FBI Issues Wire Transfer Scam AlertMillions Lost in 'Business E-Mail Compromise' Scheme
See Also: The State of Ransomware Readiness Report
Some victims have reported ransomware cyber-intrusions immediately before a scam starts, the FBI's Internet Crime Complaint Center says in its alert.
The fraudulent wire transfer payments are often sent to foreign banks and may be transferred several times, the FBI says. Banks located in China and Hong Kong are the most commonly reported ending destinations for the fraudulent transfers.
Between October 2013 and December 2014, the FBI's Internet Crime Complaint Center has received complaints from 1,198 U.S. victims and 928 non-U.S. victims of the scam. Total losses for U.S. businesses are $179 million; for businesses outside the U.S., the losses so far have totaled $35 million.
While the scam's tactics aren't new, they have nevertheless proven successful in enabling criminals to steal money, says John Buzzard, manager for products and fraud operations at FICO Card Alert Service. "E-mail compromises work because many business environments today rely so heavily on instant messenger and e-mail communication," he says. "People fall into an 'auto-pilot' mode that desensitizes their perceptions."
Certain variations of this scam have been going on for years, says John LaCour, CEO of online security firm PhishLabs. Those include social engineering attacks on wealth advisers and brokers in which the client is spoofed and the adviser/broker is tricked into sending funds belong to the client.
The victims of the latest scam include businesses of all sizes that purchase or supply a variety of goods, such as textiles, furniture, food and pharmaceuticals, the FBI says. Fraudsters will typically monitor and study their selected victims before initiating the scam.
In one version of the scam, a business that has a longstanding relationship with a supplier is asked to wire funds for invoice payment to an alternate, fraudulent account, the FBI says. The request is often made by telephone or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears similar to a legitimate supplier's account and would take close scrutiny to determine it was fraudulent, according to the FBI.
Another version involves the compromise of e-mail accounts of high-level business executives, such as CFOs or CTOs. The account may be spoofed or hacked, and a request is then made for a wire transfer from the compromised account to a second employee within the company responsible for processing such requests, the FBI says. In some cases, a wire transfer from the compromised account is sent directly to a financial institution with instructions to urgently send funds to another bank.
A third version of the scam starts with an employee's e-mail account getting hacked. Once compromised, the fraudster will send requests to various vendors identified from the employee's contact list for invoice payments to fraudster-controlled bank accounts.
Business E-mail Compromise scams, according to the FBI:
- Frequently target businesses and personnel using open source e-mail;
- Often hone in on individuals responsible for handling wire transfers within a business;
- Use spoofed e-mails to very closely mimicking a legitimate e-mail request;
- Use fraudulent e-mail requests for a wire transfer that are well-worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
The best way for organizations to repel these types of attacks is to launch anti-virus programs and deliver education to the workforce about security best practices, FICO's Buzzard says. "Human error plays a significant role on whether these scams proliferate or not," he says.
Businesses also need to carefully monitor financial transactions, PhishLabs' LaCour says. "Balances should be checked daily, wire transfers must require two parties to be authorized and e-mail messages from executives requesting fund transfers should always be followed up with a telephone call."
Another important step to prevent these fraud schemes is using biometric authentication to verify the identity of users requesting money transfers, says Avivah Litan, a fraud analyst at Gartner, who has advised clients on the scam. "It's not perfect, but you can get 97 percent plus accuracy rates," she says.
Organizations can also communicate fund transfer requests using online portals that utilize strong fraud controls, rather than relying on e-mail, chat applications and phone calls, Litan adds.
Executive Editor Tracy Kitten contributed to this report.