Remember the good old days when the primary phishing scam emails originated from Nigeria, incessantly trying to lure the remaining two percent of the adult population that weren’t yet familiar with their bank transfer scam? As IT administrators we would meet after work and amuse ourselves at the blaring misspellings and rampant grammatical errors in the emails. We would also quietly snicker at the naivety of their victims who could possibly fall for those amateurish ploys.
This fake invoice scam netted scammers a staggering $3million
Fast forward to April 30th, 2015 when the Mattel corporation fell victim to a $3 million phishing scam. The strike was brilliantly conceived and flawlessly executed. Last April was proving a tumultuous period for the world renowned manufacturer of Barbie Dolls due to the combination of poor international sales and the firing of the CEO. Amidst this turmoil a finance executive received a request from the email of the new chief executive officer requesting a routine funds transfer to a new vendor in China. Wanting to please the new boss, the executive issued the transfer to the Bank of Wenzhou, in China. Later that day as the executive spoke to the CEO in passing, he came to the realization that they had been scammed. Unfortunately, it was too late, the money was gone.
So how could the leadership of a major international corporation get scammed so easily? Phishing as a business, has matured and is now in the big leagues.The Mattel incident is just one incident in what is a growing threat to U.S. businesses, so much so that the FBI released a written statement outlining what they refer to as the “Business Email Scam” or “B.E.C.” . According to the statement:Law enforcement globally has received complaints from victims in every U.S. state and in at least 79 countries. From October 2013 through February 2016, law enforcement received reports from 17,642 victims. This amounted to more than $2.3 billion in losses
$215 million lost in CEO phishing scams alone
Of that $2.3 billion, $215 million was attributed to CEO phishing scams alone. The reason for this is simple. Phishing attackers today do their homework. They learn the culture and the leadership of the organization they are targeting. They know the email patterns, work processes and schedules of all the high level executives. The attackers then either capture or spoof the emails of the CEO or company president and implement the scam. Email spoofing is a common tactic used in phishing attacks. As an example, the majority of CEO phishing scams occur when the CEO is traveling better yet on vacation, making it more difficult to verify email requests such as the one which targeted Mattel.
Phishing attackers today do their homework today.
Another example of the manner and preparation that now goes into these Business Email Scams was the attack launched last year upon Bonnier Publications in Florida, which once again involved a Chinese bank. The scam involved two separate wire transfer requests involving $1.5 million each. What made this scam so effective was that it was launched on the first day of work for the newly hired CEO. Fortunately, the scam was discovered before the second transfer was
CEO Fraud a la Francais issued.
The most famous B.E.C incident in 2016 is the CEO Fraud a la Francais incident. In this case, the chief accountant of Etna Industrie was told in a series of phone calls and emails, which came under the CEO’s account, directed him to issue a series of wire transfers totaling half a million dollars in order to finance a company buyout which was happening quickly and under great duress so time was of the essence. Although wire transfers of nearly half a million dollars were sent, the bank issuing the transfers actually held up three of the transfers.
The amount of money being obtained in these B.E.C attacks is breathtaking and is the reason why they get the attention they do. Beyond the headlines however, it is clear that phishing is no longer a subject to joke about after work. Businesses need to be on their guard and ensure they have email security in place that can detect and block these scam emails before it reaches the employees.
If you work in payroll, human resources, or related areas beware of the potential dangers. If you receive an email requesting invoices to be paid , staff information, take the time to verify that the email is legitimate before complying
You may also be interested in this article on email spoofing, the tool often used by spammers to spread phishing campaigns - GO TO ARTICLE.