Last week the FBI published a warning about the dramatic increase in business email compromise scams. In this post I will share what a business email compromise scam looks like and details from the latest FBI press release.
What is a Business Email Compromise Scam?
In short, it is a low tech way of exploiting key employees in your company and misleading them, with a cock and bull story, into wiring payments to a scammer's bank account.
- Low tech – malware may be used to hack into email accounts, but other low tech methods are just as noteworthy: monitoring employees' social media profiles to understand their roles in the organisation, knowing the travel plans of important people at your company, and understanding your regular suppliers and the company's purchasing trends
- Key employees – the targets need to have the ability to initiate wire transfer payments at your company
- Misleading – using the gathered information the scammer will construct a seemingly plausible story, and ask for speed and secrecy in the processing of the payment
For further details read my earlier post CEO Fraud or Business Email Compromise EXPLAINED!
Is the Business Email Compromise Scam a big deal?
Yeah, it's huge! The FBI press release indicates:
- Between October 2013 and February 2016 there were 17,642 business email compromise scam victims globally
- The losses are believed to be in excess of $2.3 billion
- Since January 2015, there has been a 270% increase in identified victims and exposed losses
- Victims across all US states and at least 79 countries
And note that these figures are based only on the business email compromise scams that have been reported and that we know about. Some victims may not have realised that they have fallen for the scam, and others may not want to report it.
What kinds of companies fall victim to Business Email Compromise?
All companies are potential targets, so the important lesson here is to be aware. The following lists some recent high profile cases:
- Mattel employee wired $3 million to a bank in China
- Ubiquiti reported a $46.7 million cyber theft
- KPMG lost €7.6 million to business email compromise scam
- Michelin wired €1.6 million to scammers
Business Email Compromise – The French Connection
The Associated Press reports that the business email compromise scam, or CEO fraud, is largely attributed to a French-Israeli man, Gilbert Chikli. Gilbert Chikli started the CEO scam in 2005 and sums up its simplicity as "it's the power of persuasion". Gilbert Chikli has stolen money from some big corporates in France including Accenture, Disney, the Post Office, HSBC and American Express. One of Gilbert Chikli's first exploits was to make up an anti-terrorism operation story and trick a bank director into handing over a bag stuffed with $398,000 in cash in the toilet of a Paris cafe! Gilbert is thought to have attempted to steal over €70 million! He is currently a wanted man in France, living in Israel.
Some of Gilbert Chikli’s escapades are so unbelievable you could make a film about him and his exploits. In fact, a film is being made – Thank You For Calling!
Business Email Compromise – The Chinese Connection
An Associated Press investigation reports that a lot of the scammers are using Chinese bank accounts. According to the AP over 90% of the stolen funds from business email compromise scams in Europe end up in Wenzhou, China. From Wenzhou the stolen money is sent to wherever the fraudsters require.
Gilbert Chikli openly talks about how 90% of his money was laundered through China and Hong Kong.
Business Email Compromise – Don’t be a Victim
The FBI suggests the following:
- Verify any changes in vendor payment details
- Confirm any vendor requests for transfer
- Beware of free web-based email accounts
- Beware of any financial, travel, personal information that is shared on social networks, and company websites
- Beware of any payment requests that require secrecy or require you to act quickly
- Introduce a 2 step verification and approval process for all high value payments, and ensure the controls are adhered to
- Introduce checks that verify email addresses and highlight where the email address is different to your company email address
- Beware of any changes to your customer/supplier habits, and if suspicious check with them
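As an added illustration of the email address checks and the speed/secrecy and free-webmail warnings above (my own example code, not from the FBI or from this post's sources), here is a small Python triage script that scores inbound messages against those recommendations. The company domain, the free-webmail list, the keyword patterns and the sample messages are constructed assumptions; swap in your own domain and tune the patterns to your mail flow.

```python
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: put your own mail domain here
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(urgent|immediately|confidential|discreet|do not discuss|today)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new (bank|account) details|updated (bank|account)|change (of|in) bank)\b", re.I)

def _domain(header_value):
    addr = parseaddr(header_value)[1].lower()  # 'CEO <ceo@x.com>' -> 'ceo@x.com'
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""

def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1: return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1: return False
        # skip the extra character on the longer side, or both on a substitution
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def score_message(msg):
    """Return (score, reasons) for a message given as a dict of header/body strings."""
    reasons = []
    sender = _domain(msg.get("From", ""))
    reply_to = _domain(msg.get("Reply-To", "")) or sender
    if sender in FREE_WEBMAIL or reply_to in FREE_WEBMAIL:
        reasons.append("free web-based email account involved")
    if sender != COMPANY_DOMAIN and within_one_edit(sender, COMPANY_DOMAIN):
        reasons.append("sender domain %s looks like %s" % (sender, COMPANY_DOMAIN))
    if reply_to != sender:
        reasons.append("Reply-To domain %s differs from sender domain %s" % (reply_to, sender))
    text = msg.get("Subject", "") + " " + msg.get("Body", "")
    if URGENCY.search(text):
        reasons.append("asks for speed or secrecy")
    if BANK_CHANGE.search(text):
        reasons.append("mentions changed payment details")
    return len(reasons), reasons

SAMPLE_MESSAGES = [  # constructed for this example, not real mail
    {"From": "CEO <ceo@examp1e.com>", "Subject": "Urgent wire today", "Body": "Keep this confidential."},
    {"From": "AP <ap@vendor.example.net>", "Reply-To": "ap@gmail.com", "Body": "Note our new bank details."},
    {"From": "Alice <alice@example.com>", "Subject": "Lunch", "Body": "Still on for Thursday?"},
]
```

Any message scoring 1 or more is worth routing to the 2 step verification process rather than straight to payment; the first two samples trigger it, the third does not.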
- Krebs on Security – FBI: $2.3 Billion Lost to CEO Email Scams
- Quartz – Credulous employees have wired $2.3 billion in company funds to criminals, says FBI
- FT – Cyber crime: How companies are hit by email scams
- BBC – The ‘bogus boss’ email scam costing firms millions
- Telegraph – ‘Fake Franco-Israeli spy’ sentenced to seven years in prison for conning banks