FBI report: CEO email scams on the rise

In a world increasingly dependent on the internet and technology, email scams and other methods of attack have become a real threat to businesses. Due to the growing ubiquity of online banking and e-commerce, the internet is a better platform than ever for running a scam — and this has gotten so dangerous that parts of the U.S. government have had to speak out against it.


The FBI and email scams

The BEC (business email compromise) scam has become more popular than ever. In this form of scamming, the scammers pose as trusted employees or partners, either by spoofing company email addresses or by pretending to be someone they’re not, such as a business partner. This can happen to a business of any size, but the businesses most often targeted are those that deal with foreign suppliers or regularly pay by wire transfer.

The FBI reports that from October 2013 to February 2016, more than 17,500 businesses were victimized by email spoofing, with total losses of more than $2.3 billion. According to this report, the scam has increased by 270% since January of last year. But this isn’t the only big scam hitting businesses in the United States and beyond.

The IRS and phone/email scams

In February 2016, the IRS was forced to release a notice on phone scams. As tax season approached, scammers would approach their potential victims by sending false tax bills, harassing them with robocalls, or even taking the email route.

The usual method was a phone call in which the victim was suddenly told they would be arrested or taken to court if they didn’t pay right away. Due to a general wariness of the government and a lack of knowledge about how these large agencies work, many people simply listened to these threats and paid up so the harassment would stop, not knowing the IRS wasn’t behind it at all.

Email spoofing doesn’t just happen when scammers impersonate your boss or a business partner. It can happen with government agencies, too. This kind of behavior is called phishing.

What is phishing?

In short, phishing happens when scammers impersonate a business, institution or person in order to obtain personal information or money from their victims. Phishing can be done fairly subtly, too — emails sent from official-looking addresses that lead to fake login pages are common on the Internet, though most web mail services keep a close eye on behavior like this.

In the case of the IRS scams, phishers were impersonating a large, scary government agency in order to force money out of people. Since people fold under pressure, it worked! What these people didn’t know is that the IRS doesn’t call people to demand payment, doesn’t jump to arrests for not paying (though this can be a legal matter if it’s gone on for many years), and absolutely doesn’t demand personal information over the phone. All of these behaviors are red flags coming from anyone, not just a “government agency”.

Wire transfer issues

The problems with wire transfers are very serious — involving payments that could amount to thousands, if not millions of dollars in just a single transaction. Email scammers use what is referred to as social engineering — as well as software that is able to identify emails that talk about wire transfers. They also know when a CEO is away from the office and which employees handle the company’s finances — details that, if obtained by cyber criminals, can be very dangerous and can leave a company in a difficult and costly situation.

What these schemers do is intercept the confirming email and then change the wiring information en route so that the recipient receives an email with different wiring instructions — with the sender and receiver fully unaware that the email has been tampered with. They also use language that is specific to their targeted company, which could make it difficult for employees to detect that they received a spoofed email. This is a whole new level of cyber-crime and businesses should take stronger security measures against these attacks.

6 ways to protect yourself

  1. Have your IT staff configure your email settings so that bogus emails are blocked and do not reach the inbox.
  2. Find out which of your employees are phish-prone: KnowBe4 has a Phishing Security Test that is very effective in identifying high-risk employees. You can also use one of the open source phishing toolkits, like the Simple Phishing Toolkit, that have been created to help companies educate employees about the dangers of phishing scams.
  3. Don’t be quick to send money: double-check phone numbers and email addresses, and verify as much information as possible before doing anything even slightly risky. Also, make sure you call the requester first, on a number you already know. Better yet, call a known banker. Some companies even insist on a Skype video call with the bank before transferring the money.
  4. A spoofed email address is also a red flag, so do not trust it. And hover over any web address link to see the full address.
  5. Wire requests that are email only can be a red flag, especially those that are urgent in nature. Refuse any email-only request.
  6. Start using powerful, multi-tiered verification systems to reduce the risk. If you get a wire transfer request by email, follow up by phone. If you get a wire transfer request by phone, follow up by email.
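As an added illustration of items 3 to 6 above (this is not code from the original post, and the company domain and the two sample messages are constructed assumptions), the following script reads a raw email message and reports the red flags the list describes: a sender domain that is a lookalike of the company’s own domain, a Reply-To that does not match the From address, a link whose visible text shows a different host than the one it actually points to (what hovering over the link would reveal), and an urgent payment request arriving by email only.

```python
"""Red-flag scanner for wire-transfer requests received by email.

Added example, not code from the original post. COMPANY_DOMAIN, SAMPLE_MESSAGE
and CLEAN_MESSAGE are constructed assumptions for demonstration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

COMPANY_DOMAIN = "example-corp.com"  # assumed: the domain the business legitimately uses

URGENCY_WORDS = ("urgent", "immediately", "right away", "asap", "today")
PAYMENT_WORDS = ("wire", "transfer", "payment", "wiring instructions", "bank")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, i.e. what hovering over a link reveals."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host_of(url):
    m = re.match(r"^(?:https?://)?([^/:?#\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two keystrokes off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=COMPANY_DOMAIN):
    """True when a domain is not the legitimate one but is within two edits of it."""
    return domain != legit and _edit_distance(domain, legit) <= 2


def scan_message(raw, company_domain=COMPANY_DOMAIN):
    """Return a list of human-readable red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)
    if is_lookalike(from_domain, company_domain):
        flags.append(f"lookalike sender domain: {from_domain} (expected {company_domain})")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            # Only compare when the visible text itself looks like a URL.
            shown_host = _host_of(shown) if re.match(r"^(https?://|www\.)", shown, re.I) else ""
            if shown_host and shown_host != _host_of(href):
                flags.append(f"link text shows {shown_host} but points to {_host_of(href)}")

    haystack = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    if any(w in haystack for w in URGENCY_WORDS) and any(w in haystack for w in PAYMENT_WORDS):
        flags.append("urgent payment request by email: verify by phone before acting")

    return flags


# Constructed sample: a BEC-style wire request with all four red flags.
SAMPLE_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer needed today
Content-Type: text/html; charset="utf-8"

<p>I am travelling and cannot take calls. Please process the wire transfer
immediately using the updated wiring instructions here:
<a href="http://203.0.113.7/instructions">https://bank.example-corp.com/wire</a></p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN_MESSAGE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch menu for Friday

Pizza or salad?
"""

if __name__ == "__main__":
    for flag in scan_message(SAMPLE_MESSAGE):
        print("RED FLAG:", flag)
```

A scanner like this belongs in the mail gateway or a mailbox rule feeding the finance team, not as a replacement for the call-back step in item 6: it only surfaces the cues a careful reader would check by hand, and a message that passes every check still needs out-of-band confirmation before money moves.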

What to do if you’re a victim

  • Get in touch with your bank right away and have them contact the financial institution where your money was transferred. Then contact the FBI’s Internet Crime Complaint Center (IC3.gov) and lodge a complaint.

Wire and phishing scams are extremely expensive for businesses and, regardless of source, are becoming more prevalent.

Protect yourself with a multi-layer strategy. Check with your IT support professional to make sure that, in addition to simple endpoint anti-virus protection, you have robust email security, web traffic filtering, and unified threat management enabled on your firewall.


For more on cybersecurity, check out this Executive Street blog post outlining ways to protect yourself from cyberattack.

