The FBI has issued a warning to businesses about fast-growing email scams in which fraudsters posing as company executives order staff to transfer money to accounts controlled by criminals.
There has been a “dramatic rise” in such “business email compromise” scams, resulting in more than $2.3 billion in losses to businesses in every U.S. state and in at least 79 countries from October 2013 through February of this year, according to the FBI.
“The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor,” the FBI said in an alert posted earlier this week on the website of its Phoenix office. “They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”
The range of victims is broad, from large corporations and tech companies to small businesses and even nonprofits. In many cases, fraudsters target businesses that work with foreign suppliers or regularly perform wire transfer payments. Since January 2015, the number of identified victims and exposed loss have risen nearly threefold, according to the FBI.
Those figures should continue to escalate as the big profits from scams attract more criminals, according to Reuters.
“It’s a low-risk, high-reward crime. It’s going to continue to get worse before it gets better,” said Tom Brown, a former federal prosecutor who now runs the cyber investigations unit of Berkeley Research Group.
The FBI recommended that business scam victims immediately contact their financial institution and request that it contact the financial institution to which the fraudulent transfer was sent. Businesses should also immediately file a complaint — regardless of dollar loss — with the FBI’s Internet Crime Complaint Center (IC3).
The agency also advised businesses to be wary of email-only wire transfer requests and requests involving urgency, and to verify legitimate business partners. Businesses should also be cautious about mimicked email addresses and use multi-level authentication.