A wire payment scam that has surfaced in 45 countries and led to an estimated loss of $215 million thus far has prompted law enforcement to issue a widespread warning about what is known as the Business Email Compromise.
According to an online statement from the Internet Crime Complaint Center (IC3) and the FBI, approximately 2,000 victims were affected by this problem within a two-month period last fall. The wire payment scam, aimed at both small and large businesses, involves cybercriminals posing as suppliers or business partners of a firm and asking via an email or telephone call to have funds transferred to a fraudulent account in order to process an invoice or other form of payment. In some cases, the IC3 said, cybercriminals send messages from what appear to be the email accounts of senior management to make the payment transfer request.
Part of the challenge, of course, is that the technology being used isn’t necessarily that sophisticated: It’s simply a matter of duping busy employees who may not immediately question a request to transfer funds, especially if it’s coming from their manager or CEO. As eWEEK reported, those behind the wire payment scam likely make their messages sound extremely important or even suggest the phony business partner or supplier is ready to sue unless a payment is made.
A story on Network World added that in many cases, the cybercriminals eschew email entirely and pose as angry agents from the IRS to demand some kind of tax payment be made. Since the money often winds up at financial institutions overseas, tracking down the stolen cash may require a significant degree of cooperation among police in various geographies.
Wire Payment Scam Nothing New
Of course, as Computer Business Review pointed out, there have been variations on fraudsters using technology to fool people into opening their wallets for years. These were once called Man-in-the-Email attacks, but authorities changed the name to Business Email Compromise to reflect the corporate direction the wire payment scam has taken. It makes sense on the part of criminals: Asking an organization for tens of thousands of dollars may seem more legitimate than what you could ask of a consumer victim.
In some cases, those behind the scheme are hacking directly into business networks in order to compromise employee emails and demand payment from their partners or suppliers, NDTV reported. The only recourse, apart from a good email gateway and traditional intrusion detection tools, will be to train employees to double-check requests for major fund transfers. Some legitimate payments may be slowed down in the process, but as this type of security issue intensifies, that may just become part of the cost of doing business.
Writer & Editor
Shane Schick is a contributor for SecurityIntelligence.