This email scam targeting businesses is a billion-dollar problem, FBI warns

The FBI is warning businesses to be on the lookout for emails sent by scammers to trick them into transferring money to fraudulent accounts.

Email scams have been around for decades, but old-school Advance Fee Fraud scams these are not.

The FBI calls this family of scams “Business Email Compromise” (BEC) scams, because they use phony emails that appear to come from a colleague or from a trusted supplier.

Since October 2013, BEC scams have cost businesses around the world over $1.2 billion, the FBI said last week.

Although the BEC scam has victimized businesses in 80 countries, those in the United States have suffered the most.

7,000 US businesses have reported $747 million in losses, with an average loss of $130,000, the FBI said.

The scammers, who appear to be members of organized crime groups operating out of Africa, Eastern Europe and the Middle East, are targeting businesses that work with overseas suppliers or regularly make wire transfer payments.

But instead of reaching legitimate suppliers, the wired funds end up in bank accounts controlled by the fraudsters, mostly at banks based in China.

The scammers succeed by compromising legitimate email accounts through social engineering or malware that steals account credentials.

The fraudsters then use that access to gather intelligence, such as billing and invoice details, so that their payment requests won’t raise the suspicion of the employees who send wire transfers.

FBI Special Agent Maxwell Marker said the scammers have become adept at imitating invoices and accounts, giving them a sophistication beyond any similar scam previously seen by the FBI.

According to Marker:

They know how to perpetuate the scam without raising suspicions. They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.

In one example of the scam, an accountant from a US business reported receiving what appeared to be an email from the company CEO requesting a wire transfer by the end of the day for an important acquisition.

The email said a lawyer would be sending a letter of authorization, but the authorization letter turned out to have a forged signature from the CEO and an “official seal” that was copied from the company’s public website.

The email from the “CEO” actually came from a phony email account that was off by one letter – it used a .co domain instead of the company’s real .com domain.
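The one-letter domain trick described above is something mail-handling code can catch before a human has to. The following is an added example, not code from the article or from Sophos: it flags sender domains that sit within one edit of a business's own domain or a trusted supplier's domain; the allowlist and the message headers are constructed for illustration.

```python
# Added example (not from the article): flag sender domains that are near-misses
# of domains a business legitimately deals with. All sample data is constructed.
# Constructed allowlist for a hypothetical business and one of its suppliers.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.net"}

# Constructed message headers mirroring the article's CEO-fraud example.
SAMPLE_MESSAGES = [
    ("CEO <ceo@example.co>", "Urgent wire transfer for acquisition"),
    ("CEO <ceo@example.com>", "Board meeting agenda"),
    ("billing@acme-supp1ier.net", "Updated bank details for invoice 4471"),
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(address: str, trusted=TRUSTED_DOMAINS, max_edits: int = 1):
    """Return the trusted domain the sender's domain imitates (within max_edits
    edits, e.g. example.co for example.com), or None if exact or unrelated."""
    # Accept 'Name <user@host>' or bare 'user@host'; compare case-insensitively.
    domain = address.rstrip(">").rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return None
    for good in trusted:
        if edit_distance(domain, good) <= max_edits:
            return good
    return None


def triage(messages):
    """Return (subject, imitated_domain) for messages from lookalike senders."""
    hits = []
    for sender, subject in messages:
        imitated = lookalike_of(sender)
        if imitated:
            hits.append((subject, imitated))
    return hits


if __name__ == "__main__":
    for subject, imitated in triage(SAMPLE_MESSAGES):
        print(f"REVIEW: {subject!r} (sender mimics {imitated})")
```

A flagged message is a candidate for the "central reporting" channel recommended later in the article, not an automatic verdict: legitimate mail from a newly registered supplier domain will also land in the review queue.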

According to the public service announcement released by the FBI’s Internet Crime Complaint Center (IC3), BEC email scams are proliferating rapidly – up 270% since the beginning of 2015.

What to do?

When the FBI previously issued a warning about BEC scams, we offered some security tips for avoiding this kind of email threat.

I asked Naked Security writer and Sophos expert Paul Ducklin to offer a few more tips – here’s what he recommends:

  • Revisit your outbound email filtering rules to prevent sensitive information from going out to inappropriate destinations.
  • Require multiple approvals for overseas wire transfers.
  • Have strict controls over changes in payment details or the creation of new accounts.
  • Use strong passwords and consider two-factor authentication (2FA) to make it harder for crooks to gather intelligence from your network in the first place.
  • Consider a “back to base” VPN for remote users so their online security is kept up, even on the road.
  • Have your own “central reporting” system, in the manner of IC3, where staff can call in suspicious messages to prevent crooks trying different employees with the same scam until a weak spot is found.
  • Think twice about publicly posting personnel information that could be abused in phishing attacks.
