NEW YORK (MainStreet) – In business, you're surrounded by security concerns: your checking and investment accounts, inventory, employees and credit cards. Email hacks seem trivial by comparison. But the FBI's Internet Crime Complaint Center (IC3) has issued an alert that reveals a growing threat to commerce by compromised business email. It's not just an inconvenience; it's a spreading global scam.
In just over a year, the IC3 has tracked some 2,000 victims and $215 million in losses from what has been known as "man-in-the-email" scams. The most common targets are businesses that work with foreign suppliers – and especially firms that regularly perform wire transfer payments.
These business email scams take numerous forms, one of the most common being to recruit victims to serve as "money mules," according to the IC3. The fraud involves recruiting a victim to serve as a middleman in the transfer of funds. Attorneys are frequently targeted in these schemes, receiving retainers or being recruited to represent litigants in a payment dispute. While the disputes are often real, the checks often aren't.
Other businesses targeted by these rackets are companies that purchase large quantities of goods, such as furniture, food and pharmaceuticals. Many times the fraud will cause the loss of money and inventory.
"It is still largely unknown how victims are selected; however, the subjects monitor and study their selected victims prior to initiating the BEC (business email compromise) scam," the IC3 alert says. "The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive 'phishing' e-mails requesting additional details of the business or individual being targeted (name, travel dates, etc). Some victims reported being a victim of various scareware or ransomware cyber intrusions, immediately preceding a BEC scam request."
The FBI says there are three primary cons to be on the lookout for:
- Wire requests that are made to an alternate account. This request often originates from a spoofed email, but can also be received by phone or fax.
- An exec's email account is hacked and issues a wire transfer request to a second employee.
- An employee's personal email account is compromised and issues payment requests to business associates, to be delivered to bogus accounts.
Unlike consumer-targeted phishing emails, these fraudulent payment requests are usually hard to detect. The individuals actually responsible for company wire transfers are usually the ones targeted, and the requests are well-worded, ask for typical payment amounts, are industry-specific and often don't trigger suspicion.
Once executed, the wires are often impossible to reverse. The transfers are usually sent to foreign banks and quickly dispersed. The IC3 says Asian banks, located in China and Hong Kong, are the most commonly reported final destination for these fraudulent transfers.
The FBI says businesses should avoid free, web-based email services, monitor company information that is disclosed through social media, and be wary of "urgent" requests and transactions that include sudden changes to normal procedures.
--Hal M. Bundrick is a Certified Financial Planner and contributor to MainStreet. Follow him on Twitter: @HalMBundrick