Email from the boss? Better check it is really from the CEO and not a lowly fraudster, warns the FBI
Businesses have been warned to be wary of emails purporting to be from company executives following the discovery of a wire transfer scam that is reaping billions of dollars for fraudsters.
The FBI made the warning about the so-called “business email compromise” (B.E.C.) swindle in an alert on the website of the agency’s Phoenix bureau. It estimated that over the past three years these scams have cost businesses more than $2.3 billion (£1.6bn) in losses.
“FBI officials are warning potential victims of a dramatic rise in the business email compromise scam or “B.E.C.,” a scheme that targets businesses and has resulted in massive financial losses in Phoenix and other cities,” the FBI said.
“The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor,” it added.
The fraudsters apparently actively research staff who deal with the money side of the business, and use language specific to the company they are targeting. “Typically, the fraudsters request a wire fraud transfer using dollar amounts that lend legitimacy,” said the FBI.
Victims have included “large corporations to tech companies”, as well as “small businesses to non-profit organisations.” It said that often the fraudsters will target businesses that deal with foreign suppliers or regularly perform wire transfer payments.
And it is not just American firms being targeted.
The FBI says the scam is present in every US state, as well as “at least” 79 countries around the world. It said that from October 2013 through February 2016, law enforcement received reports from 17,642 victims, which is a staggering number of businesses.
“This amounted to more than $2.3 billion in losses,” said the FBI. “Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.” It said that in Arizona the average loss per scam is between $25,000 and $75,000.
It recommends that any business that thinks it has been a victim of this scam should immediately contact its relevant financial institution and ask it to contact the financial institution where the fraudulent transfer was sent.
Victims should also file a complaint (regardless of the financial costs) with the IC3 (the US Internet Crime Complaint Centre).
Its advice for businesses is to be wary of email-only wire transfer requests and requests involving urgency. Staff are urged to pick up the phone and verify legitimate business partners, and also to be cautious of mimicked email addresses.
The FBI also recommended that businesses implement multi-level authentication to prevent a fraudster impersonating a company executive.
This is not the first time that the FBI has warned about these BEC scams.
In January 2015, for example, the FBI said that in the last 14 months alone, cyber thieves had stolen nearly $215m (£152m) from businesses using the BEC scam.