Scammers have bilked American companies out of $2.3bn from 17,642 victims since 2013, the FBI has warned, and the problem is going to get worse before it gets better.
Basically, the hustle works like this: miscreants pretending to be top bosses send emails to employees, particularly those handling sensitive financial information, asking for records. The staffers, tricked into thinking the messages are legit, hand over the data to the crooks, who then exploit the info to fill their pockets.
"The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor," a security alert from the FBI's Phoenix office warned this week.
"They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy."
Since January last year, the FBI has seen a 270 per cent rise in this kind of fraud, both within every state of the US and in 79 overseas countries. The average loss in an attack was between $25,000 and $75,000 per company but some are much, much higher.
At the start of 2016, Austrian engineering firm FACC Operations lost $54m in another case of suspected CEO fraud. Then Snapchat, then Seagate, then tech distie Arrow Inc, and so on. Such companies are a typical target, the FBI said, since fraudsters target firms that work with foreign companies and make overseas money transfers.
"In one variant of the attack, the scammer will register a domain name with a similar spelling to the target and establish an email service on the domain. They will then search online for the names of the executives in the finance department," said Tim McElwee, president of managed security firm Proficio.
"The attack begins with the attacker sending a targeted email to a manager from what looks like the CEO's or CFO's email using a variation of the domain name. If the manager responds, the attacker will stage a malicious funds transfer request after gathering information from the manager. The attacker will request that the manager perform a funds transfer to a bank account within a short period of time, using language they have phished from the email threads."
There are also cases of scammers impersonating supplier companies and issuing fake invoices to the CFO. Once funds are wired over, they are immediately moved on to other accounts to make backtracking the transaction difficult.
The FBI warned companies to install multi-factor authentication in their financial processes and to scrutinize communications involving financial business. Anyone who has been hit needs to inform both their bank and the FBI as soon as possible. ®