Over the past two and a half years, cybercriminals have managed to steal over $2.3 billion from thousands of companies worldwide by using little more than carefully crafted scam emails.
Known as business email compromise (BEC), CEO fraud or whaling, this type of attack involves criminals impersonating an organization’s chief executive officer, or some other high-ranking manager, and instructing employees via email to initiate rogue wire transfers.
According to an alert issued earlier this week by the FBI, between October 2013 and February 2016, 17,642 organizations from the U.S. and 79 other countries have fallen victim to BEC attacks. The combined losses amount to over $2.3 billion, the agency said.
The scams can take different forms. Instead of an executive, the fraudsters can pose as one of the organization’s foreign business partners or suppliers seeking a payment. The attackers usually do a lot of research about the targeted companies in advance to determine which of their employees handle money transfers and who they should impersonate.
In the more advanced attacks, the hackers can compromise the real email account of a company’s CEO by using phishing or malware. This allows them to send wire transfer requests from the actual email address that the recipient would expect to see. In other cases they use similar domain names or address spoofing techniques.
Sometimes, the attackers gain access to a company’s network or email server weeks in advance and spend time reading the emails sent between employees to understand the organization’s internal workflows before they act.
The amount of the rogue transfers can range between a few thousand dollars to a few million depending on the victim’s organization’s size and industry profile.
Last week, AP reported that back in 2015, a finance executive from toy maker Mattel wired $3 million to a bank in China after falling victim to such an email scam. The unnamed employee received an email that appeared to be from Mattel’s newly appointed CEO requesting that a payment be made to a Chinese vendor.
Reports earlier this year claimed that Belgian bank Crelan lost €70 million and Austrian airplane parts manufacturer FACC Operations lost €50 million following similar attacks.
According to the FBI’s statistics, since January 2015 there has been a 270 percent rise in the number of BEC victims and losses. The agency advises organizations to be wary of wire transfer requests received via email, especially of those that invoke urgency. Employees should seek confirmation over the phone from the company’s senior managers, business partners or suppliers when such requests are received.