FBI and IRS warn of pervasive, maddening business, consumer scams

FBI says man-in-the-middle e-mail scam cost victims $214M; IRS says phone scam has 3,000 victims who've paid over $14M.

The FBI and IRS separately this week warned of a couple of timeworn but highly effective scams that continue to grow and strip businesses and consumers of cash.

First, the FBI is again warning businesses to be aware of a growing scam that tricks them into paying invoices from established partners that look legitimate but in fact are fraudulent.


The FBI says the fraud is a tweak of the "man-in-the-middle" scam and usually involves chief technology officers, chief financial officers, or comptrollers receiving an e-mail via their business accounts, purportedly from a vendor, requesting a wire transfer to a designated bank account.

The FBI has even renamed the scam, now calling it Business E-mail Compromise (BEC), because of the "business angle" of the scheme and to avoid confusion with another, unrelated scam.

The fraudulent wire transfer payments associated with BEC are sent to foreign banks and may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.

The Internet Crime Complaint Center (IC3) has received BEC complaint data from victims in every U.S. state and 45 countries. From 10/01/2013 to 12/01/2014, the following statistics are reported:

  • Total U.S. victims: 1198
  • Total U.S. dollar loss: $179,755,367.08
  • Total non-U.S. victims: 928
  • Total non-U.S. dollar loss: $35,217,136.26
  • Combined victims: 2126
  • Combined dollar loss: $214,972,503.30

According to the FBI, it is still largely unknown how victims are selected; however, the subjects monitor and study their selected victims prior to initiating the BEC scam.

"The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive 'phishing' e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc). Some victims reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request," the FBI says.

Also, based on IC3 complaints and other complaint data received since 2009, there are three main versions of this scam:

Version 1

A business, which often has a long standing relationship with a supplier, is asked to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request. This particular version has also been referred to as "The Bogus Invoice Scheme," "The Supplier Swindle," and "Invoice Modification Scheme."

Version 2

The e-mail accounts of high-level business executives (CFO, CTO, etc) are compromised. The account may be spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is normally responsible for processing these requests. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank "X" for reason "Y." This particular version has also been referred to as "CEO Fraud," "Business Executive Scam," "Masquerading," and "Financial Industry Wire Frauds."

Version 3

An employee of a business has his/her personal e-mail hacked. Requests for invoice payments to fraudster-controlled bank accounts are sent from this employee's personal e-mail to multiple vendors identified from this employee's contact list. The business may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.

In the end, the scheme is usually not detected until the company's internal fraud detection alerts victims to the request or company executives talk to each other to verify that the transfer was made.
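The spoofed sender addresses and redirected payment requests described in the three versions above can be screened mechanically before anyone acts on them. The following Python is an added example, not from the FBI alert or this article; the vendor domains and messages are constructed, and it treats a near-match sender domain or a mismatched Reply-To, paired with payment-change wording, as a trigger for out-of-band verification.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlist of domains for vendors the business actually pays (hypothetical names).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Phrases that typically accompany a request to redirect an invoice payment.
PAYMENT_CHANGE = re.compile(
    r"(wire transfer|new bank account|updated (banking|account) details|remit(tance)? to)",
    re.IGNORECASE,
)


def sender_domain(header_value):
    """Lower-cased domain of an address header ('' if the header is absent or malformed)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def closest_vendor(domain):
    """Most similar known vendor domain and its similarity ratio (0..1)."""
    best = max(KNOWN_VENDOR_DOMAINS, key=lambda v: SequenceMatcher(None, domain, v).ratio())
    return best, SequenceMatcher(None, domain, best).ratio()


def assess_message(msg, lookalike_threshold=0.8):
    """Reasons the message deserves out-of-band verification; [] means no address anomaly."""
    from_dom = sender_domain(msg.get("from"))
    reply_dom = sender_domain(msg.get("reply-to"))
    vendor, similarity = closest_vendor(from_dom)
    anomalies = []
    # Version 1: a sender domain that is nearly, but not exactly, a known vendor's domain.
    if from_dom not in KNOWN_VENDOR_DOMAINS and similarity >= lookalike_threshold:
        anomalies.append(f"sender domain {from_dom!r} resembles known vendor {vendor!r}")
    # A Reply-To pointing elsewhere routes the conversation away from the address shown.
    if reply_dom and reply_dom != from_dom:
        anomalies.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    if not anomalies:
        return []  # routine vendor mail; payment wording alone is not a signal
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    if PAYMENT_CHANGE.search(text):
        anomalies.append("message asks to change where an invoice payment is sent")
    return anomalies


SAMPLE_MESSAGES = [  # constructed examples, not real traffic
    {"from": "Accounts <ap@acme-supplles.example>", "reply-to": "", "subject": "Invoice 4471",
     "body": "Please note our updated banking details and send the wire transfer to the new account."},
    {"from": "ap@acme-supplies.example", "reply-to": "", "subject": "Invoice 4471",
     "body": "Attached is invoice 4471, payable per our usual terms."},
]
```

A hit is a prompt to call the vendor on a number already on file, never one taken from the e-mail; it is not proof of fraud on its own.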

Meanwhile the IRS says it is still battling aggressive and threatening phone calls being made by criminals impersonating IRS agents.

The IRS has seen a surge of these phone scams in recent months as scam artists threaten police arrest, deportation, license revocation and other things. The IRS reminds taxpayers to guard against all sorts of con games that arise during any filing season.

"If someone calls unexpectedly claiming to be from the IRS with aggressive threats if you don't pay immediately, it's a scam artist calling," said IRS Commissioner John Koskinen in a statement. "The first IRS contact with taxpayers is usually through the mail. Taxpayers have rights, and this is not how we do business."

Phone scams, in fact, top the Dirty Dozen list for the first time. The list, compiled annually by the IRS, covers a variety of common scams taxpayers may encounter at any time during the year.


Phone scams top the list this year because they have been a persistent and pervasive problem for many taxpayers for many months. Scammers are able to alter caller ID numbers to make it look like the IRS is calling. They use fake names and bogus IRS badge numbers. They often leave "urgent" callback requests. They prey on the most vulnerable people, such as the elderly, newly arrived immigrants and those whose first language is not English. Scammers have been known to impersonate agents from IRS Criminal Investigation as well.

"These criminals try to scare and shock you into providing personal financial information on the spot while you are off guard," Koskinen said. "Don't be taken in and don't engage these people over the phone."

The Treasury Inspector General for Tax Administration (TIGTA) has received reports of roughly 290,000 contacts since October 2013 and has become aware of nearly 3,000 victims who have collectively paid over $14 million as a result of the scam, in which individuals make unsolicited calls to taxpayers fraudulently claiming to be IRS officials and demanding that they send them cash via prepaid debit cards.

The IRS reminded consumers that they can fairly easily tell when a supposed IRS caller is a fake. Here are five things the scammers often do that the IRS will not do.

According to the IRS the agency will never:

  • Call to demand immediate payment, nor will the agency call about taxes owed without first having mailed you a bill.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone.
  • Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.
