THE TARGET OF BEC (BUSINESS E-MAIL COMPROMISE) OPERATIONS: LEGAL ENTITIES!

Business E-mail Compromise (BEC), a type of crime also known as corporate e-mail fraud, is increasing significantly all around the world. The crime targets companies that make bank transfers and have foreign suppliers. Losses arising from this crime, which is committed by imitating companies' e-mail accounts, can run to millions of dollars. Recovering such losses is mostly impossible unless there is intervention at an early stage.

What is BEC?

BEC is a type of fraud committed by infiltrating e-mail conversations between two companies that have a commercial relationship. The perpetrators first infiltrate a company's commercial e-mail accounts and gain access to its correspondence in order to identify customers that do frequent business with the company. If they find information about a customer's upcoming commercial activity that requires a money transfer, they move on to the second stage. At this stage, they open a new fake e-mail address similar to the original e-mail address of the company which will receive the money.
The fake e-mail accounts are created to give the impression that they belong to the receiving company's personnel who were previously involved in the correspondence. Most of the time only a single character differs from the original account name. For example, if the company executive's e-mail account is "name.surname@abcdeholding.com", the fake e-mail account would be "name.surname@abcdfholding.com". The perpetrators then introduce themselves as executives of the company via these fake e-mail accounts and give their own IBAN to the other company as the company's new IBAN, with the request that payments be made to the new IBAN. These IBANs generally belong to bank accounts located in countries where cash flow is relatively difficult to control. The company makes the payment to the new IBAN, assuming that the e-mail was sent by the authorized executive of the company, and the money is thereby transferred to the perpetrators' bank accounts. The money is then transferred periodically and frequently between bank accounts. Finally, the perpetrators withdraw the sum from the last account, which was likely opened with a fake identity.
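The two signals in this scheme, a sender domain one character away from a known supplier and an IBAN that differs from the one on file, can be checked before a payment is released. The following Python sketch is an added example, not part of the original article; the supplier table, the IBAN values, the function names and the distance threshold are assumptions constructed for illustration.

```python
import re

# Constructed supplier master data: trusted mail domain -> IBAN on file.
# The IBAN is a made-up placeholder, not a real account.
SUPPLIERS = {"abcdeholding.com": "TR00" + "0" * 21 + "1"}

# Compact (no spaces) IBAN shape: country code, two check digits, account part.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_payment_mail(sender, body, suppliers=SUPPLIERS, max_distance=2):
    """Return findings that should hold a payment for call-back verification."""
    domain = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    findings = []
    if domain in suppliers:
        supplier = domain
    else:
        # Closest trusted domain; near but not equal means a lookalike.
        supplier = min(suppliers, key=lambda d: edit_distance(domain, d))
        if edit_distance(domain, supplier) > max_distance:
            return findings  # unrelated sender, nothing to compare against
        findings.append("lookalike-domain:" + supplier)
    on_file = suppliers[supplier]
    for iban in sorted(set(IBAN_RE.findall(body.upper()))):
        if iban != on_file:
            findings.append("iban-change")
            if iban[:2] != on_file[:2]:
                findings.append("iban-country-change")
    return findings
```

An IBAN change is reported even when the sender domain is the genuine one, since the scheme begins with access to real e-mail accounts; any finding is a reason to confirm the bank details through a contact channel already on record rather than by replying to the message.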

Implementations of Turkish Criminal Legislation on BEC

As explained above, BEC constitutes the crime named "fraud committed by using data processing systems as a tool" in Article 158/1-f of the Turkish Criminal Law (Law). Fraud is defined in the Law as "deceiving any person through fraud or secures benefit both for himself and others by giving injury to the victim". Fraud committed by using data processing systems as a tool, however, is considered a qualified form of the crime. The sanction for this crime is imprisonment for not less than four years and a judicial fine of not less than double the benefit obtained from the crime. In addition, if the crime is committed by three or more persons, the penalty shall be increased by half; and when the offense is committed within the scope of the activities of an organization which was established to commit a crime, the penalty shall be increased by one fold.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.