FBI report: CEO email scams on the rise
In a world increasingly dependent on the internet and technology, email scams and other methods of attack have become a real threat to businesses. Due to the growing ubiquity of online banking and e-commerce, the internet is a better platform than ever for running a scam — and this has gotten so dangerous that parts of the U.S. government have had to speak out against it.
The FBI and email scams
The business email compromise (BEC) scam has become more common than ever. The scammers pose as trusted employees or partners, either by spoofing a company email address or by impersonating a known contact such as a business partner. Any business of any size can be hit, but the ones most often targeted are those that work with foreign suppliers or regularly pay by wire transfer.
The FBI reports that between October 2013 and February 2016 more than 17,500 businesses were victimized by these email scams, with combined losses of more than $2.3 billion. According to the same report, identified victims and exposed losses have risen 270% since January 2015. And this is not the only large-scale scam hitting businesses in the United States and beyond.
The IRS and phone/email scams
In February 2016 the IRS was forced to issue a warning about phone scams. As tax season approached, scammers targeted potential victims by sending fake tax bills, by harassing them with robocalls, or by email.
The usual method was a phone call in which the victim was abruptly told they would be arrested or taken to court unless they paid right away. Because many people are wary of the government and unfamiliar with how agencies like the IRS actually operate, they simply paid up to make the harassment stop, not realizing the IRS was not behind the calls at all.
Email spoofing is not limited to scammers impersonating your boss or a business partner; it happens with government agencies, too. This kind of behavior is called phishing.
What is phishing?
In short, phishing is when scammers impersonate a business, institution or person in order to obtain personal information or money from their victims. Phishing can be quite subtle: emails sent from official-looking addresses that link to fake login pages are common on the Internet, though most webmail providers keep a close eye on this kind of activity.
In the IRS scams, phishers impersonated a large, intimidating government agency in order to pressure people into paying, and because people fold under pressure, it worked. What the victims did not know is that the IRS does not call to demand payment, does not move straight to arrests over unpaid taxes (though years of non-payment can become a legal matter), and never demands personal information over the phone. Each of these behaviors is a red flag coming from anyone, not just a "government agency".
Wire transfer issues
The problem with wire transfers is serious, since a single transaction can involve thousands or even millions of dollars. Email scammers rely on social engineering, as well as on software that picks out emails that discuss wire transfers. They also learn when a CEO is away from the office and which employees handle the company's finances; in the hands of cyber criminals, these details can leave a company in a difficult and costly situation.
The schemers intercept the confirming email and alter the wiring information in transit, so that the recipient receives a message with different wiring instructions while neither sender nor recipient realizes the email has been tampered with. They also use language specific to the targeted company, which makes it hard for employees to recognize that they have received a spoofed email. This is a whole new level of cyber-crime, and businesses should take stronger security measures against these attacks.
6 ways to protect yourself
- Have your IT staff configure your email gateway so that spoofed emails are blocked before they reach the inbox.
- Find out which of your employees are phish-prone: KnowBe4's Phishing Security Test is effective at identifying high-risk employees. Also use one of the open source phishing toolkits, such as the Simple Phishing Toolkit, that were created to help companies educate employees about the dangers of phishing scams.
- Don't be quick to send money. Double-check phone numbers and email addresses, and verify as much information as you can before doing anything even slightly risky. Call the requester first, using a number you already have on file rather than one supplied in the email. Better yet, call a banker you know. Some companies even insist on a Skype video call with the bank before transferring the money.
- A spoofed email address is also a red flag, so do not trust it. Hover over any link to see the full address before clicking it.
- Wire requests that arrive by email only can be a red flag, especially urgent ones. Refuse any email-only request.
- Use multi-tiered verification to reduce the risk. If a wire transfer request arrives by email, confirm it by phone; if it arrives by phone, confirm it by email.
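As an added example (not code from the original article), the following Python script applies several of the red flags above to a raw email message: a sender domain that imitates the company or a partner domain, a Reply-To that differs from the From address, an executive's display name on an outside mailbox, an urgent wire request, and a link whose visible text hides a different destination. The company domain, executive name, partner domain, keyword lists and the two sample messages are assumptions constructed for the example.

```python
"""Added example, not code from the original article: heuristic checks for the
BEC red flags listed above. The company domain, executive name, partner domain,
keyword lists and the two sample messages are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                              # assumed
EXECUTIVES = {"jane doe"}                                   # assumed CEO name
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "partner-supplier.com"}  # assumed partners
WIRE_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|account number)\b", re.I)
URGENT_WORDS = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})  # 1/l and 0/o swaps; rn/m below

def edit_distance(a, b):
    """Levenshtein distance; one edit away from a trusted domain is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True for an untrusted domain that imitates a trusted one."""
    domain = domain.lower()
    return domain not in trusted and any(
        normalize(domain) == normalize(t) or edit_distance(domain, t) == 1 for t in trusted)

def host(url):
    return urlparse(url if "://" in url else "http://" + url).hostname

def link_mismatches(html):
    """(shown text, real href) pairs where the visible URL hides another host."""
    out = []
    for href, inner in ANCHOR.findall(html):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        if "." in shown and " " not in shown and host(shown) != host(href):
            out.append((shown, href))
    return out

def analyze(raw):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text, html = "", ""
    for part in msg.walk():                      # a flat message yields itself
        if part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace")
        elif part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode("utf-8", "replace")
    content = " ".join([msg.get("Subject", ""), text, re.sub(r"<[^>]+>", " ", html)])
    flags = []
    if is_lookalike(from_domain):
        flags.append("sender domain imitates a trusted domain: " + from_domain)
    if reply_domain and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain: " + reply_domain)
    if from_name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("executive display name on an outside mailbox: " + from_addr)
    if WIRE_WORDS.search(content) and URGENT_WORDS.search(content):
        flags.append("urgent wire request arriving by email only")
    for shown, href in link_mismatches(html):
        flags.append("link text %s really points to %s" % (shown, href))
    return flags

# Constructed sample messages (not real mail).
SUSPECT_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@mail-relay.net>
Subject: Urgent wire transfer
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

I am travelling and cannot take calls. Please wire the supplier payment
today to the new account number below and keep this confidential.
--b1
Content-Type: text/html

<p>Pay here: <a href="http://portal.examp1e.com/pay">portal.example.com</a></p>
--b1--
"""
BENIGN_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
Subject: Lunch next week

Are you free for lunch next Tuesday?
"""
```

Running `analyze(SUSPECT_MESSAGE)` returns five indicators (look-alike sender domain, mismatched Reply-To, executive name on an outside mailbox, urgent wire wording, and a link whose text hides a different host), while `analyze(BENIGN_MESSAGE)` returns none. Checks like these belong at the mail gateway or in a mailbox add-in; they supplement, not replace, the out-of-band phone confirmation described in the list, and the word lists should be tuned to the company's own vocabulary.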
What to do if you’re a victim
- Contact your bank immediately and have them contact the financial institution the money was transferred to. Then file a complaint with the FBI's Internet Crime Complaint Center (IC3.gov).
Wire and phishing scams are extremely expensive for businesses and, whatever their source, are becoming more prevalent.
Protect yourself with a multi-layer strategy. Check with your IT support professional to make sure that, in addition to simple endpoint anti-virus protection, you have robust email security, web traffic filtering, and unified threat management enabled on your firewall.
For more on cybersecurity, check out this Executive Street blog post outlining ways to protect yourself from cyberattack.