The Federal Bureau of Investigations (FBI) put out a pair of warnings (1, 2) in recent weeks regarding a fraud scheme that involves email, wire transfers, checks, and international business. The target of these schemes are businesses that work with foreign suppliers and those that perform wire transfer payments.
The warnings state that since January, the number of victims has nearly tripled, at an increase of 270 percent. Victims have been reported in all 50 U.S. states and across 79 different countries. More than 8,000 victims and $800 million in losses later, the report dives into how social engineering and phishing have been the point of attack. Once the target is compromised (potentially you), the attacker conducts unauthorized transfers of funds, typically stealing through wire transfers. Once the international law enforcement reports are tallied into the figure, the losses total more than $1.2 billion. One of the biggest hauls on record comes from the networking company known as Ubiquiti Networks, which reports that cyber thieves stole $46.7 million with this scam.
Common methods, direct targets
The culprit here in most cases is phishing, and more specifically, spearphishing. The intended victim will receive a link with a malicious payload in their email, which will appear to come from a valid source. Once the victim clicks the link the malware is installed. Next thing you know, usernames, passwords, financial information, etc. is all theirs. The bottom line: If you work in international business, and you wire transactions, you might be a target.
The FBI prescribes awareness and detection, as well as a few common sense things to avoid being a victim.
Possible ways to protect yourself, or your business:
- Create intrusion detection system rules that flag emails with extensions that are similar to company email. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
- Register all company domains that are slightly different than the actual company domain.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having a secondary sign- off by company personnel.
- Confirm requests for transfers of funds. When using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the email request.
- Know the habits of your customers, including the details of, reasons behind, and amount of payments.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
There’s a lot you can do on an individual basis along these same lines. Use two-factor authentication, change your passwords up verify all transactions, check all email links, and other tips could help you avoid losing $46.7 million.
