Business Email Compromise (BEC) Fraud is under DOJ's Microscope | White Collar Defense

Summary of Post

Business email compromise (BEC) fraud is a common scam that involves intercepting email communications, posing as a vendor for an established company, and siphoning millions of dollars to nominee bank accounts.  The scheme normally involves an organizer at the top and numerous lower-level conspirators who set up bank accounts, facilitate money transfers, and/or hack email accounts.  The government is hyper-focused on prosecuting BEC fraud and remains active in enforcing the wire fraud statute against this scheme.  Its ability to convict the actors often depends on the evidence to support their knowledge of the scheme’s operations when the actions were conducted.

Business Email Compromise Fraud

Over the last several years, we have seen a steady rise in white-collar fraud prosecutions.  This includes an uptick in criminal tax, healthcare fraud, and other complex fraud schemes.  A complex fraud scheme that has garnered increased attention from the federal government is business email compromise (BEC) fraud.  BEC fraud begins with compromising official email communications with a major business and ends with siphoning millions of dollars from business accounts.  While the inner workings of each scheme can differ, the nuts and bolts of BEC fraud are well known to federal prosecutors.  This blog will outline these core components of this fraudulent scheme and provide some insight into potential defenses.  At the end, we will lay out some of the largest BEC fraud prosecutions in the country.

BEC fraud is appropriately named, as intercepting email communications serves as the starting point for the scheme.  The scheme involves bad actors intercepting email communications from a business.  These interceptions will reveal common vendor names and other contractors that engage with the hacked business account.  Armed with this information, the actor will create an email address that is similar to that of the vendor or contractor.  This new email address will send communications to the business posing as the known vendor.  This email will normally provide updated banking information to use on all future payments for work performed.

If the target business believes the email is valid, the accounting department will update the payment information for the vendor in their system.  Future invoice payments are sent to the new bank accounts.  This process can go on for many months before the real vendor notifies the business of non-payment.  By that time, the payments have passed through the nominee bank account into an account outside the reach of the U.S. government or liquidated into cash.  The business is unlikely to recover their money by the time they become aware of the issue.

An example will likely assist in understanding the scheme.  Let’s assume we have a general contractor that builds high rises in downtown Houston.  The general contractor subcontracts particular sections of the build to subcontractors.  These subcontractors include foundation companies, engineers, drywall experts, electricians, and other specialists.  It is the normal practice for general contractors to use the same firms or experts for multiple builds.

To execute a BEC fraud against the general contractor, the actor would intercept emails between the companies to determine the flow of money.  With this knowledge, the actor can create an email address posing as a subcontractor on specific jobs.  The actor would then email the general contractor providing updated bank account information to send payments for work performed.  If the general contractor’s accounting department believes the email communication, and updates their accounting records, the fraud is complete.  All future payments will be sent to a nominee bank account that is entirely disconnected from the subcontracting vendor.  The harm caused by the fraud will be determined by the number of payments and amount of time that passes before the error is uncovered.
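From the target business's side, the step described above (a look-alike sender address asking accounting to update a vendor's bank details) can be screened for before the payment record is changed. The following is an added example, not part of the original post: the vendor domains, the phrase list, the character swaps and the sample message are all constructed for illustration, and checking the Reply-To header goes slightly beyond the case in the text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical vendor master list: domains accounting already pays.
KNOWN_VENDOR_DOMAINS = {"acme-foundations.example", "lonestar-electric.example"}
# Constructed phrase pattern for "please update our payment details" requests.
BANK_CHANGE = re.compile(
    r"(updated?|new|chang\w+)\s+(bank\w*|account|routing|wire|remit\w*|payment)", re.I)
# Digit-for-letter swaps often used to imitate a domain (constructed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})

def skeleton(domain):
    """Fold visually confusable spellings (0/o, rn/m, vv/w) into one form."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the known vendor domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in KNOWN_VENDOR_DOMAINS:
        return None  # exact match: this is the real vendor domain
    for known in KNOWN_VENDOR_DOMAINS:
        if skeleton(domain) == skeleton(known) or edit_distance(domain, known) <= 2:
            return known
    return None

def triage(raw_message):
    """List the reasons a message should be held for out-of-band verification."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        dom = parseaddr(msg.get(header, ""))[1].rpartition("@")[2]
        target = lookalike_of(dom) if dom else None
        if target:
            findings.append(f"{header} domain {dom} imitates {target}")
    if findings and BANK_CHANGE.search(f"{msg.get('Subject', '')} {msg.get_payload()}"):
        findings.append("requests a change to payment details")
    return findings

# Constructed sample: "acrne" (r + n) stands in for "acme".
SAMPLE_SPOOF = ("From: Accounts <billing@acrne-foundations.example>\n"
                "Subject: Updated bank details for invoice 1042\n\n"
                "Please use our new bank account for all future payments.\n")
```

A message that returns any findings should be confirmed with the vendor through a phone number already on file, not through contact details in the email itself.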

Financial Harm in Business Email Compromise Fraud

BEC fraud can target small businesses or larger corporations.  This scheme can result in losses of a few thousand dollars, or in some cases, millions over a few weeks.  The cases that we see prosecuted federally involve fraud that exceeds one million dollars.  In line with customary practice, the federal government avoids wasting resources on smaller fraud schemes, leaving the state district attorney’s offices to handle schemes with lower monetary value.

Common Participants in Business Email Compromise Fraud

These schemes normally involve two key levels of actors.  The top level includes people that put together and orchestrate the fraud.  These people are involved in intercepting email communications, providing fraudulent banking information to the target business, moving money out of the nominee bank accounts, and profiting from the venture.

As with most schemes, the organizer of the scheme will need to take steps to obfuscate his involvement.  The top-level actors rarely tie their name to the transactions or otherwise expose themselves through banking or email documents.  They need marks or co-conspirators to serve as insulation at each level.

The first level of insulation occurs at the hacking level.  The organizers will generally not use their own IP address or email accounts to interact with the target business.  This communication is handled by third parties with overseas accounts.  The email communications, email address ownership, and the drafting of false documents will be handled by a non-organizer in nearly all cases.

The second level of insulation occurs at the banking level.  The organizer needs someone to open bank accounts that can be used as conduits for fraud proceeds.  These accounts need to reside at major banks within the United States to avoid any red flags at the target business.  Organizers often use young, naïve members of the community to provide insulation at this level.  Their participation is often based on a lie.

Liability for the Organizer of a Business Email Compromise Fraud

The government will likely have a difficult time proving a case against the organizer on documents or technology alone.  The organizer of the scheme will spend considerable time ensuring the paper trail and IP markers provide no link to them personally.  While mistakes are made during the obfuscation, most organizers do a decent job of masking their participation.

The organizer is often brought down through witness testimony.  The parties who are not insulated will be easy to locate for government agents.  Their IP addresses are tied to certain communications and/or their names will be tied to bank accounts used in the scheme.  The first investigative step will invariably involve the government reaching out to the exposed prongs in the scheme to obtain more information.

In the federal system, the government provides numerous incentives for people to cooperate during an ongoing investigation.  These incentives include agreements to not charge the cooperator, charge bargaining (agreeing to a lesser offense than the evidence supports), and/or agreements to lower the cooperator’s sentence if they help in the prosecution of others.  These incentives create an environment for witnesses to come forward.  In these cases, their participation is often crucial to peeling back the onion and locating the organizers at the top of the food chain.

Defenses for an Organizer of a Business Email Compromise Fraud

BEC fraud is normally charged under the wire fraud statute as a substantive violation or a conspiracy.  Under either route, the government must prove the organizer had the specific intent to commit fraud.  More pointedly, they must prove the actor knew the information being supplied was false and chose to engage in the behavior for financial gain.

If the government can show the organizer met with the email hackers, facilitated the creation of bank accounts, and benefitted from the transferred money, their case will be solid.  These cases will be built on the backs of witnesses that can fill in the narrative surrounding the documents.

The defenses mimic those found in other areas of white-collar litigation.  These cases are fought and won on the mens rea element(s).  Once a defendant is indicted, the government will likely be able to prove that some action was taken by the defendant.  They will have witness testimony and some documentation to corroborate the narrative.  The defense will come down to challenging the defendant’s knowledge of the illegal scheme and false representations, and the benefits derived from the behavior.  In white-collar fraud cases, the defense is nearly always tied to the willfulness, specific intent, and knowledge elements.

Liability and Defenses for the Bank Account Creators in a Business Email Compromise Fraud

A criminal target that created bank accounts involved in a BEC fraud will not be difficult to locate.  Their identification and social security numbers will be tied to a bank account involved in transferring fraud proceeds.  In addition, their participation in the fraud scheme will be easy to show; the defendant voluntarily opened an account and the account’s sole purpose was to facilitate fraud.

In line with the organizers, defenses for the account creators will be tied to the government’s ability to show the defendant had the specific intent to engage in a fraudulent scheme. This defense relies on the narrative surrounding their involvement in the operation.   Often, organizers will not tell the bank account creators the real reason behind creating the bank accounts.  They will often come up with some story on why the account should be created.  This story is often sold alongside a business engagement between the parties.

Many account creators start the “criminal conduct” without the proper knowledge to prove liability under the wire fraud statute.  If a defendant does not know of the illegal purpose for his conduct, he has committed no criminal offense.  However, this starting point begins to erode as the transactions multiply and strange requests continue to pile up.  For example, let’s assume an organizer convinced Defendant X to open an account.  The organizer advised Defendant X that the account was needed if he wanted to participate in his crypto trading group.  At the outset, Defendant X has not engaged in any criminal conduct.  While he has opened a bank account that will be used in a fraud scheme, he has done so without the requisite knowledge of the scheme’s illegal purpose.

Now, let’s add some facts.  Over the course of the next three months, the organizer removes Defendant X’s ability to transact in the account online, millions of dollars pass through the account in a single day, and Defendant X is paid $25,000 per month.  These facts change the analysis.  It should strike even a young, naïve person as strange that the organizer has cut him out of his own account, the account is transacting in millions, and payments are being received for no apparent reason.  Defendant X’s ability to argue he lacked the requisite knowledge or intent diminishes with each red flag.

Under these facts, there is a fact issue relating to whether Defendant X knew the bank account was being used for illegal purposes.  The government will likely find criminal exposure if he continues to participate after red flags begin to multiply.

The Role of Willful Blindness in Business Email Compromise Fraud

Knowledge and intent provide the foundation for white collar fraud defense.  This is true across the spectrum, including criminal tax fraud, healthcare fraud, wire fraud, and bankruptcy fraud.  It is true that the government must prove a defendant knew of the criminal scheme and chose to continue in his conduct under all theories of fraud.  Often clients struggle with this concept as it seems impossible to show what a particular person knew at the time of a transaction.

The law acknowledges the difficulty in proving what someone actually knew and cures it with the concept of willful blindness.  The willful blindness doctrine states that a person cannot intentionally avoid learning the details of a criminal scheme and later use that lack of knowledge as a defense. Put differently, the government can meet the mens rea elements by showing the defendant saw various red flags and deliberately chose to bury his head in the sand to avoid knowledge.

The Supreme Court, and other courts, have leaned into the “piano player in a whore house” metaphor when analyzing this concept.   Under the metaphor, a defendant has been employed by a whore house as the piano player.  He comes to work each day and never visits the upstairs bedrooms.  When his shift is over, he does not interact with the prostitutes or the owners.  He collects his paycheck each month.

If indicted for participating in a prostitution operation, the piano player cannot argue that he lacked knowledge of the purpose of the business.  The piano player surely saw multiple red flags during his sessions, and if he did not know the nature of the business, it is only because he intentionally chose to avoid that knowledge.  If a person is armed with enough information to know a fact is probable, they may not use their intentional avoidance of confirmation as a defense to criminal liability.

One of the more absurd attempts at willful blindness occurred within one of our cases a decade or so back.  The defendant was charged for conspiring to traffic cocaine in the Southern District of Texas.  Her role was to drive large volumes of cocaine from north Texas down to Houston.  Her drops contained similar facts each time – she drove to Dallas, the drug dealers loaded her trunk with burlap bags, she transported the cocaine to Houston, and drug dealers would unload the bags.  Post-indictment, the client wanted to argue that she did not knowingly participate in the conspiracy because she never looked inside the burlap bags.

This is a classic case of willful blindness.  She was paid large sums of money for the transportations and she was dealing with men she knew to be drug dealers.  Under those facts, she knew a fact was probable (if not obviously true), and any lack of knowledge she had derived from her deliberate decision to not confirm the fact.

The doctrine of willful blindness provides a solid foundation for understanding the fine line under BEC fraud.  The government does not need to prove the defendant knew the precise details of the fraud to obtain a conviction.  It is sufficient to show a jury the defendant knew of many red flags and should have known crime was afoot.  As the red flags pile up, the defense becomes harder and harder to sell to a jury.

Largest Business Email Compromise Prosecutions

Over the last five years, there have been some very large BEC fraud schemes.  The most compelling are as follows:

Business Email Compromise Fraud and the Department of Justice

The Department of Justice (DOJ) is a machine with hyper focus.  The government knows they have a finite number of resources and they choose specific areas to target their criminal agents.  Each presidential term, and new Attorney General, will shift this focus slightly.  While DOJ always focuses on some form of white-collar crime, they do not cast a very broad net.  DOJ will attack a certain scheme or area of fraud for many years before pivoting elsewhere.

Over the last five years, BEC fraud has been one area that has garnered significant attention from DOJ.  The agents understand the scheme and know how to develop these investigations.  The investigations result in millions of dollars in fraud which justifies the allocation of significant resources.  I would expect BEC fraud to remain a focus of DOJ for the foreseeable future, or at least until the organizers internalize the risk and move on to new schemes, or a new Attorney General shifts the focus elsewhere.  For now, this remains a hot area for prosecution.