Businesses have lost millions of dollars through a scam targeting firms that work with foreign suppliers or who regularly perform wire transfer payments.
Losses of $800 million (£521 million) were reported to the Federal Bureau of Investigation (FBI) between October 2013 and August this year, both in and outside the US. Similar incidents identified by international law enforcement agencies during the period bring the total exposed losses to more than $1.2 billion (£800 million).
The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorised transfers of funds, the FBI said in a public service announcement. The fraudsters will use the method most commonly associated with their victim’s normal business practices.
The FBI said that business email compromise (BEC) fraud has seen a 270 per cent increase since January. Businesses of all sizes have been targeted in all 50 US states and in 79 countries, the FBI said. The fraudulent wire transfers have been reported going to 72 countries, mostly to Asian banks in China and Hong Kong.
The fraud can start with a phishing scam where the victim receives an e-mail from a seemingly legitimate source that contains a malicious link.
Clicking on the link downloads malware, allowing the fraudsters access to data, including passwords or financial account information.
Fraudsters also contact companies by e-mail or phone pretending to be lawyers or representatives of law firms claiming to be handling confidential or time-sensitive matters.
The FBI said that victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds, and that the scam may occur at the end of the business day or work week or be timed to coincide with the close of business of international financial institutions.
Raised awareness has helped some businesses detect the scam before transfers are made, and some financial institutions are holding customer requests for longer to verify them.
Businesses are also employing a range of new measures for added protection. They include:
• Creating a system that flags e-mails with extensions that are similar to the company's own e-mail extension.
• Registering all domains that differ slightly from the actual company domain.
• Having a secondary sign-off by company personnel.
• Using previously known numbers for verification, not the numbers provided in the e-mail request.
• Knowing the payment habits of customers.
• Scrutinising all e-mail requests for transfer of funds.
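The first measure in the list, flagging e-mail from domains that resemble the company's own, could be implemented along these lines. This is an added example, not code from the FBI announcement; the domain abc-company.example, the sample From headers and the character-substitution table are constructed for illustration.

```python
import unicodedata
from email.utils import parseaddr

COMPANY_DOMAIN = "abc-company.example"  # assumed company domain (placeholder)
# Characters commonly swapped for a look-alike; illustrative, not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Collapse visually confusable spellings to one canonical form."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header):
    """Domain part of the address in a From header, lower-cased."""
    address = parseaddr(from_header)[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def lookalike_reason(from_header, company=COMPANY_DOMAIN, max_dist=2):
    """Return why the sender domain should be flagged, or None."""
    domain = sender_domain(from_header)
    if not domain or domain == company:
        return None  # genuine company mail, or no parsable address
    if skeleton(domain) == skeleton(company):
        return "confusable characters"
    if edit_distance(domain, company) <= max_dist:
        return "near-miss spelling"
    return None

# Constructed From headers for illustration.
SAMPLES = ["Accounts <ap@abc-company.example>", "CEO <ceo@abc-c0mpany.example>",
           "CEO <ceo@abc-cornpany.example>", "CFO <cfo@abc-comapny.example>",
           "Billing <billing@supplier.example>"]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r}: {lookalike_reason(header) or 'ok'}")
```

The distance threshold needs tuning for short domains, where two edits can reach unrelated names, and flagged messages still need the human checks listed here.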
The FBI advised any victims to contact their financial institution immediately after discovering the fraudulent transfer and contact the FBI if the wire was recent.