FBI: Major business e-mail scam blasts 270% increase since 2015

FBI says 7,000 U.S. companies that have been victimized by business e-mail compromise

The FBI this week said an e-mail scam that tricks businesses into paying invoices from what looks like established partners is growing exponentially.

The FBI last year even gave the scam its own name -- business e-mail compromise (BEC) – which is a variant of the timeworn “man-in-the-middle” scam and usually involves chief technology officers, chief financial officers, or comptrollers, receiving an e-mail via their business accounts purportedly from a vendor requesting a wire transfer to a designated bank account, the FBI said.

+More from Network World: DARPA: Current DDoS protection isn’t cutting it+

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that have been victimized—with total dollar losses exceeding $740 million. That doesn’t include victims outside the U.S. and unreported losses, the FBI stated. According to IC3, since the beginning of 2015 there has been a 270% increase in identified BEC victims.

The FBI says the scammers, believed to be members of organized crime groups from Africa, Eastern Europe, and the Middle East, primarily target businesses that work with foreign suppliers or regularly perform wire transfer payments.

The FBI said that not long ago, e-mail scams were fairly easy to spot. The Nigerian lottery and other fraud attempts that arrived in personal and business e-mail inboxes were transparent in their amateurism. Now, the scammers’ methods are extremely sophisticated.

“They know how to perpetuate the scam without raising suspicions,” said FBI Special Agent Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime–Eastern Hemisphere Section in the Criminal Investigative Division. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”

To make matters worse, Marker says the criminals often employ malware to infiltrate company networks, gaining access to legitimate e-mail threads about billing and invoices they can use to ensure the suspicions of an accountant or financial officer aren’t raised when a fraudulent wire transfer is requested, Marker said in a statement.

+More from Network World: NASA touts real technologies highlighted in imminent 'The Martian' flick+

Instead of making a payment to a trusted supplier, the scammers direct payment to their own accounts. Sometimes they succeed at this by switching a trusted bank account number by a single digit. “The criminals have become experts at imitating invoices and accounts and when a wire transfer happens, the window of time to identify the fraud and recover the funds before they are moved out of reach is extremely short,” Marker said.

Check out these other hot stories:

Attention whitehats, The FTC wants you to lead new privacy, security push

The ultimate auto-pilot software gets $15M boost

Big question of the day: Leonard Nimoy or not?

DARPA: Current DDoS protection isn’t cutting it

DARPA: What are the extreme challenges facing optics and imaging?

NASA touts real technologies highlighted in imminent 'The Martian' flick

DARPA wants low-power chips that handle high-impact applications

Copyright © 2015 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022