FBI warns of surge in wire-transfer fraud via spoofed emails

May 6, 2017 - 11:55 AM
4255
A computer keyboard is seen in this picture illustration taken in Bordeaux, Southwestern France, August 22, 2016. REUTERS/Regis Duvignau

Attempts at cyber wire fraud globally, via emails purporting to be from trusted business associates, surged in the last seven months of 2016, the U.S. Federal Bureau of Investigation said in a warning to businesses.

Fraudsters sought to steal $5.3 billion through schemes known as business email compromise from October 2013 through December, the FBI said in a report released Thursday by its Internet Crime Complaint Center.

The figure is up sharply from the FBI’s previous report which said thieves attempted to steal $3.1 billion from October 2013 through May 2016, according to a survey of cases from law enforcement agencies around the world.

The number of business-email compromise cases, in which cyber criminals request wire transfers in emails that look like they are from senior corporate executives or business suppliers who regularly request payments, almost doubled from May to December of last year, rising to 40,203 from 22,143, the FBI said.

The survey does not track how much money was actually lost to criminals.

Robert Holmes, who studies business email compromise for security firm Proofpoint Inc (PFPT.O), estimated the incidents collated by the FBI represent just 20 percent of the total, and that total actual losses could be as much as double the figures reported by the FBI.

The losses are growing as scammers become more sophisticated, delving deeper into corporate finance departments to find susceptible targets, he said.

“This is not a volume play; it’s a carefully researched play,” he said.

The United States is by far the biggest target market, though fraudsters have started to expand in other developed countries, including Australia, Britain, France and Germany, Holmes said.

The FBI has said that about one in four U.S. victims respond by wiring money to fraudsters. In some of those cases, authorities have been able to identify the crimes in time to help victims recover the funds from banks before the criminals pulled them out of the system.

The U.S. Department of Justice said in March that it had charged a Lithuanian man with orchestrating a fraudulent email scheme that had tricked agents and employees of two U.S.-based internet companies into wiring more than $100 million to overseas bank accounts.

Fraudsters have also used spoofed emails to trick corporate workers into releasing sensitive data, including wage and tax reports, according to the advisory.