Procurement 25 April 2016

Fraud lessons: The fake email that cost one business $737,000

Phishing emails aren’t necessarily badly worded or obviously fraudulent

If you thought scam emails were easy to spot, think again. Tony Anscombe from AVG Business outlined the increasing sophistication of email wire transfer scams.

A company accountant received an email from her CEO who was on holiday. It asked for some funds to be transferred in relation to an acquisition which had to be completed by the end of the day. It also mentioned a lawyer would be in touch to give the accountant more detail, which would allow her to carry out the transaction.

As promised, the lawyer got in touch, emailing her what looked like the appropriate letter of authorisation. It had her CEO’s signature over the company’s seal. Everything about the email from her CEO and the lawyer looked and sounded legitimate, and transferring money for acquisitions was a normal part of her role. So she duly followed the instructions and wired more than $737,000 to a bank in China. Trouble is, the CEO and lawyer’s emails were fake.

A different kind of phishing attack

The people in question were the victims of a subtle and sophisticated “business email compromise” (BEC). This isn’t one of those run-of-the-mill poorly worded phishing emails from someone claiming they’ve won the Nigerian lottery and who wants you to help them transfer the money out of the country. A business email compromise is where cyber criminals impersonate executives, suppliers or employees over email and, typically, ask for a wire transfer to be made.

A global concern for all businesses large and small

This type of cybercrime, according to the FBI, has affected more than 8,000 companies across the world and lost them billions of dollars in the last few years.

“BEC is a serious threat on a global scale,” said the FBI’s Maxwell Marker, who oversees the Bureau’s transnational organized crime–eastern hemisphere section in the criminal investigative division. “It’s a prime example of organised crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.”

This scam isn’t isolated to one particular size of company: it happens to micro, medium and large firms all over the world. A French accountant – working for a firm employing only 50 people – recently wired €500,000 (£350,000) to fraudsters after receiving a series of fake emails and urgent phone calls from consultants and lawyers allegedly working for, or on behalf of, the company. In the UK, 749 businesses reported being victims of email fraud between January and June last year alone.

A new level of sophistication

BEC attacks are sophisticated and require a much greater level of skill and preparation than just sending off an email. Fraudsters monitor and infiltrate an organisation; they identify who is doing what, when, how and with whom.

Then they try to take control of a company’s email systems or intercept emails – using malware – so they can pretend to be someone else: a finance director, accountant or the CEO, someone with the authority and ability to transfer money. They craft an email from that person – perhaps in reply to an existing email thread – but this time with modified contents, e.g. altered bank account numbers or a link to a different bank account.

Having learnt the phrasing and words used by the people they are impersonating, and the timing and amounts typically involved with their usual transactions or invoices, they know how to create something that will look and sound like a legitimate request.

Invoice fraud

Another variation is to refer to a real invoice in the fake email, rather than a new transaction. Scammers – impersonating a supplier for instance – suggest that their bank account details have changed and payment should now be made to a new account.

The difference in account numbers might only be one or two digits, but it’s effective enough to fool a lot of people, especially if the email looks genuine and nothing else about it gives you cause for concern.

That’s why it’s essential to double check all invoice payment amounts – especially ones for tens or hundreds of thousands – and the details of the target accounts, but do so using your normal method of contact. Don’t reply to the email thread; pick up the phone and ask to speak to your usual point of contact instead. It could save you thousands.
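The check described above can be made routine rather than left to an accountant’s instinct: compare the bank details in every payment request against the details held on file from when the supplier was onboarded, count how many digits have changed, and put any mismatch or high-value payment on hold until it has been confirmed by phone on the number from the file, never on a number taken from the email. The following is an added example written for this article, not code from AVG or from any business mentioned here; the vendor record, the threshold and the request values are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed vendor master record: the bank details and contact number agreed
# when each supplier was onboarded. Every value here is made up for the example.
VENDOR_MASTER = {
    "Acme Supplies Ltd": {
        "sort_code": "40-12-34",
        "account": "12345678",
        # Call-back number held on file; deliberately NOT read from any email.
        "phone": "+44 20 7946 0000",
    },
}

# Constructed policy: payments at or above this amount always get a call-back,
# even when the account details match.
HIGH_VALUE_THRESHOLD = 10_000.00


def normalise(number: str) -> str:
    """Keep only digits so '40-12-34' and '401234' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def digits_changed(supplied: str, on_file: str) -> int:
    """Count positions where the supplied number differs from the one on file.
    Extra or missing digits each count as a change, so a one- or two-digit
    substitution of the kind described in the article scores 1 or 2."""
    a, b = normalise(supplied), normalise(on_file)
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    sort_code: str
    account: str
    received_via: str = "email"  # how the request arrived (informational)


@dataclass
class ReviewResult:
    hold: bool                          # True: do not pay until confirmed by phone
    reasons: list = field(default_factory=list)
    confirm_by_phone: Optional[str] = None  # number from the master record, if any


def review_payment(req: PaymentRequest) -> ReviewResult:
    """Compare a payment request with the vendor master record and decide
    whether it needs out-of-band confirmation before the transfer is made."""
    reasons = []
    phone = None
    known = VENDOR_MASTER.get(req.vendor)
    if known is None:
        reasons.append("vendor not in master record; onboard through the usual process first")
    else:
        phone = known["phone"]
        if normalise(req.sort_code) != normalise(known["sort_code"]):
            reasons.append("sort code differs from master record")
        if normalise(req.account) != normalise(known["account"]):
            n = digits_changed(req.account, known["account"])
            reasons.append(f"account number differs from master record ({n} digit(s) changed)")
    if req.amount >= HIGH_VALUE_THRESHOLD:
        reasons.append(f"amount {req.amount:,.2f} is at or above the call-back threshold")
    # Only hand out the call-back number when there is something to confirm,
    # and only ever the number on file.
    return ReviewResult(hold=bool(reasons), reasons=reasons,
                        confirm_by_phone=phone if reasons else None)


if __name__ == "__main__":
    # Constructed request: a "new account details" email where one digit differs.
    suspect = PaymentRequest("Acme Supplies Ltd", 48_500.00, "40-12-34", "12345679")
    result = review_payment(suspect)
    print("HOLD" if result.hold else "OK")
    for reason in result.reasons:
        print(" -", reason)
    if result.confirm_by_phone:
        print("Confirm by calling the number on file:", result.confirm_by_phone)
```

The design point is that the master record is the only source of truth for both the account details and the phone number: a supplier’s genuine change of bank account is recorded through onboarding after a call-back, never by trusting the email that announced it.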

Tony Anscombe is a senior security evangelist for AVG Business, a worldwide provider of security solutions.
