January 29, 2015 By Shane Schick 2 min read

A wire payment scam that has surfaced in 45 countries and led to an estimated loss of $215 million thus far has prompted law enforcement to issue a widespread warning about what is known as the Business Email Compromise.

Tricking Employees

According to an online statement from the Internet Crime Complaint Center (IC3) and the FBI, approximately 2,000 victims were affected by this problem within a two-month period last fall. The wire payment scam, aimed at both small and large businesses, involves cybercriminals posing as suppliers or business partners of a firm and asking via an email or telephone call to have funds transferred to a fraudulent account in order to process an invoice or other form of payment. In some cases, the IC3 said, cybercriminals send messages from what appear to be the email accounts of senior management to make the payment transfer request.

Part of the challenge, of course, is that the technology being used isn’t necessarily that sophisticated: It’s simply a matter of duping busy employees who may not immediately question a request to transfer funds, especially if it’s coming from their manager or CEO. As eWEEK reported, those behind the wire payment scam likely make their messages sound extremely important or even suggest the phony business partner or supplier is ready to sue unless a payment is made.

A story on Network World added that in many cases, the cybercriminals eschew email entirely and pose as angry agents from the IRS to demand some kind of tax payment be made. Since the money often winds up at financial institutions overseas, tracking down the stolen cash may require a significant degree of cooperation among police in various geographies.

Wire Payment Scam Nothing New

Of course, as Computer Business Review pointed out, there have been variations on fraudsters using technology to fool people into opening their wallets for years. These were once called Man-in-the-Email attacks, but authorities changed the name to Business Email Compromise to reflect the corporate direction the wire payment scam has taken. It makes sense on the part of criminals: Asking an organization for tens of thousands of dollars may seem more legitimate than what you could ask of a consumer victim.

In some cases, those behind the scheme are hacking directly into business networks in order to compromise employee emails and demand payment from their partners or suppliers, NDTV reported. The only recourse, apart from a good email gateway and traditional intrusion detection tools, will be to train employees to double-check requests for major fund transfers. Some legitimate payments may be slowed down in the process, but as this type of security issue intensifies, that may just become part of the cost of doing business.

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today