Email scammers have moved into the big leagues.
Everyone gets phishing emails—messages purportedly from a friend or relative but actually from a scammer—but rarely do they cost people hundreds of thousands of dollars. Now that some hackers are focusing their phishing attempts on corporations, however, the stakes are much higher.
Fraudulent wire transfers due to falsified information or stolen credentials cost businesses more than $1 billion in the year and a half from October 2013 to June 2015, according to the Wall Street Journal. Some of these schemes combine the basic phishing techniques affecting countless Internet users every day with the more devious methods deployed to steal sensitive data from major corporations.
“Once the thieves have your personal information, they can use it to open credit accounts, buy homes, claim tax refunds, and commit other types of fraud.”
The Federal Bureau of Investigation issued an alert in January about the Business Email Compromise, “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.” The FBI said that almost 1,200 U.S. companies had fallen victim to the scheme between October 2013 and December 2014.
In one example, Crowdstrike, a cybersecurity firm, investigated a misdirected wire transfer from Mega Metals, Inc., that was supposed to go to a German company selling titanium shavings but instead went to an unknown third party.
Crowdstrike CEO George Kurtz told the Journal that the thieves put spyware on the computer of Mega Metals’ broker to steal the passwords necessary to fake a wire transfer.
The Journal also found instances of criminals modifying the routing information on real wire transfers to steal the money.
When private citizens use weak security to protect their email and bank accounts, they risk being robbed by criminals or hacked to facilitate what’s known as social engineering. The latter technique, in which hackers impersonate one victim to fool another, often achieves results through human error even when the second victim is using robust security methods. Some insurance companies, WSJ reported, are now offering fraud protection specifically for losses related to social engineering.
The Social Security Administration has warned recipients about a new scam in which “identity thieves pose as Government officials in an attempt to convince you to provide personal and financial information.”
“Once the thieves have your personal information,” the SSA’s inspector general said, “they can use it to open credit accounts, buy homes, claim tax refunds, and commit other types of fraud.”
If criminals impersonate a trusted third party convincingly enough, the consequences for individuals can be devastating. The consequences for corporations like construction firms—to say nothing of defense contractors or government agencies—can be far worse.
While large companies typically have the security budgets to accommodate robust protections—even if they aren’t always smart enough to deploy them—the criminals hijacking wire transfers have found small businesses to be riper targets.
“They don’t have the same budgets for security and investigations,” Brian Hussey, global director of incident response at cybersecurity company Trustwave Holdings, told the Journal.
The Business Email Compromise often targets open-source email clients that typically have weaker security than systems designed for corporate use, the FBI said in its January alert.
Among the markers of BEC scams was the fact that “fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.” That suggests a level of coordination beyond the blind phishing emails from Nigerian scammers to which most Internet users are accustomed.