A new, sophisticated phishing scam is making the rounds, and it is working so well that even smart, savvy executives are falling prey to it. Even the Federal Bureau of Investigation is alarmed at its success rate and is urging organizations to be vigilant.
The FBI first issued a warning in mid-August 2015 about the email scam, but the situation has escalated so much that the agency issued a second warning in October.
According to FBI agent Scott Augenbaum, “Despite a warning about these email scams, over the past three weeks I have seen an increase in this activity. Over the past three days I have heard of three separate victims in middle Tennessee with losses exceeding half a million dollars. This crisis-level situation merits a second warning.”
What to Watch Out For
Called a Business E-mail Compromise (BEC) attack, this scam is the fastest-growing criminal fraud activity hitting businesses of all sizes. Already more than 7,000 U.S. companies have been targeted by BEC emails, and so far the attacks have cost the corporate world $1.2 billion in losses.
Our own CFO at Clearwater Compliance received an email recently that spoofed an internal demand for a wire transfer so convincingly that it temporarily caused confusion. She was experienced enough to call the “sender” for verification, which confirmed that it was not genuine.
The simplicity of the scam is perhaps its greatest strength. It is not a shady-sounding, anonymous stranger asking for help moving money out of another country, a la the infamous Nigerian scams. It is simply an email that appears to come from the company's CEO, addressed to the CFO, stating that an urgent money transfer is needed and instructing the CFO how to execute it swiftly.
The attack uses either a compromised executive mailbox or a bogus account built to look like one. Any distinguishing features of the company's genuine email are mimicked, including the sender address, which is often altered by an easily overlooked change of a single letter (a character substituted, dropped or added in the domain, or a letter pair such as "rn" standing in for "m").
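One mechanical check that catches the single-letter lookalike trick described above, as an added example (this is not code from the original post or from Clearwater Compliance): given a list of the company's own domains and the names of its executives, flag any sender whose domain is one edit away from a trusted domain, whose domain becomes a trusted domain once common homoglyph pairs are normalized, or whose display name matches an executive while the address is external. The trusted domain `example.com`, the executive name `Jane Doe` and the sample From headers are constructed for illustration and are assumptions, not data from the post.

```python
"""Flag From headers that impersonate a trusted domain or a named executive."""
import re
from email.utils import parseaddr

# Constructed inputs (assumption, not from the post): the company's own domain(s)
# and the executives whose names a BEC email would borrow, with their real addresses.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Character pairs that read like a single letter at a glance and show up in
# lookalike domains. Applied only to decide whether a domain *collapses onto*
# a trusted one; a legitimate unrelated domain is never flagged by this alone.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def edit_distance_one(a, b):
    """True if a turns into b with exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a                      # make a the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:   # common prefix
        i += 1
    return a[i:] == b[i + 1:]            # rest must match after skipping one char of b


def normalize_homoglyphs(domain):
    """Rewrite lookalike character pairs to the letter they imitate."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def classify_sender(from_header):
    """Return a list of impersonation findings for one From header ([] if none)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    if domain in TRUSTED_DOMAINS:
        # Internal sender. A compromised mailbox passes this check, which is why
        # the FBI's advice to phone the executive still applies.
        return findings

    for trusted in TRUSTED_DOMAINS:
        if edit_distance_one(domain, trusted):
            findings.append(f"lookalike domain {domain!r} is one edit from {trusted!r}")
        elif normalize_homoglyphs(domain) == trusted:
            findings.append(f"lookalike domain {domain!r} uses homoglyphs for {trusted!r}")

    name = re.sub(r"\s+", " ", display).strip().lower()
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append(f"display name {display!r} matches an executive but address is {addr!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers (assumption): one genuine, four to be judged.
    samples = [
        "Jane Doe <jane.doe@example.com>",     # genuine internal address
        "Jane Doe <jane.doe@examp1e.com>",     # 'l' replaced by '1'
        "Jane Doe <jane.doe@exarnple.com>",    # 'm' replaced by 'rn'
        "Jane Doe <janedoe1975@gmail.com>",    # executive's name on a webmail account
        "Vendor Billing <ap@supplier.net>",    # unrelated external sender
    ]
    for header in samples:
        print(header, "->", classify_sender(header) or "no findings")
```

The check is deliberately narrow: it looks only at the From header, so it will pass a message sent from a genuinely compromised executive mailbox, and it can only flag names and domains it has been told about. Treat a hit as a reason to pick up the phone, not as the verification itself.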
According to the FBI, the attackers employ multiple methods, but a common theme is waiting until the CEO or CFO is away on official travel before sending the wire transfer request. An executive who is traveling would plausibly handle business by email, and the recipient cannot simply walk down the hall to confirm the request. The emails typically state that the transfer is urgent or concerns a confidential matter, which discourages the recipient from asking questions.
How to Avoid a BEC Scam
First, and foremost, stated Augenbaum, “If anyone in your organization, such as your CFO, receives an email from your CEO or any executive asking them to wire transfer money for any reason, make sure they make a telephone call first to double check the accuracy.”
Sometimes even the smartest people can be caught off guard by clever and persistent cybercriminals. The best defense with the BEC scam is arming yourself with knowledge.
Read more about the BEC scam, common versions of the emails, suggestions for protecting your company from becoming a victim, and guidelines for filing an IC3 complaint on the FBI’s Internet Crime Complaint Center (IC3) website.
Mary Chaput, "Cybersecurity Alert: FBI Warns of Sophisticated New Phishing Attacks Targeting C-Suites", November 18, 2015