By Keith A. Gauer

How Email Compromise Fraud Schemes Work

Criminals continue to target financial institutions and their customers with email compromise fraud schemes.  Email compromise fraud occurs when a criminal uses a victim’s email account to impersonate the victim and to request a fraudulent wire transfer in an attempt to steal funds.  Victims can include individuals and businesses, both large and small, and the bank accounts can be located at large national banks or single branch community banks in rural South Dakota.  These fraudulent transactions generally cannot be revoked, leaving financial institutions and customers unable to cancel payments or recall funds.  Accordingly, the best defense for financial institutions is to identify these schemes before the funds leave the bank.

Typically, email compromise fraud schemes involve three steps.  First, the criminal compromises the victim’s email account.  Through the compromised email account, the criminal obtains information about the victim’s financial institutions, account details, and other related information.  Next, the criminal uses the email account to send fraudulent wire transfer instructions to the victim’s financial institution.  Criminals may also create a fake email account similar to the victim’s to relay instructions.  Lastly, the financial institution unwittingly complies with the seemingly legitimate request and wires the customer’s money to a criminal’s foreign or domestic bank account.

Criminals have become incredibly skilled at wording their requests specific to their victims.  According to some complaints, transfer requests have coincided with victims’ travel dates or were of similar dollar amounts to legitimate business transactions.  These similarities cause the requests to appear legitimate.  Although there is no guaranteed way to identify fraudulent transactions, there are some red flags banks and financial institutions should be prepared to spot.

  • Emails received from an address that is slightly different than an existing customer’s email address. Criminals often choose to create a fake email account by changing, deleting, or adding one or more characters.  For example, a criminal may replicate [email protected] as [email protected] or [email protected].
  • Instructions altering previously verified transaction language, timing, or amounts.
  • Requests that are identified as “urgent,” “confidential,” or “secret” (with a request that the bank not contact others in the company).
  • Unusual transfers to foreign bank accounts.
  • Instructions to transfer to an existing beneficiary at a new or different account.
  • Requests to transfer to a new beneficiary, who has no documented business relationship or payment history with client.
  • Additional payment requests received immediately after a successful payment to a new account.

Common Practices to Identify and Stop Transfers

Some banks and financial institutions have chosen to implement certain practices in an attempt to identify fraudulent requests and stop the transfer before it is made.  A few of these practices include:

  • Asking employees to use the “forward” button when responding to emails instead of the “reply” button, ensuring the correct email address receives the response by either typing it into the “to” field or selecting it from the banker’s own address book.
  • Implementing a two-step verification process such as following up on email funds transfer requests via telephone or verifying requests with a separate customer representative. It is important to follow up using only pre-existing trusted contact information.  Individuals should never be contacted using the contact information provided in the email along with the request.
  • Holding requests for international wire transfers for a set length of time that is sufficient to verify the legitimacy of the request.
  • Monitoring for sudden changes in customer business practices.
  • Creating email intrusion detection system rules to flag emails with extensions that are similar to customer emails.

It is important that victims of email compromise fraud schemes and financial institutions report unauthorized wire transfers immediately.  Unauthorized transfers reported within 24 hours have the best chance at being recovered.  In the event of a fraudulent transfer, FinCEN directs victims and financial institutions to contact law enforcement, their local FBI office, the Internet Crime Complaint Center at, and the nearest USSS field office at  Financial institutions may also consider contacting the financial institution where the fraudulent transfer was sent.  Financial institutions should also comply with all Suspicious Activity Reporting requirements.

Davenport, Evans, Hurwitz & Smith, LLP, located in Sioux Falls, South Dakota, is one of the state’s largest law firms. The firm’s attorneys provide business and litigation counsel to individuals and corporate clients in a variety of practice areas. For more information about Davenport Evans, visit