Business Email Compromise (BEC) scams are impersonation emails sent to selected recipients – typically a CFO or an executive assistant – that appear to come from the CEO and request an immediate wire transfer, with the receiving account details attached. According to the FBI, thieves stole nearly $740 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
Vistaprint, a web services company, has unwittingly become a conduit for a growing number of email scams by promoting a free one-month trial of its Website Builder product. This is a great deal for the Vistaprint user: they can choose a domain and a website design and use both free for a month before committing to a longer-term service contract. Unfortunately that same free trial is fuelling a rise in BEC scams across a breadth of industries.
Fraudsters are exploiting Vistaprint’s promotion by registering domain names that are confusingly similar to legitimate brands, then using them to send personalized imitation emails to financial executives requesting a wire transfer (or applying a similar social engineering tactic). When the one-month trial ends, Vistaprint often finds that the credit card given at registration was stolen or invalid. By then the fraud has already been perpetrated and the fraudster has moved on to the next scam.
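The lookalike registrations described above are detectable on the receiving side before anyone approves a wire. The following is an added example written for this page, not code from MarkMonitor or Vistaprint: it normalizes homoglyphs and separators, then flags sender domains that match a protected brand label with a swapped TLD, embed the brand in a longer label, or sit within a small edit distance of it. The brand domain examplecorp.com, the From: headers and the homoglyph table are all constructed assumptions for the demo.

```python
"""Flag sender domains that are confusingly similar to a protected brand domain.

Added example (not MarkMonitor or Vistaprint code). The brand domain
examplecorp.com and every message header below are constructed for the demo.
"""
import re

# Visually confusable sequences mapped to the character they imitate.
# Multi-character entries are applied before single-character ones.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
}


def split_domain(domain):
    """Return (second-level label, TLD). Assumes a simple label.tld layout;
    multi-part public suffixes such as co.uk are not handled here."""
    parts = domain.lower().strip().split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def normalize(label):
    """Fold homoglyphs and separators so 'Examp1e-Corp' compares as 'examplecorp'."""
    label = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", label)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete and substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, brand_domains, max_distance=2):
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unrelated'."""
    s_label, s_tld = split_domain(sender_domain)
    s_norm = normalize(s_label)
    for brand in brand_domains:
        b_label, b_tld = split_domain(brand)
        b_norm = normalize(b_label)
        if s_label == b_label and s_tld == b_tld:
            return "legitimate", "exact match for " + brand
        if s_norm == b_norm:
            if s_tld != b_tld:
                return "lookalike", "brand label with different TLD ." + s_tld
            return "lookalike", "homoglyph or separator variant of " + brand
        if b_norm in s_norm:
            return "lookalike", "brand embedded in label " + s_label
        distance = levenshtein(s_norm, b_norm)
        if distance <= max_distance:
            return "lookalike", "edit distance %d from %s" % (distance, brand)
    return "unrelated", "no similarity to protected brands"


# Constructed sample headers; none of these are real messages.
SAMPLE_MESSAGES = [
    {"from": "CEO <ceo@examplecorp.com>", "subject": "Q3 numbers"},
    {"from": "CEO <ceo@examp1ecorp.com>", "subject": "Urgent wire transfer"},
    {"from": "CEO <ceo@examplecorp.net>", "subject": "Urgent wire transfer"},
    {"from": "AR <ar@examplecorp-finance.com>", "subject": "Updated bank details"},
    {"from": "CEO <ceo@exampelcorp.com>", "subject": "Are you at your desk?"},
    {"from": "Vendor <billing@somevendor.com>", "subject": "Invoice 1043"},
]


def scan_messages(messages, brand_domains):
    """Extract the sender domain from each From: header and classify it."""
    results = []
    for msg in messages:
        m = re.search(r"<[^@>]+@([^>]+)>", msg["from"])
        domain = m.group(1) if m else msg["from"].rsplit("@", 1)[-1]
        verdict, reason = classify(domain, brand_domains)
        results.append((domain, verdict, reason))
    return results


if __name__ == "__main__":
    for domain, verdict, reason in scan_messages(SAMPLE_MESSAGES, ["examplecorp.com"]):
        print("%-26s %-11s %s" % (domain, verdict, reason))
```

The homoglyph folding is deliberately aggressive (it turns "cl" into "d", for example), which is acceptable because it is applied to both sides of the comparison, but the embedded-brand and edit-distance checks will produce false positives for very short brand labels; tune max_distance by label length, or require that a flagged domain be newly registered, before using this as a hard mail-flow block rather than an alert for the finance team.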
MarkMonitor has established a quick enforcement process for these fraudulent domain registrations and is working closely with Vistaprint to get them mitigated swiftly. Vistaprint is the registrant, and it can delete a registration within the first five days to avoid being charged for the domain name by the registrar, Tucows. If the fraud is detected after those five days, MarkMonitor can request that Tucows suspend the domain registration. The brand owner, if they wish, can then submit a snap order to defensively register the domain when it is released into general availability again.
Despite the threat of fraud, the promotion seems to be working for Vistaprint. What may help curb this problem is for service providers such as Vistaprint to charge the customer’s credit card a small, token amount – such as $1 – at the time of registration, simply to confirm that the card is valid and the account legitimate. While it won’t prevent every fraudulent registration or every BEC scam run through the service, it would make the free trial considerably harder for fraudsters to exploit than it is today.