For more than a year, the I Internet Crime Complaint Center (IC3) is warning businesses to be on the lookout for growing scam that tricks them into paying invoices from established companies that look legitimate but in fact are fraudulent.
The FBI says the scam is a tweak of the timeworn "man-in-the-middle" scam and usually involves chief technology officers, chief financial officers, or comptrollers, receiving an e-mail via their business accounts purportedly from a vendor requesting a wire transfer to a designated bank account, the FBI said.
In the "man-in-the-e-mail" scam, e-mails are spoofed by adding, removing, or subtly changing characters in the e-mail address that make it difficult to identify the perpetrator's e-mail address from the legitimate address. The scheme is usually not detected until the company's internal fraud detections alert victims to the request or company executives talk to each other to verify the transfer was made.
Recently, the IC3 said it began receiving related complaints from companies that were alerted by their suppliers about spoofed e-mails received using the company's name to request quotes and/or orders for supplies and goods. These spoofed e-mails were sent to multiple suppliers at the same time. In some cases, the e-mails could be linked by IP address to the original business e-mail compromise scams. Because this latest twist is relatively new, the dollar loss has not been significant. Also, victim companies have a greater chance of discovering the scheme because the e-mails go to multiple suppliers that often follow-up with the company.
Based on analysis of the complaints, the scam appears to be Nigerian-based. Complaints filed contain little information about the perpetrators. However, subject information that was provided has linked to names, telephone numbers, IP addresses and bank accounts reported in previous complaints, which were tied over the years to traditional Nigerian scams, the IC3 stated.
In December the FBI's Seattle Division warned of a fraud victimizing Washington state-based businesses. In 2013, at least three area companies--in Bellevue, Tukwila, and Seattle--were led to believe they were sending money to an established supply partner in China. In reality, fraudsters intercepted legitimate e-mails between the purchasing and supply companies and then spoofed subsequent e-mails impersonating each company to the other. The fraudulent e-mails directed the purchasing companies to send payments to a new bank account because of a purported audit. The bank accounts belonged to the fraudsters, not the supply companies, the FBI stated.
Total loss experienced by the three area companies was roughly $1.65 million. The average dollar loss per victim is approximately $55,000, according to the IC3.
Some similarities found among the IC3 complaints include:
- Victims are generally from the United States, England and Canada, although there have been complaints from other countries such as Belgium.
- Victim businesses often trade internationally, usually through China.
- Victim businesses that conduct high-dollar wire transfers, so requests for larger monetary amounts are not uncommon.
- Most, but not all, victims receive the fraudulent e-mail request through AOL, Gmail, or Hotmail addresses. A few companies have reported scammers were able to access the company's internal server.
- Transactions were traced by the victim's fraud department to mainly banks in China or Hong Kong. However, transactions with banks in South Africa, Turkey and Japan were also reported.
The FBI offers suggestions on how businesses can avoid being taken by this e-mail fraud:
- Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
- Utilize digital signatures in e-mail accounts. Be aware that this will not work with web-based e-mail accounts, and some countries ban or limit the use of encryption.
- Avoid free, web-based e-mail. Establish a company website domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Do not use the "Reply" option to respond to any business e-mails. Instead, use the "Forward" option and either type in the correct e-mail address or select it from the e-mail address book to ensure the real e-mail address is used.
- Delete spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do not open spam e-mail, click on links in the e-mail, or open attachments.
- Beware of sudden changes in business practices. For example, if suddenly asked to contact a representative at their personal e-mail address when all previous official correspondence has been on a company e-mail, verify via other channels that you are still communicating with your legitimate business partner.