FINAL SCRIPT – FRAUDCAST: BUSINESS EMAIL COMPROMISE SCHEMES

JENNIFER: Hello and thank you for tuning into this initial “fraudcast” by the U.S. Environmental Protection Agency Office of Inspector General. Our ongoing podcast series shines a light on EPA OIG work and resources. Inspector General Sean O’Donnell declared 2024 the year of innovative fraud-fighting. In that spirit, we are adding a new dimension to our series. Starting now, we will periodically bring you interviews with OIG senior leaders about scams and schemes affecting the two agencies we oversee, the EPA and the Chemical Safety and Hazard Investigation Board. My name is Jennifer Kaplan and I work in the EPA OIG’s Office of Congressional and Public Affairs. I’m joined by Assistant Inspector General for Investigations Jason Abend. Welcome, Jason. You’re the first guest for an EPA OIG fraudcast.

JASON: Thanks for inviting me, Jennifer. I am excited to be joining you to highlight an important issue during our “Year of Fighting Fraud.”

JENNIFER: Today’s topic is a fraud alert recently issued by the EPA OIG about an increasingly prevalent type of cybercrime known as a business email compromise. Can you explain what that entails?

JASON: Sure. In a business email compromise, criminals are looking to profit by diverting funds from an organization that administers or receives financial transactions. That could be something as large as a government agency like the EPA, something like a local nonprofit that serves a community, or even a small business that is working to service those communities or the government agency. The criminals target employees at those organizations by sending them emails mimicking a legitimate request for funds with the ultimate goal of either stealing money or sensitive information, or maybe even doing both.

JENNIFER: But why do employees on the receiving end comply with fraudulent requests?

JASON: These are highly sophisticated phishing schemes that leverage technology, even artificial intelligence, to deceive the recipients. Messages look realistic. That’s really important to understand. The sender’s address may be nearly identical to a real one with perhaps a slight alteration to it. Such emails will often request a critical and time-sensitive transaction to be done, putting pressure on the recipient. But sometimes scammers bide time building trust and rapport leading up to any request that they make. The emails may even include telephone numbers or spoof websites staffed by the fraudsters, further adding legitimacy to the dishonest request for funds that they’re making.

JENNIFER: I’ll note that we’re talking about “phishing” with a “p-h.” I think that a lot of listeners, unfortunately, can relate to this concept on a personal basis. I’ve received emails that appear to come from a specific friend asking for money or that I make a purchase. The sender’s address is off by one character or it comes from a different provider than my friend’s real address. I’ve also received fake consumer surveys that looked like they were from merchants I’ve patronized.

JASON: Exactly. At a glance, the sender’s address and message content may look familiar – may look like something that they’re expecting even to receive. Sometimes, the sender’s address is actually legitimate but from a compromised email account. Scammers know that some recipients won’t fall for their tricks, but others won’t scrutinize the address or notice details that are off in the email that would tip them off. People are busy. It takes time for people to really analyze the email and make sure that it’s safe. And it really only takes one person to click on that fraudulent link or attachment admitting malicious software, or malware, into a computer, phone, or even an entire business network.

A business email compromise casts a wide net across an organization to hook a few people and then reel them in and do the damage.

JENNIFER: Jason, you mentioned that scammers target organizations. How does the EPA fit into this picture and why is the EPA OIG sounding an alarm on business email compromise fraud?

JASON: An organization might be a government agency, such as the EPA, or let’s say your local city hall; a company; a nonprofit; or a service provider – really, any entity that has money flowing in and out of it. Fraudsters pay attention to the news and then they do their research. They learn who has been awarded a contract, who’s won a settlement, who is receiving a grant. And then they seek to capitalize on inadvertent mistakes and deficient controls others have over their funds in order to line their own pockets. They seek to exploit mistakes. At EPA OIG, we’ve been observing and mitigating attempts by organized criminal groups nationwide to target recipients of EPA program funds using business email compromise schemes. We expect it only to become more difficult for organizations, individuals, and law enforcement to both detect and to stop as the deployment of artificial intelligence becomes more widespread and criminal organizations truly adopt the technology in earnest. A few years ago, if you think about it, AI was only accessible to governments, universities, and Fortune 500s. Today, almost anyone with a computer can harness AI through services like ChatGPT and, really, for free. EPA OIG is working with our law enforcement partners on countermeasures to mitigate the impact of criminals using AI. And just as the fraudsters are harnessing such computer power for themselves, so are we here at EPA OIG harnessing the power of AI to blunt their impact and to safeguard EPA programs and operations from them.

JENNIFER: On February 7, 2024, the Department of Justice announced arrests in a Maryland statewide operation on federal indictments that allege money laundering conspiracy and fraud schemes involving more than nine-and-a-half million dollars in proceeds. Homeland Security Investigations’ Mid-Atlantic El Dorado Task Force led a multiagency investigation. The EPA OIG was one of the law enforcement agencies involved. Can you talk about that case?

JASON: As the investigation is ongoing, Jennifer, I’m actually limited in what I can say. Basically, the EPA is responsible for overseeing the administration of a trust fund established for the purposes of decontaminating and deconstructing a Superfund site. A bad actor working with an organized criminal gang posed as an employee of a legitimate contractor and sent an email to the EPA requesting direct wire transfer payments for services rendered. In response to that fraudulent request, the EPA unknowingly misdirected two-point-seven million dollars from the trust fund to the bad actor. Upon notification, EPA OIG was able to quickly react to the incident and successfully recover part of that stolen money. At the same time, the U.S. Departments of Homeland Security and Defense, as well as the Internal Revenue Service, detected scams being perpetrated by the same network of fraudsters. We worked collectively to stop the network from causing further harm to others, which recently resulted in 10 arrests.

JENNIFER: Thank you, Jason. You’ve emphasized that the EPA is one victim in this case of 29 identified so far. I read that the list of victims also includes an environmental trust, an urban redevelopment program, a medical center, a transportation and logistics company, a school district, a college, a county government, and several individuals, among others.

JASON: Yes, that’s correct, Jennifer. This fraud network was operating multiple financial schemes, not just the one that we identified at EPA.

In fact, law enforcement agencies, working together, untangled a gigantic spider web, which includes 17 co-conspirators that utilized more than 50 bank accounts in the United States and abroad that laundered tens of millions of dollars in stolen funds. I mean this is the kind of case that law enforcement officers get in the business for. By removing this organized fraud group off the map, we’ve made a positive impact in the communities that we are responsible for. This was a great case by law enforcement and one that we should all be proud of.

JENNIFER: Thanks. Can you describe some of the other business email compromise scenarios the OIG has investigated involving the EPA?

JASON: Sure. I have two recent examples that I can share. The first involves the EPA’s Office of Human Resources that received an email request that appeared to come from an employee asking that that employee’s paycheck be sent via a direct deposit to a new bank account. The HR office complied. But it later turned out that the email request was a scam and not from the identified employee at all. Another instance occurred when the EPA owed a payment to a nonprofit organization. Unbeknownst to both EPA and the nonprofit, fraudsters had hacked into the email account of a director at that nonprofit and then sent an email redirecting the wiring instructions to the fraudster’s bank account. Both of those cases are being handled by EPA OIG and both of them are great examples of classic business email compromise. At the EPA OIG, we’re also hypervigilant to fraud involving contracts and grants. Congress passed the Infrastructure Investment and Jobs Act, appropriating more than 60 billion dollars to the EPA over five years. The EPA is awarding most of these funds as loans, grants, and rebates to state revolving funds and other nonfederal entities for various projects.

Similarly, the Inflation Reduction Act appropriated approximately 41 point five billion dollars to the EPA to support new and existing programs, much of it through contracts and grants. Two enormous pots of money, and all of the relationships therein, are at a potentially high risk for fraud and exploitation by organized networks of fraudsters. At EPA OIG, we’re working hard to mitigate any potential negative impact to our programs and operations.

JENNIFER: We’ve touched on the fact that bad actors use business email compromise tactics to steal money and sensitive information. Jason, can you be more specific about how phishing can accomplish those malicious goals?

JASON: Fraudsters are looking to access cash and credit accounts. They want to gain control of computer systems and local network resources. They’re also seeking access to organizational accounts and to collect data, all of which they may sell to other bad actors.

JENNIFER: Beyond specific applicability to the EPA, the Chemical Safety Board, and their employees, this fraudcast is a public service. What can organizations do to protect themselves from business email compromise scams?

JASON: If they haven’t already, organizations should adopt the following practices: One, create policies for receiving new payment instructions, including a multistep verification process. Two, implement email security systems that can detect phishing attempts, domain spoofing, and other cyber threats, and use two-factor authentication to combat account compromise. Three, train staff – not once, but regularly – on cybersecurity best practices and how to recognize phishing emails. Also require staff to report phishing attempts, even if they seem minor. And, finally, any organization that suspects a business email compromise scheme should notify its IT department and its financial institution.

Potential fraud relating to a program or operation of the EPA or the Chemical Safety Board should be reported directly to the EPA OIG Hotline as soon as possible to provide us the best opportunity to mitigate or stop any harm.

JENNIFER: I’ll provide contact information for the EPA OIG Hotline at the end of this fraudcast. But before we wrap up, what about individual employees? Are there things we should look for in emails that might signal a phishing campaign?

JASON: All employees should be vigilant to certain red flags because the employees are our frontline to defend against these kinds of scams. So, while not everything being listed here is going to be always an indicator of fraud, it bears out that most times they’re helpful at identifying when that email actually comes from a fraudster: So, the first one would be unusual requests or demands, including asking for urgent payment, an urgent password change, or something that really generates a quick response. Take some time, think it through. Maybe take the extra step of contacting the person that’s requesting that change, and make sure that they’re from an organization you trust. Second, look at the text of the email. Oftentimes the scammers are from overseas so their grammar, spelling, syntax is not going to be accurate. Pay attention. Inconsistent text and fonts, graphics in the email – all those are indicators that the email is not from within an organization that you would normally trust. If the attachments have words like “invoice,” “bill,” “notice,” “quote,” “overdue,” or “payment” and yet you’re not in the accounts receivable or accounts payment section, you might want to take a second before you pop them open and make sure that it’s a legitimate request for you to look at. An unfamiliar sender’s address should be an indicator that you need to take some extra vigilance. Mouse over the email address and make sure it’s coming from a sender you trust.

If your system is indicating that the email is SPAM or that there’s a validation email in the encryption of that email, that’s your system warning you not to touch it, and you should probably listen to it. Anything quarantined in your “junk” file – should take extra time in screening before you move it out of the quarantine file. And, again, if any employee is uncertain about the validity of an email, don’t click the links, don’t open the attachments. Instead, contact your employer’s IT department for assistance and let them help you. And at the EPA or CSB, contact the OIG Hotline direct for help.

JENNIFER: Thank you for all of this information, Jason. Our listeners can find the EPA OIG’s fraud alert about business email compromise scams, along with a press release about the multiagency investigation we talked about, on our website at www-DOT-epaoig-DOT-gov. We urge anyone with information about fraud involving an EPA or Chemical Safety Board operation or program to contact the EPA OIG hotline by calling 888-546-8740, emailing OIG-DOT-hotline-AT-epa-DOT-gov, or submitting a complaint form via our website.