The FBI has issued a stark warning that cybercriminals are increasingly targeting businesses through email scams that impersonate senior executives and which have cost U.S. companies an estimated $2.3 billion in less than two and a half years.
Between October 2013 and February of this year, the FBI received reports from 17,642 victims of what it calls “business email compromise” scams, where employees are tricked into transferring large sums of money to people posing as the CEO of the company.
The FBI warned that law enforcement agencies around the globe have received complaints from victims in every single U.S. state and that the problem is getting even worse. “Since January 2015, the FBI says it has seen a 270 percent increase in identified victims and exposed loss,” the alert posted by the FBI’s Phoenix bureau said.
The FBI said the companies that have been hit by these scams range from “large corporations to tech companies to small businesses to nonprofit organizations,” and in many cases the fraud targets businesses working with foreign suppliers or who regularly perform wire transfer payments.
There have been several high-profile examples of these scams, including the revelation last month that toy maker Mattel was scammed out of $3 million in 2015 due to a CEO email scam. That, however, pales in comparison to the case of tech firm Ubiquiti, which disclosed in a financial report that it suffered a huge $46.7 million loss because of a CEO fraud scam.
The FBI’s alert said scams in Arizona typically cost companies between $25,000 and $75,000, but one recent study suggests the average cost of a successful spear-phishing campaign is $1.6 million.
Security company Proofpoint recently published research into one of the groups carrying out this type of attack, which had sent a third of a million personalized messages to recipients in U.S., U.K. and Australian organizations. The group scoured the internet to find information on employees, including email addresses, phone numbers and job titles, details that are freely available on sites like LinkedIn.
The phishing scams typically follow a pattern. Rather than spamming all employees with the same generic email, which would be more easily spotted by email filters, the attackers take time to understand the company they are targeting before sending highly tailored emails to specific employees they know have the ability to transfer money or pay invoices.
The attackers spoof the email of the CEO, CFO or other high-level executive by either compromising their real email account or creating an account that looks almost identical to the real one. For instance, if the CEO’s email is “jane@example.com” the attackers could register a lookalike domain in which the lowercase “l” is replaced with a capital “I”, which renders almost identically in many fonts — “jane@exampIe.com.”
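The swapped-letter trick described above can be caught mechanically before a person has to spot it. The following is an added example, not code from the article or the FBI alert; it assumes the organization keeps an allow-list of the domains its executives actually send from (TRUSTED_DOMAINS, constructed here with the article's example.com) and folds visually confusable characters into a common skeleton before comparing, with a one-edit distance check for dropped or substituted characters.

```python
import unicodedata

# Constructed allow-list (assumption: the organization maintains one).
TRUSTED_DOMAINS = {"example.com"}

# Visually confusable sequences, folded to one canonical form. Multi-character
# entries come first so "rn" is folded before its letters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("i", "l"), ("1", "l"),
               ("|", "l"), ("0", "o"), ("5", "s")]


def skeleton(domain):
    """Fold a domain to a visual skeleton so homoglyph variants collide."""
    d = unicodedata.normalize("NFKD", domain.strip().lower())
    d = d.encode("ascii", "ignore").decode()  # drop accents and non-Latin letters
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance: catches single insertions, drops and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def classify(from_address):
    """Return 'trusted', 'lookalike' or 'unknown' for a From: address."""
    domain = sender_domain(from_address)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(domain)
    for real in TRUSTED_DOMAINS:
        if sk == skeleton(real) or edit_distance(domain, real) <= 1:
            return "lookalike"
    return "unknown"
```

A "lookalike" result is a reason to hold the message for the out-of-band phone verification the FBI recommends, not proof of fraud on its own.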
“[The attackers] research employees who manage money and use language specific to the company they are targeting, then they request a wire transfer using dollar amounts that lend legitimacy,” the FBI said.
To counteract these scams, the FBI said, employees should pick up the phone to verify any transfers or payments and, where possible, use multi-level authentication. The problem for companies is that these highly tailored emails are not picked up by the traditional security measures a company may have in place, and the only people who can prevent the scams from happening are the employees themselves.
“CEO fraud attacks succeed because they rely almost entirely on tricking employees into ignoring or sidestepping some very basic security precautions,” security researcher and blogger Brian Krebs said in a blog post. “Educating employees so that they are less likely to fall for these scams won’t block all social engineering attacks, but it should help.”