Last year, a scam using fraudulent wire transfers caused businesses $215 million in losses.
According to a public service announcement by the Internet Crime Complaint Center (IC3), the scam, known as “Business E-mail Compromise” (BEC), claimed 1,198 unique victims across every U.S. state and 45 other countries between October 2013 and December 2014.
Approximately $180 million (around 84%) of the total dollars lost occurred in the United States alone.
There are three different versions of the scam. The first, which has been referred to as “The Bogus Invoice Scheme,” “The Supplier Swindle,” and the “Invoice Modification Scheme,” tries to manipulate a business into wiring money to a fraudulent account that is allegedly owned by a trusted supplier.
“The request may be made via telephone, facsimile or e-mail,” the IC3 alert warns. “If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request.”
Brian Krebs discusses the scam’s second version, known as “CEO Fraud,” on his website. In this scenario, fraudsters posing as C-level executives ask another employee, usually the one responsible for processing payments, to make a wire transfer to a fraudulent account.
The attackers gain access to those high-level email accounts using carefully crafted spearphishing messages. Some victims have also reported being infected by scareware and ransomware immediately prior to a BEC scam request.
The last version of the scam uses an employee’s hacked email to send requests for invoice payments to multiple vendors.
To protect against this scam, it is recommended that businesses establish out-of-band communication channels and review their policies regarding the authorization of wire transfers.
Given attackers’ ability to evade anti-spam systems, it is also suggested that businesses implement security education programs designed to combat phishing, as some CIOs have already begun doing.
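The IC3 alert quoted above notes that spoofed requests look very similar to a legitimate account; as an added defender-side example (not from the article, IC3, or Krebs), the Python below checks a message's From and Reply-To domains against a list of trusted supplier domains and flags lookalike domains and Reply-To mismatches. The sample headers, the trusted-domain list and the distance threshold are constructed assumptions for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for the demo (not taken from the article).
# The Reply-To domain swaps a capital "I" for the "l" in "supplies".
SAMPLE = """\
From: ACME Billing <billing@acme-supplies.com>
Reply-To: billing@acme-suppIies.com
Subject: Updated wire instructions for invoice 4471

Please remit payment to the new account below.
"""

# Assumed allow-list of supplier domains the business actually pays.
TRUSTED_DOMAINS = {"acme-supplies.com"}

def edit_distance(a, b):
    """Levenshtein distance; a small value between distinct domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Extract the lower-cased domain from an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def lookalike(domain, trusted, max_dist=2):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    if not domain or domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None

def check_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    for label, d in (("From", sender), ("Reply-To", reply)):
        hit = lookalike(d, trusted)
        if hit:
            findings.append(f"{label} domain {d} looks like trusted {hit}")
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    return findings
```

A hit on either finding is a reason to verify the request through the out-of-band channel rather than act on the e-mail.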