The FBI is warning businesses that work with foreign suppliers to be on the lookout for email scams that attempt to trick business owners into making fraudulent wire transfers.
Over a three-month period from October to December, a total of $179.7 million was bilked from nearly 1,200 victims using a tactic the FBI calls Business E-mail Compromise. Businesses that routinely make wire transfer payments are at the greatest risk of being targeted, according to a public service announcement issued last week by the FBI's Internet Crime Complaint Center.
"The FBI assesses with high confidence the number of victims, and the total dollar loss will continue to increase," the announcement said.
Once a business owner or other employee is tricked into making a wire transfer to a foreign bank, the criminals move the funds into a global money-laundering network. "Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers," according to the announcement.
In addition to victims in the U.S., the FBI said it has documented nearly 1,000 non-U.S. victims in 45 countries associated with the scam.
The FBI said it has seen a wide variety of versions of the scam, including requests made by telephone. Typically the business has a long-standing relationship with a supplier, and an employee with privileged access to account information receives an email or phone call asking them to wire an invoice payment to an alternate, fraudulent account, the FBI said. The email is accompanied by a bogus invoice that spoofs a legitimate one used by the foreign supplier.
Some phishing attacks target high-level business executives, compromising their email accounts to send a bogus message to an employee within the company responsible for processing requests. Attackers also have used hijacked email accounts from other employees to send bogus email messages requesting the fraudulent wire transfer, the FBI said.
"Fraudulent email requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicions as to the legitimacy of the request," the FBI said.
Victim organizations vary in size from small businesses with a few employees all the way up to large enterprises. The criminals behind the global campaign monitor their selected victims before sending a phishing email, identifying the employees who have the access needed to perform wire transfers within the business, the FBI said.
"These businesses may purchase or supply a variety of goods, such as textiles, furniture, food and pharmaceuticals," the FBI said. "This scam impacts both ends of the supply chain, as both supplies and money can be lost and business relations may be damaged."
The scam is a common and long-standing problem that takes advantage of human fallibility, according to solution providers interviewed by CRN. Employees with the authority to transfer funds must be trained to be vigilant for it. While antispam and antiphishing technology does a fairly good job of spotting the attacks, criminals have gotten better at spoofing email messages, and because each request is tailored to a single target it carries none of the bulk characteristics spam filters key on, so the bogus messages typically get through.
Organizations need to foster a culture of security, but it isn't something that can happen overnight, said Justin Flynn, a consultant and network security specialist with Chicago-based solution provider Burwood Group. Employee training is essential, and the leadership within the organization needs to fully support the culture change, Flynn said.
“Businesses are growing increasingly aware of threats of all kinds that can have a serious impact to a business' reputation and bottom line,” Flynn said. "There's no doubt that security is becoming top of mind.”
The FBI said the fraudulent funding requests have been for amounts similar to the business's normal transactions, to avoid raising suspicion. Employees who use free, web-based email are at higher risk of being targeted. Scammers often use social media and company websites to identify the employees at an organization who have the ability to transfer funds.
The FBI advises businesses to use multifactor authentication and to establish protocols with foreign suppliers for verifying payment requests. When responding to an invoice request by email, organizations should also avoid the "reply" button, which would send the response to whatever address the scammer placed in the message, and instead use "forward" and manually type in the supplier's known-valid email address.
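The indicators the article attributes to the FBI (a reply address that differs from the visible sender, a sender domain that merely resembles a supplier's, free webmail senders, and a request to pay a "new" account) can be screened for automatically before a payment request ever reaches the person who can approve a wire. The following is an added example, not FBI or CRN code; the supplier allowlist, the webmail list and the two sample messages are constructed for illustration, and the similarity threshold is an assumption to tune.

```python
"""Screen an inbound payment request for the BEC indicators described above.

Added example; not code from the FBI PSA or the article. The supplier
domains, webmail list, threshold and sample messages are all constructed.
"""
import difflib
import email
from email.utils import parseaddr

# Assumed allowlist: domains of suppliers this organization actually pays.
KNOWN_SUPPLIER_DOMAINS = {"acme-textiles.example", "globalfurn.example"}

# Free web-based mail providers; illustrative, extend for your environment.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

# Phrases that signal a change of beneficiary account (constructed list).
NEW_ACCOUNT_PHRASES = ("new account", "updated bank", "changed our bank", "alternate account")

# Assumed similarity threshold for lookalike-domain detection.
LOOKALIKE_RATIO = 0.85


def domain_of(header_value):
    """Lowercase domain of the address in a From:/Reply-To: header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, known):
    """Return the known domain that `domain` closely resembles but is not, else None."""
    if not domain or domain in known:
        return None
    for k in known:
        if difflib.SequenceMatcher(None, domain, k).ratio() >= LOOKALIKE_RATIO:
            return k
    return None


def plain_text(msg):
    """Concatenate the decoded text/plain parts of a message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def screen_payment_request(raw_message):
    """Return the list of indicators found; an empty list means none were triggered."""
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    indicators = []

    # 1. Reply-To that differs from From: hitting "reply" would answer the scammer,
    #    which is exactly why the FBI says to forward to a hand-typed address.
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"reply-to domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # 2. Sender domain is a near miss of a real supplier domain (spoofing by lookalike).
    lk = lookalike_of(from_dom, KNOWN_SUPPLIER_DOMAINS)
    if lk:
        indicators.append(f"sender domain {from_dom!r} resembles supplier domain {lk!r}")

    # 3. Free webmail sender.
    if from_dom in FREE_WEBMAIL_DOMAINS:
        indicators.append(f"sender uses free webmail domain {from_dom!r}")

    # 4. Request to pay a new or alternate account: always verify out of band.
    body = plain_text(msg).lower()
    if any(p in body for p in NEW_ACCOUNT_PHRASES):
        indicators.append("body asks for payment to a new or alternate account")
    return indicators


# Constructed sample: lookalike sender, different Reply-To, new-account request.
SAMPLE_FRAUD = """From: Accounts <billing@acme-textile.example>
Reply-To: billing@acme-textile-invoices.example
To: ap@victim.example
Subject: Invoice 4471 - updated remittance details

Please note we have changed our bank. Kindly wire payment for invoice 4471
to the new account below.
"""

# Constructed sample: genuine supplier domain, no Reply-To, ordinary invoice.
SAMPLE_LEGIT = """From: Accounts <billing@acme-textiles.example>
To: ap@victim.example
Subject: Invoice 4472

Invoice 4472 is attached, payable under our standing terms.
"""

if __name__ == "__main__":
    for name, sample in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(name, screen_payment_request(sample) or "no indicators")
```

Note what this does not catch: the hijacked-account variant the article describes, where the message really does come from the executive's or supplier's mailbox, passes every header check here. That is the case the FBI's advice on multifactor authentication and a verification protocol with the supplier is meant for, so a clean screening result should gate, not replace, the out-of-band call.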
PUBLISHED JAN. 28, 2015