IT Blogs & News - Written by IT Professionals - iuvo Technologies

Business E-mail Compromise: Stay Suspicious of Emails from Upper Management!

Written by Bryon Beilman | Jun 20, 2016 11:03:16 PM

Last week, the FBI released a report detailing the growth of “Business Email Compromise” scams. Since January 2015, there has been an increase of 1300% in identified losses. The scam has been reported by victims in all 50 states and in 100 countries. Total losses from October 2013 to May 2016 are over 3 billion dollars!

Don’t expect to see an end to these scams anytime soon because they clearly work! Also, I bet that the dollar number is actually higher. Successful transactions at growing companies probably go undetected for months.

    Domestic and international victims: 22,143
    Combined exposed dollar loss: $3,086,250,090

With those kinds of numbers, some people assume that scammers are mostly targeting large companies. While large companies are certainly targeted, the scam is by no means limited to them. We’ve seen companies of all sizes in a multitude of industries receive fairly convincing requests. As with any phishing operation, the wider the net, the better the catch.

Let’s review the typical process of this scam.

1. Criminal looks up employee profiles on LinkedIn and other social networks to obtain job duties/descriptions. CEOs, CFOs and Accountants are the most common targets.

2. Criminal uses public conference data and company PR to ascertain when the CEO will be traveling or at a popular trade show.

3. Criminal then spoofs the CEO’s email address (work or home) and emails the CFO or Accounting department asking for an urgent wire transfer. In the cases I’ve witnessed firsthand, the scammer usually asks for under $9K. This falls below the threshold at which most banks would place a 24-hour hold, and the transfer will not be reported to the IRS.

4. Fearing the wrath of a stressed out CEO with an urgent request, the targeted employee then follows through with the wire transfer.

5. Criminal enjoys an elegant 5 course dinner and pockets the remaining $8752.63.

The FBI report has a great list of protections and best practices, so I’m not going to repeat them all here, but you can start with:

1. Tell your bank to not allow any international transfers without verifying the legitimacy of requests through secure channels.

2. Set up tagging of email from outside your company’s domain with an [External] prefix and verify SPF records before you get burned.

3. Never hesitate to call the CEO and ask him/her about the wire transfer email he/she sent while on vacation!
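To make the second and third points concrete, here is an added example (not code from the original post or from iuvo) of the check a mail gateway or mailbox rule could apply: it tags anything from outside the company domain with [External], flags a display name that matches an executive but arrives from an external address, and refuses to trust a message without an SPF pass recorded by our own gateway. The company domain, executive list, and sample message are constructed for the example.

```python
# Added example: flag inbound mail that looks like a spoofed executive request.
# COMPANY_DOMAIN, EXECUTIVES and SAMPLE are constructed assumptions, not real data.
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"    # assumption: the domain we protect
EXECUTIVES = {"alice ceo"}        # assumption: lower-cased display names to watch


def assess_message(raw: str) -> dict:
    """Return the (possibly re-tagged) subject plus the reasons the mail is suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Anything not sent from our own domain gets the [External] prefix.
    external = from_domain != COMPANY_DOMAIN
    if external:
        reasons.append(f"sender domain {from_domain!r} is outside {COMPANY_DOMAIN!r}")
    # 2. An executive's name on an external address is the classic CEO spoof.
    if external and display_name.strip().lower() in EXECUTIVES:
        reasons.append(f"display name {display_name!r} matches an executive")
    # 3. Only trust the SPF verdict our own gateway stamped into Authentication-Results.
    auth = str(msg.get("Authentication-Results", ""))
    if "spf=pass" not in auth.lower():
        reasons.append("no SPF pass recorded by the receiving gateway")
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith("[External]"):
        subject = "[External] " + subject
    return {"subject": subject, "external": external, "reasons": reasons}


# Constructed sample: lookalike domain, spoofed executive display name, SPF failure.
SAMPLE = """\
From: Alice CEO <alice@examp1e.com>
To: cfo@example.com
Subject: Urgent wire transfer needed before my flight
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com

Please wire $8,900 to the vendor today, I'm boarding now.
"""

if __name__ == "__main__":
    result = assess_message(SAMPLE)
    print(result["subject"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Run against the sample, the subject is rewritten to "[External] Urgent wire transfer needed before my flight" and all three reasons fire; a message from an internal address with spf=pass produces no reasons.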

Stay safe out there!