The scam business of tricking employees into opening company coffers with spoofed e-mails that appear to come from their CEO is on the rise.
The FBI says that the so-called business e-mail compromise scam has caused $2.3 billion in losses to 17,642 business and non-profit organizations in the U.S. and other countries since October 2013, with the number of victims nearly tripling since January 2015.
This week the Federal Trade Commission blog wrote that the CEO schemers first study their intended victims closely.
“Social media websites, a company’s own website, and news reports can give employees’ names, job titles, email addresses, and telephone numbers, as well as information about the company’s business dealings. Fraudsters also pose as third parties – perhaps the company’s bank, a vendor, or someone legitimately seeking information – in phishing emails and pretexting calls designed to trick employees into disclosing confidential information.”
“The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc). Some victims reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request,” the FBI says.
With a company’s information, scammers can spoof, or fake, an email to an employee who they know can transfer money or pay invoices for the company, making the email look like it’s coming from an executive officer, regular vendor or other trusted source. In some cases, hackers break into a company’s email system and send urgent requests for money transfers. Once the money is wired, it can be nearly impossible to recover, the FTC wrote.
The FBI wrote that victims of these “business e-mail compromise” scams range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.
The agency also wrote that law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries; that from October 2013 through February 2016, law enforcement received reports from 17,642 victims, amounting to more than $2.3 billion in losses; and that since January 2015, the FBI has seen a 270% increase in identified victims and exposed loss.
The FTC recommends these tips to fight CEO imposter scams:
- Establish a multi-person approval process for transactions above a certain amount.
- Set up a system that requires a valid purchase order and approvals from a manager and a finance officer to spend money.
- Verify by phone any changes in vendor payment information and fund transfer requests.
- Remember – email never is a secure way to send financial information. Don’t transmit account information by email and question any emailed payment requests that include account information.
- Slow down. Take time to verify any request, even an urgent one. And be suspicious of any request for secrecy.
This article was written by Michael Cooney from NetworkWorld and was legally licensed through the NewsCred publisher network.