The FBI says it has seen a huge increase in the volume of business email compromise scams hitting enterprises in the last year, and estimates that losses from the scheme have hit $2.3 billion now.
Like normal phishing scams, these kinds of attacks rely on highly believable messages and a healthy dose of social engineering to get the job done. Typically, an attacker will send an email to a victim inside a target organization, saying that funds need to be transferred immediately to an outside account. The email usually has a spoofed sender address and appears to come from the CEO, CFO, or other top executive inside the target company.
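As an added illustration (not code from the article or from the FBI alert), the following Python check flags the pattern just described on the receiving side: a message whose display name matches a known executive but whose address, Reply-To, or authentication results do not line up, combined with urgent wire-transfer wording. The corporate domain, executive list, and sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical corporate settings (assumptions, not from the article).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
URGENT_WIRE = re.compile(
    r"\b(wire|transfer|payment)\b.*\b(today|immediately|urgent|asap)\b", re.I | re.S
)

def analyze_bec(raw_message: str) -> list[str]:
    """Return the BEC indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name of a real executive paired with a different mailbox.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        findings.append(f"display name impersonates executive: {name} <{addr}>")
    if domain and domain != CORP_DOMAIN:
        findings.append(f"external sender domain: {domain}")
    # Replies silently routed to a mailbox the attacker controls.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"Reply-To domain differs from From: {reply}")
    # Authentication-Results is written by our own inbound gateway.
    auth = msg.get("Authentication-Results", "")
    if any(tok in auth for tok in ("spf=fail", "dkim=fail", "dmarc=fail")):
        findings.append("sender authentication failed")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENT_WIRE.search(text):
        findings.append("urgent wire-transfer language in body")
    return findings

# Constructed sample message; not a real message from any reported case.
SAMPLE = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@other-mail.example
To: finance@example.com
Subject: Vendor payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-mail.net; dkim=none; dmarc=fail
Content-Type: text/plain; charset=utf-8

Please wire $3,000,000 to the vendor account below today. I am in a meeting, handle this immediately.
"""

if __name__ == "__main__":
    for finding in analyze_bec(SAMPLE):
        print("FLAG:", finding)
```

Any one indicator alone is weak; the combination of an impersonated display name, a mismatched Reply-To, failed authentication, and urgent payment language is what should route the message for out-of-band verification before any transfer is made.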
The losses from these attacks are staggering, as the FBI’s new numbers show. Since October 2013, when the bureau began tracking the scams, through February of this year, the FBI says it has received more than 17,000 complaints about the attacks, which also are known as CEO email scams. In that time, total losses by businesses have amounted to $2.3 billion, the bureau says.
“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy,” the FBI’s alert says.
“There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.”
It’s not just smaller or unsophisticated businesses that fall for these scams, either. Last week, details emerged of an attack on Mattel that nearly cost the company $3 million. A finance executive at the company got an email from what seemed to be the CEO, asking her to send a payment of $3 million to one of the company’s vendors in China. She did, and only after checking with the CEO later did she realize that he hadn’t sent the email. The company worked with the United States and Chinese law enforcement and got the money back a few days later, something that is a rarity with these attacks.
In January, Crelan Bank in Belgium lost $75 million in a similar scheme, and a manufacturing company in Austria lost about €50 million in a phishing scheme, too.