishing is a fraudulent attempt to obtain information—financial, personal, usernames and passwords—through which the perpetrator is passing themselves off as a trustworthy entity that you’re familiar with,” says Scott Tremain, IT director for the National Biodiesel Board. “Phishing attempts are sent to large numbers of users simultaneously, like spam. It’s like casting a net in the ocean.”

Spear phishing, on the other hand, is just like the name suggests—it is a much more targeted phishing attempt. “The scammer has studied or gathered information about the victim online,” Tremain says. “Because of that, the scammer’s email includes personalization to trick the victim into falling for the scam.” The goal of spear phishers is to trick the target into remitting payment to accounts the scammer controls.

Everything a scammer typically needs to pull off a successful spear phishing attempt can be found on the victim’s corporate website for everyone to see: company staff members and executive leadership, logos and letterheads, email addresses, clients, news and more. To make matters worse, businesses and individual staff members within those companies often have social media accounts that detail personal information including children’s names, travel plans, likes and dislikes, and much more.

Outside of the content of a spear phishing email, which can include personal information, letterheads, a writing style and email signature that may lend credence to its legitimacy, one important detail the receiver sees right away is the name of the sender. “You can make the name anything you want,” Tremain says. “That’s easy to do.” Another important detail is the email address. Tremain says some scammers use email addresses that are similar to, but not exactly the address of the person they are impersonating. “The scammer is counting on, or hoping the victim won’t notice the email address is a little off,” he says. Maybe there is an underscore instead of a dot, or the name portion, the front half, of the email address is the same but the domain name, the back half, is one of the many free email services available instead of the company domain name. “To make matters worse,” Tremain says, “some email clients don’t show the sender’s address, so all you see is the sender’s name, which, again, can be anything you want.”

If using the impersonated person’s exact name as the display name on a similar-looking address is spear phishing 101, then Tremain says spear phishing 201 involves spoofing the sender address itself so it looks precisely like the address of the person being imitated. “Spoofing the email gets trickier, but spammers have long been able to do that,” he says. This is similar to how callers spoof telephone numbers to make it appear as if the call is coming from a local number with the same area and city codes. Tremain says although the incoming email address may look identical to the address of the person the spear phisher is imitating, the “reply to” email address will be different. “They’ll put their email address—or an email address they’ve created that is similar to the address they’re impersonating—in the ‘reply to’ field,” he says. This way, the email seems as if it’s coming from a trusted person, but the sensitive bank account or financial information in the reply is routed to the scammer.
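The sender-field tricks Tremain describes (a trusted name on a foreign or look-alike address, a free-mail domain, a Reply-To that points somewhere other than the From address) can be checked mechanically before anyone reads the body. The script below is an added example, not NBB’s or TCC’s tooling and not code from the article; the company domain, the executive list, the free-mail list and the three sample messages are constructed for illustration.

```python
"""Added example: flag sender-field tricks in a raw message: an executive's
display name on a foreign address, a free-mail or look-alike domain, and a
Reply-To whose domain differs from the From address."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not from the article): the company's domain,
# the executives a fraudster would impersonate, and a short free-mail list.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"joe jobe"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def levenshtein(a, b):
    """Edit distance; a domain one or two edits from ours is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_sender(raw):
    """Return a set of short finding codes for the From / Reply-To headers."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = set()
    # "Spear phishing 101": the real person's name on an address that is not ours.
    if from_name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.add("exec-name-off-domain")
    # "Spear phishing 201": From looks exact, but replies are routed elsewhere.
    if reply_addr and reply_dom != from_dom:
        findings.add("reply-to-mismatch")
    for dom in {from_dom, reply_dom} - {"", COMPANY_DOMAIN}:
        if dom in FREEMAIL:
            findings.add("freemail:" + dom)
        elif 0 < levenshtein(dom, COMPANY_DOMAIN) <= 2:
            findings.add("lookalike:" + dom)
    return findings


# Constructed sample 1 (the "101" case): similar address, free-mail Reply-To.
SIMILAR = """From: "Joe Jobe" <joe_jobe@examp1e.com>
Reply-To: ceo.office@gmail.com
To: cfo@example.com
Subject: Quick favor

Are you at your desk? I need a wire sent today.
"""

# Constructed sample 2 (the "201" case): From is the exact real address,
# only the Reply-To goes to a look-alike domain.
SPOOFED = """From: "Joe Jobe" <joe.jobe@example.com>
Reply-To: "Joe Jobe" <joe.jobe@examp1e.com>
To: cfo@example.com
Subject: Quick favor

Can you handle a wire for me today?
"""

# Constructed sample 3: a routine internal message with nothing to flag.
CLEAN = """From: "Joe Jobe" <joe.jobe@example.com>
To: cfo@example.com
Subject: Board agenda

Draft agenda attached for review.
"""

if __name__ == "__main__":
    for label, raw in (("similar", SIMILAR), ("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, sorted(analyze_sender(raw)))
```

The edit-distance threshold of two catches digit-for-letter and dropped-letter look-alikes but not a different top-level domain or a homograph in another script; normalise to ASCII (IDNA/punycode) before comparing if you handle international mail. A clean result here says nothing about the request itself, which still needs the phone call the article recommends.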

A more specific type of spear phishing is called CEO fraud. “This is even more diabolical because the scammer will make their email look like it comes from the company CEO,” Tremain says. Under the guise of the company CEO, the spear phisher, who again has done their homework, will send an email to the chief financial officer (CFO), the human resources or accounting departments asking them to wire funds. “As strange as it sounds, it’s easier to ask for the bank account information or for money to be wired than to hack into the company system or network,” Tremain says. “They just send an email and, surprisingly, companies fall for it. The FBI has statistics, and in 2015 alone there were 7,800 complaints and $246 million lost to CEO fraud. Since 2016, this has cost companies $26 billion. It’s working. People are being victimized.”

Industry Attacks
Paul Dickerson, president of Third Coast Commodities, a physical commodities merchandiser buying and selling fats, oils and greases in the biodiesel sector, says his company first became aware of spear phishing in 2014 when TCC got an email from a vendor stating that their bank information had changed. “It came in writing from a known email address,” Dickerson says. “A few days later, we got another email from the same address asking for payment.” Since the “bill” was already “paid,” TCC advised the vendor that payment was already remitted. “The receiver said, ‘We never got it, and we never changed our bank account information.’ We showed them the email, and that started the process. We went to the FBI, and they said unless it’s more than $50,000 in fraud, they wouldn’t chase after it.”

This was six years ago, and the situation has only gotten worse since then, particularly recently, Dickerson says. “We know and are now aware of dozens of similar cases of email or wire fraud like this in our industry,” he says. “It’s been particularly rampant in the past 90 days.” Dickerson rattles off a long list of well-known companies in this sector, from biodiesel producers and large rendering companies to lesser-known mom-and-pop outfits. When asked how he learned of all these companies falling victim to spear phishing, Dickerson says, “This is what we do for a living—we trade information and we’re at the nexus of a network of people who talk every day. Our industry wires millions of dollars daily, buying and selling RINs, transportation freight and feedstock. All it takes is the wrong person getting an email asking to change my bank information and there go tens of thousands of dollars.”

An ex-employee of a large rendering company who asked to remain anonymous tells Biodiesel Magazine of a similar situation that bilked his old firm of tens of thousands of dollars. “We had a customer pay an invoice after receiving an email from a trader within [our company] that our remittance information had changed,” the source says. “There was a PDF document attached to the email and they clicked on it, and it looked like our company letterhead. But instead of confirming this by reaching out and verifying whether this account information had in fact changed, there were no questions asked. The truckload of feedstock went to [the biodiesel producer] and they paid the new account. Then, a week later when we inquired on where they were with the payment, they told us that our account information had changed, and they paid it. This threw a bunch of red flags up and [the rendering company] got the FBI involved. Within something like 15 minutes of receiving the ACH (automated clearing house) payment, it was transferred and went through like 12 different accounts and was gone. Luckily this only happened with one truckload, but after that, the company cracked down.”

The NBB isn’t immune to this either, but thankfully, as the organization’s IT director, Tremain knows what to watch for. “We still get these,” he says. “I remember the first one we got maybe five or six years ago. Our CEO at the time was Joe Jobe, and he was traveling overseas. Our CFO received an email, which appeared to be from our CEO asking us to wire him $28,000. Immediately our CFO recognized that this isn’t something Joe would do.”

Tremain says he would not recommend doing this, but he wanted to see where responding to the email would lead. “When I hit reply, the email address in the ‘reply to’ field was something like ‘joejobe@gmail.com’ so I said, ‘Okay, let’s see what we can do here to reel them in a little,’” Tremain says. “After the CFO responded asking how to proceed with wiring the money to ‘Joe,’ we quickly got another email in which the scammer gave us their bank and account information. At that point, we stopped all communication and I contacted the bank, which is in New York City. Not surprisingly, this was not the first time the bank’s fraud department had taken a report on that account. After that, we never heard any more about it.”

NBB’s accounting office still gets this type of email from time to time, Tremain says. “When our CEO changed, so did those emails,” he says. “They are pulling this information from our website, which seems easy. It’s uncanny though how that email from ‘Joe’ said he was out of the country when, in fact, he was. I don’t know if the scammer knew this, or if it was just a lucky coincidence. It’s not farfetched to think that they did their research and knew he was traveling at a conference overseas. I can see them doing that—they want to make it as believable as they can.” 

When asked what can be done about prosecuting these fraudsters or recouping any lost money, Tremain says, “Nothing. I don’t think there is anything that can be done. When we got that one and we followed up, they sent us the bank information and account number. After notifying the bank and hearing nothing further from them, we reported it to the attorney general and the Federal Trade Commission, but the trail went cold before long. Whether they can trace the bank information back to an individual, I don’t know, but there are ways to obfuscate and hide behind these things.” 

Insurance won’t cover this type of loss either, Dickerson says. “If money is taken from your account, that’s one thing,” he says. “But if one willingly changes bank information without following up, then that’s when you’re out the cash.”

Dickerson says according to the FBI, this type of activity is strong in eastern Europe and southeast Asia. “It’s simple math,” he says. “There’s 3 billion people on planet earth who make less than $1,000 a year. They have the opportunity to go to work in a [shoe] factory earning $2 an hour, or they can pull off a scam like this and rake in tens of thousands of dollars—far more than they could ever make in a factory.” Anthony Pellegrino, a senior trader with TCC, says these fraudsters are monitoring their emails 24 hours a day. “As soon as they get a hit, they pull the money out and wire it to Asia or wherever,” he says.

With the novel coronavirus outbreak, concerns are mounting about email-related wire fraud ramping up. “Our biggest concern is what’s happening in the global economy right now,” Dickerson says. “There may be another 500 million people out of work, sitting around looking for money.” Tremain says scammers aren’t going to self-quarantine or take a break during the pandemic. “They typically come out of the woodwork after a disaster and prey on people’s generosity,” he says. “And that will be the case here too.”

Protective Measures
Technology only goes so far in protecting people from these scams, so it ultimately comes down to knowing what to look for and taking extra precautions before transmitting sensitive bank account information over email or remitting payment to someone asking via email to send funds to an unfamiliar or new account. “Spam filters and malware can only do so much to keep phishing emails from reaching your inbox,” Tremain says. “We see a lot of attempts that get filtered and stopped before reaching the inbox. There are products that, on the server level, scan emails for things.

“They’ve got algorithms to detect things. There are a lot of checks and balances sophisticated servers will use when emails come in. Like, if an email address doesn’t match the mail server it’s coming from, it’ll raise a red flag. But these scammers are always one step ahead to outsmart these filters. Just like with Covid-19, it’s your and my and everyone’s responsibility to do the right thing from a hygiene perspective to prevent the spread. It’s the same for businesses and email fraud. They have to educate themselves to be aware of what’s out there and how these fraud attempts are built and fashioned to trick people into responding, wiring money or bank information. Businesses must let their customers or clients know that they’ll never ask for this information over email. No real business will email you for your username and password. I hate to say, but so much of this is common sense. If you get an email like this, you need to ask yourself whether you know them. If you don’t, it’s a scam. If you do, then run it by your IT department or call the person who emailed you, or if you have their real email, send them a fresh email and ask them.”
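The server-level check Tremain alludes to (does the address match the mail server it is coming from) is what SPF, DKIM and DMARC do, and a receiving gateway records its verdicts in an Authentication-Results header (RFC 8601). The script below is an added example, not anything from the article or from NBB’s mail system: it reads those verdicts, discards any Authentication-Results header that does not carry our own gateway’s authserv-id (a sender can prepend its own header claiming spf=pass), and compares the envelope sender domain with the visible From domain. The authserv-id mx.example.com and both sample messages are constructed.

```python
"""Added example: read the spf/dkim/dmarc verdicts written by our own mail
gateway, ignore Authentication-Results headers anyone else added, and check
that the envelope sender domain matches the visible From domain."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not from the article): the authserv-id our gateway writes.
OUR_AUTHSERV_ID = "mx.example.com"
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(addr):
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def trusted_verdicts(msg):
    """spf/dkim/dmarc results from headers carrying our authserv-id only.
    A header whose authserv-id is not ours may have been written by the
    sender, so it is discarded rather than trusted."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        for method, result in RESULT_RE.findall(rest):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def assess_authentication(raw):
    """Return a set of reason codes; an empty set means nothing looked off."""
    msg = message_from_string(raw)
    verdicts = trusted_verdicts(msg)
    header_from = domain_of(parseaddr(msg.get("From", ""))[1])
    envelope_from = domain_of(msg.get("Return-Path", "").strip().strip("<>"))
    reasons = set()
    if not verdicts:
        reasons.add("no-trusted-auth-results")
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) == "fail":
            reasons.add(method + "=fail")
    # Coarse alignment check: bounce address domain vs the domain the reader sees.
    if envelope_from and header_from and envelope_from != header_from:
        reasons.add("envelope-mismatch")
    return reasons


# Constructed sample: the sender injected a forged Authentication-Results
# claiming a pass; our gateway's own header, added later, records the failure.
FORGED = """Return-Path: <bounce@attacker.example>
Authentication-Results: mx.attacker.example; spf=pass smtp.mailfrom=example.com; dmarc=pass
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=example.com
From: "Joe Jobe" <joe.jobe@example.com>
To: cfo@example.com
Subject: Wire request

Please process this today.
"""

# Constructed sample: a message our gateway authenticated end to end.
CLEAN = """Return-Path: <joe.jobe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Joe Jobe" <joe.jobe@example.com>
To: cfo@example.com
Subject: Board agenda

Draft agenda attached for review.
"""

if __name__ == "__main__":
    print("forged", sorted(assess_authentication(FORGED)))
    print("clean", sorted(assess_authentication(CLEAN)))
```

Forwarders and mailing lists legitimately break SPF, so treat the output as a signal for a reviewer or a quarantine rule, not a verdict. None of this helps when the fraudster writes from a genuinely compromised mailbox at the vendor, which is exactly the case the verification phone call in the next paragraphs covers.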

Dickerson says TCC has an internal policy never to change anyone’s bank information until it’s been verified through a phone call or other means. “I am shocked how many people didn’t have that kind of policy,” he says. “In January, people started receiving emails on our letterhead, which several of our customers got and changed bank account information. We thought we had made everyone aware, but you have to be repetitive—over and over. Don’t change anyone’s bank information without talking to a voice you’re familiar with. If the whole industry adopted that technique, these fraudsters would be shut down tomorrow. It’s that simple. Do not change people’s bank information without approval or talking with them in person.”

Other protection measures TCC employs include two-factor authentication for company smartphones, application security controls, Microsoft Authenticator for all system logins and more. “Also, our bank has external key fobs, so there’s a password and remote fob key and a random number generator so you have to be in possession of that, and a username and password, so if they detect an [unfamiliar] computer there’s a third-party text to phone.”

After the large rendering company was taken for thousands of dollars, the source says the firm sent out a companywide letter from the legal department, broadcasting that if employees receive any kind of email request changing bank information, it must be verbally approved and confirmed. “The company did its best to mitigate any further occurrences by telling customers, ‘We never change our bank or account, as we’ve been with the same bank for 20 years, so if you see anything like this, please call first. If you need to call a trader, then call them, but never change our remittance information.’”

The source says other attempts came through and they were red-flagged and caught. “We also received scam emails from what looked to be our vendors,” the source says. “After all this happened, the IT security team developed an in-house phishing program where we all had to go through a one-hour training course. Then they would test us by sending us emails that would look real but when you’d hover the mouse over the address line, you’d see it was fake, stuff like that.”

Writing styles can be spoofed too. “If it comes in writing through an email, they can spoof anyone’s writing to where you can’t tell it’s fake,” Dickerson says. “But if you know my voice, my phone number, and a second party in my company, it’s as simple as that.” Tremain reiterates that common sense is critical. “Look at emails closely,” he says. “Look for broken English, or their writing style or lack of an email signature. Look at the email address or the address in the ‘reply to’ field. Be skeptical and really scrutinize these.” He adds that people must also continue to be careful about what links they click on in their emails. If one is unsure whether the email is legitimate, open a web browser and access the site directly, he says. “We’ve got to start being more cautious when dealing with emails,” he says. “People hear this a million times, but the problem continues.”
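The hover test the rendering company’s IT team trained on (the visible link text says one thing, the underlying href goes somewhere else) can be automated over an HTML body before a message reaches a person. The parser below is an added example, not code from the article or from any company mentioned in it; the sample HTML and the domains in it are constructed.

```python
"""Added example: find links in an HTML email whose visible text names a
different host than the href actually points at."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL-like string; '' when the text is plain words."""
    text = text.strip()
    if not text or " " in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    host = (urlsplit(candidate).hostname or "").lower()
    return host if "." in host else ""


def mismatched_links(html):
    """Return (visible text, real host) for anchors whose shown host and real
    host differ; a real host under the shown domain (login.example.com for
    example.com) is allowed."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            flagged.append((text, actual))
    return flagged


# Constructed sample body: one deceptive link, one worded link, one honest one.
SAMPLE_HTML = """<p>Please review the updated remittance form at
<a href="https://portal.example-bank.com.attacker.example/login">https://portal.example-bank.com/login</a>
and our <a href="https://www.example.com/policy">privacy policy</a>,
or sign in at <a href="https://login.example.com/">example.com</a>.</p>"""

if __name__ == "__main__":
    for text, real_host in mismatched_links(SAMPLE_HTML):
        print(f"link text {text!r} actually goes to {real_host}")
```

It only flags anchors whose visible text itself looks like a URL or hostname; wording like “click here” makes no claim to compare against, which is why the article’s advice to open a browser and go to the site directly still applies.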

In the end, this type of fraud can destroy relationships and cost businesses a lot of money. “Stay diligent,” the rendering company ex-employee says. “Don’t take anything for granted.” Keeping open lines of communication is critical between companies and customers or vendors, and internally between executives, the IT department and employees. “The biggest thing is awareness,” Dickerson says. “Talk about it. Call us. Stop the problem from happening. We’ve been able to alert multiple companies that they are under attack. Tell them we’re not changing this until we talk. If every company did that—made that phone call—this would all be over tomorrow.” 

--------------------------------------------------------------------------------------------------------------------

Checklist to Help Avoid Falling Victim to Email Wire Fraud

1. Never change remittance or provide bank account information, usernames or passwords solicited via email without verification through other means (phone call, in writing, in person, a fresh email to known contacts, etc.).

2. Develop an internal policy on emails soliciting financial information or bank account changes, and notify customers of this policy.

3. Develop a rigorous internal training program to make personnel aware of these scams, what to watch for, and test employees afterwards.

4. Collaborate with customers on education, training, corporate policy and protocols.

5. Scrutinize emails, particularly those seeking sensitive information.
a. Look closely at the sender’s name and incoming email address, and even more importantly the email address in the “reply to” field.
b. Watch for broken English, misspellings or inconsistencies in language and writing style.
c. Look at signatures and scrutinize for inconsistencies.

6. Be aware of information posted to the company website and know this may be used by spear phishers.

7. Be cognizant of information posted on social media accounts including travel plans, children’s names and other personal information.

8. When in doubt, run any suspect emails by the IT department.

9. Be wary of clicking on links.

10. Stay diligent.

------------------------------------------------------------------------------------------------------------------

Author: Ron Kotrba
Editor in Chief, Biodiesel Magazine
218-745-8347
rkotrba@bbiinternational.com