The FBI warned again Monday about the dangers of “business email compromise.” A posting on its Phoenix bureau website says known losses from these scams exceeded $2.3 billion from October 2013 through February this year. The Bureau has documented cases involving 17,642 businesses of all sizes in 79 countries around the world. The average loss in Arizona was $25,000 to $75,000. My personal experience in Indiana has usually involved cases above the high end.
This post is about protecting your cash, but the same schemes are used to get information like Wall Street law firm files on pending transactions to use for insider trading. The scam is also called “spear phishing,” a more pointed and dangerous form of phishing.
The steps in the scam follow a simple pattern. First, the hackers get access to a personal email account and read your emails. Second, they set up an email account with an address so similar that people don’t notice the slight difference between it and your real account.
If I’m the target, they might open a “firstname.lastname@example.org” account which looks like “email@example.com.” Try reading them at a glance in 8pt. Arial font on the From line.
Last, they email someone I correspond with who handles accounting at my firm. They have a good idea who that is because they invest the time to read my email traffic. The phony email says an amount of money must be transferred urgently to a person outside the firm I also correspond with, and gives wire transfer instructions. If questions are fired back, the hacker will give fast responses and stress the urgency of the transfer.
People who believe they are doing their job authorize wire transfers to thieves every minute of the day because they think they know who is requesting the transfer and where it is going. The transfer is actually going to make three or more jumps to different financial institutions before heading to its ultimate destination. That could be in the United States or outside it. If the money stays in the US, it will go to an account opened for the scam with false credentials, it will be withdrawn immediately, and the account will be abandoned.
You can and should train everyone in your organization on how to spot incoming scams. You may also have software in place that identifies suspicious emails and holds them until someone releases them. But people get tired or distracted, and the software is only as good as the person deciding which emails to let through.
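The look-alike address check that filtering software of this kind can apply to the From line, as an added example that is not part of the original post. The correspondent addresses, the confusable-character list and the distance threshold are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: the firm's real correspondents (hypothetical addresses).
KNOWN = {"j.smith@smithlaw.example", "accounting@smithlaw.example"}

# Character sequences that read alike at a glance in a small font (assumed list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))

def skeleton(addr):
    """Fold visually confusable sequences so look-alikes compare equal."""
    s = addr.lower()
    for seen, reads_as in CONFUSABLES:
        s = s.replace(seen, reads_as)
    return s

def edit_distance(a, b):
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, known=KNOWN, max_distance=2):
    """Return (verdict, matched_address): 'known', 'lookalike' or 'unknown'."""
    _, addr = parseaddr(from_header)   # ignore the display name, it is free text
    addr = addr.lower()
    if addr in known:
        return "known", addr
    for real in sorted(known):
        # Near miss: same visual skeleton, or only a character or two apart.
        if skeleton(addr) == skeleton(real) or edit_distance(addr, real) <= max_distance:
            return "lookalike", real
    return "unknown", None

if __name__ == "__main__":
    for header in ("John Smith <j.smith@smithlaw.example>",
                   "John Smith <j.smith@srnithlaw.example>",
                   "John Smith <j.smith@smith-law.example>",
                   "Vendor <billing@otherco.example>"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is the case worth holding for review: the message comes from an address nobody at the firm has corresponded with, yet it is close enough to a real one to pass a glance at the From line.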
The one foolproof defense is a simple rule: always call the person requesting the transfer. You can already hear the conversation. “I’m calling about that wire transfer to Ms. Jones.” “What wire transfer?” And your funds will stay where they belong every time.