U.S. businesses are losing millions in fraudulent wire transfers that have their root in email compromises of accounts belonging to top executives.
An FBI advisory issued Thursday warns businesses that regularly conduct wire transfer payments to be vigilant about potential email account compromises related to social engineering or hacking.
The FBI said it has received complaints from victims in all 50 U.S. states and 79 countries in all, with fraudulent transfers sent primarily to Hong Kong and China. Most of the victims, the FBI said, are businesses that work with foreign suppliers and move money over wire transfers. Since January, the FBI said there has been a 270 percent increase in the number of victims. “Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment,” the advisory said. “The fraudsters will use the method most commonly associated with their victim’s normal business practices.”
While phishing remains the primary means of infiltrating organizations, the fraudsters behind these so-called Business Email Compromises (BEC) are also using hacking to attack organizations. And they’re doing it with some success, though the FBI’s numbers are a bit fuzzy. Since October 2013, the FBI said, there have been 7,066 U.S. victims accounting for losses of $748 million; that number, however, includes actual and attempted losses. Worldwide, there are almost 8,200 victims and close to $800 million in actual and attempted losses. Similar numbers provided by international law enforcement push that total to $1.2 billion.
Businesses now have a new tactic to contend with, the FBI said. The scammers also pose as lawyers or law firm representatives over email or phone and pretend to have a pressing confidential matter to discuss. “Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds,” the FBI advisory said. “This type of BEC scam may occur at the end of the business day or work week or be timed to coincide with the close of business of international financial institutions.”
The FBI advises organizations to write rules that flag emails from addresses that resemble the company’s email convention, and to register domains that could potentially be used for typosquatting and similar scams. Companies should also be vigilant about changes in vendor payment locations and consider adding a secondary individual in an organization who must sign off on transfers.
The FBI warned that individuals associated with financial services organizations, real estate and law firms are also being targeted in these scams, but with a slightly different twist. The scammers, once they learn an individual’s business email address, spoof an account with an email address similar to the real one, and use that address to initiate fraudulent wire transfers.
“In some cases, the funds from unauthorized wire transfers are directed to money mules located in the United States. In other instances, wire transfers are directed to accounts of financial institutions outside of the United States,” the FBI said. “Victim reporting indicates criminal actors are starting to follow up on wire transfer requests by calling to confirm the transactions or to comply with wire transfer protocols, thus making the transaction appear more legitimate.” The FBI said it received 21 complaints between April and July and $700,000 was lost.