Procurement 25 April 2016

Fraud lessons: The fake email that cost one business $737,000

Phishing emails aren’t necessarily badly worded or obviously fraudulent
If you thought scam emails were easy to spot, think again. Tony Anscombe from AVG Business outlined the increasing sophistication of email wire transfer scams.

A company accountant received an email from her CEO who was on holiday. It asked for some funds to be transferred in relation to an acquisition which had to be completed by the end of the day. It also mentioned a lawyer would be in touch to give the accountant more detail, which would allow her to carry out the transaction.

As promised, the lawyer got in touch, emailing her what looked like the appropriate letter of authorisation. It bore her CEO’s signature over the company’s seal. Everything about the emails from her CEO and the lawyer looked and sounded legitimate, and transferring money for acquisitions was a normal part of her role. So she duly followed the instructions and wired more than $737,000 to a bank in China. The trouble is, the CEO’s and lawyer’s emails were fake.

A different kind of phishing attack

The people in question were the victims of a subtle and sophisticated business email compromise (BEC). This isn’t one of those run-of-the-mill, poorly worded phishing emails from someone claiming they’ve won the Nigerian lottery and wants your help to transfer the money out of the country. A business email compromise is where cyber criminals impersonate executives, suppliers or employees over email and, typically, ask for a wire transfer to be made.

A global concern for all businesses large and small

This type of cybercrime, according to the FBI, has affected more than 8,000 companies across the world and lost them billions of dollars in the last few years.

“BEC is a serious threat on a global scale,” said the FBI’s Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime-Eastern Hemisphere Section in the Criminal Investigative Division. “It’s a prime example of organised crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.”

This scam isn’t isolated to one particular size of company: it happens to micro, medium and large firms all over the world. A French accountant working for a firm employing only 50 people recently wired 500,000 (£350,000) to fraudsters after receiving a series of fake emails and urgent phone calls from consultants and lawyers allegedly working for, or on behalf of, the company. In the UK, 749 businesses reported being victims of email fraud between January and June last year alone.

A new level of sophistication

BEC attacks are sophisticated and require a much greater level of skill and preparation than just sending off an email. Fraudsters monitor and infiltrate an organisation; they identify who is doing what, when, how and with whom.

Then they try to take control of a company’s email systems, or intercept emails using malware, so they can pretend to be someone else: a finance director, an accountant or the CEO, someone with the authority and ability to transfer money. They then craft an email that appears to come from that person, perhaps as a reply to an existing email thread, but with modified contents, e.g. altered bank account numbers or a link to a different bank account.

Having learnt the phrasing and words used by the people they are impersonating, and the timing and amounts typically involved with their usual transactions or invoices, they know how to create something that will look and sound like a legitimate request.
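The impersonation pattern described above leaves traces in the message headers and text that a mailbox filter or a finance team’s triage script can check before anyone acts on a payment request: an executive’s display name paired with an address the company does not own, a Reply-To that diverges from the From address, a sender domain that is a near-miss of the company’s own, and payment plus urgency language in the same message. The following is an added example, not code from this article or from AVG; the company domain, the executive roster and both sample messages are constructed for illustration.

```python
"""Heuristic BEC indicator check (added example, not from the article).

Flags the patterns the article describes: an executive's display name on an
address the company does not own, a Reply-To that diverges from From, a
lookalike sender domain, and payment or urgency language in the request.
The domain, roster and sample messages below are all constructed.
"""
import difflib
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # hypothetical roster

PAYMENT_WORDS = re.compile(
    r"\b(wire|transfer|payment|invoice|bank account|acquisition)\b", re.I)
URGENCY_WORDS = re.compile(
    r"\b(urgent(ly)?|immediately|asap|today|end of (the )?day)\b", re.I)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message (or its single body)."""
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def _looks_like(domain: str, reference: str) -> bool:
    """True when domain is a near-miss of reference (e.g. a digit for a letter)."""
    if domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= 0.8


def bec_indicators(raw_message: str) -> list[str]:
    """Return the names of the BEC indicators present in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"

    found = []
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        found.append("executive_name_external_sender")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        found.append("reply_to_mismatch")
    if _looks_like(from_domain, COMPANY_DOMAIN):
        found.append("lookalike_domain")
    if PAYMENT_WORDS.search(text):
        found.append("payment_request")
    if URGENCY_WORDS.search(text):
        found.append("urgency_language")
    return found


def needs_callback(indicators: list[str]) -> bool:
    """Payment language plus any sender anomaly: verify by phone before paying."""
    sender_anomaly = {"executive_name_external_sender",
                      "reply_to_mismatch", "lookalike_domain"}
    return "payment_request" in indicators and bool(sender_anomaly & set(indicators))


# Constructed sample: CEO impersonation from a digit-for-letter lookalike domain.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example.com
Subject: Urgent: acquisition payment

I'm travelling and need a wire transfer completed by end of day.
Our lawyer will send the account details shortly.
"""

# Constructed sample: routine internal mail from the genuine executive address.
LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q2 board pack

Attached is the agenda for Thursday's board meeting.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        hits = bec_indicators(raw)
        print(f"{label}: {hits} -> callback required: {needs_callback(hits)}")
```

The indicators are deliberately cheap header and keyword checks; none of them is proof of fraud on its own, which is why `needs_callback` only fires when payment language coincides with a sender anomaly. The appropriate response to a hit is the control the article’s accountant lacked: confirm the request with the named executive over a channel the email did not supply, such as a phone number already on file.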
