The amount of money businesses are wrongly wiring to fraudsters due to email scams has risen a massive 2,370 percent over the past two years, according to the FBI.
Over the past three years businesses across the world have lost as much as $5.3 billion to email fraudsters, according to new FBI figures.
The scam, known as business email compromise (BEC), is carried under the guise of a CEO, or other senior executives, who direct a subordinate to wire money to a supplier’s account. The bank account however is controlled by the fraudster and the senior executive's email address has been spoofed or hacked.
The fraud takes numerous forms, including email supposedly from a supplier, business partner, or lawyer. And while fraudsters have targeted the real estate sector over the past year, Silicon Valley firms have also been duped.
A Lithuanian national arrested in March was charged with an elaborate $100m BEC fraud carried out over two years against two US tech firms by posing as an Asian hardware supplier. The supplier that was impersonated turned out to be Taiwan’s Quanta Computer and the victims, as Fortune reported last week, were Facebook and Google, whose accounting department staff had been roped in to make a series of payments in the tens of millions over a two-year period, starting in 2013.
The FBI has been tracking BEC losses in the US and internationally since October 2013. Last year it counted 17,642 organizations from the U.S. and 79 other that had lost $2.3bn between October 2013 and February 2016.
Taking into account reports up to December 2016, some 40,203 organizations from all 50 U.S. states and 131 countries may have lost up to $5.3bn.
The figures are based on filings from financial institutions. Statistics based on reports by victims are far smaller.
Tim Bentley, ANZ MD of Proofpoint told CSO Australian businesses are frequently exposed to the scam, which often takes months to discover.Read more: Got any HTTP page with a search field? Chrome will soon label it ‘Not Secure’
"Locally the BEC approach is transitioning from an actor purporting to be a CEO or CFO and requesting a wire transfer to an actor purporting to be a businesses' existing supplier and requesting a wire transfer for an invoice payment. Often it takes several months before the business realizes it has been wiring money to a fraudulent account," said Bentley.
"Employers need to ensure they are putting internal finance and purchasing controls in place to authenticate legitimate wire requests," he added.
The FBI notes that small, medium and large businesses are targeted. Fraudsters often study targets in depth and may phish employees for additional details or attempt to infect the target with ransomware before the fraud.
The agency recorded a 480 percent rise in the complaints filed by real estate firms last year. Attackers monitor real estate deals and wait for the right moment to inject a request to change a payment from cheque to wire transfer, it said.
It also saw a 50 percent increase in complaints from businesses working with dedicated international suppliers.
To avoid becoming a victim, the FBI recommends businesses avoid using free web email services and establish a company email domain, as well as setting up two-factor authentication.
It also urges targeted employees not to use the "reply" button but rather the less convenient "forward" option, which requires the user type in the recipient's address -- preferably one from their contacts list.
The FBI has published further recommendations here.
At the recent CSO Perspectives Roadshow International keynote speaker Jeff Lanza (former FBI) talked about this also in his presentation, to watch him on stage view here