This is the first in a series of articles about increasingly sophisticated cyber scams, and follows several alerts issued by the FBI’s Internet Crime Complaint Center (IC3). These scams include: (1) Business Email Compromise; (2) Ransomware; (3) Wireless Keystroke Loggers Disguised as USB Device Charger; and (4) Extortion Emails Tied to Recent Data Breaches. We’ll address each of these scams in this series.
Business Email Compromise
This cyber scam is also known as the “faked CEO email” because it often involves a hacked email sent from a company executive, sometimes when they are off-site, with an urgent time frame attached. The FBI provides the following description:
The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy….There are various versions of the scams. Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments.
In a recent update on this scam, the Phoenix office of the FBI disclosed several troubling statistics:
- Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries.
- From October 2013 through February 2016, law enforcement received reports from 17,642 victims.
- This amounted to more than $2.3 billion in losses.
- Since January 2015, the FBI has seen a 270 percent increase in identified victims and exposed loss.
- In Arizona the average loss per scam is between $25,000 and $75,000
In a bulletin from August 2015, the FBI noted the increasing sophistication of these email scams:
Not long ago, e-mail scams were fairly easy to spot. The Nigerian lottery and other fraud attempts that arrived in personal and business e-mail inboxes were transparent in their amateurism. Now, the scammers’ methods are extremely sophisticated. They know how to perpetuate the scam without raising suspicions….They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.
The fraudsters’ scheme requires that the faked email not be challenged or verified, and rely on the recipient to assume that the email is legitimate. Some sophisticated fraudsters will spend considerable time studying the syntax and language mannerisms of the CEO in order to make the spoofed message appear to be the real thing. The FBI included the following tips to reduce the risk of falling victim to this fraudulent activity:
- Be wary of e-mail-only wire transfer requests and requests involving urgency
- Pick up the phone and verify that the request is legitimate!
- Be cautious of mimicked e-mail addresses
- Practice multi-level authentication.
In the event that you fall prey to the this scam and transfer funds to a fraudulent account, the FBI recommends that you act quickly as follows:
- Contact your financial institution immediately upon discovering the fraudulent transfer.
- Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
- File a complaint, regardless of dollar loss, with www.IC3.gov.
The takeaway? The internet remains a hazardous neighborhood at times. Constant vigilance is necessary, particularly with respect to financial transactions.
In part 2 of this series, we will address recent alerts on the rising epidemic of ransomware. Stay tuned.