The world’s enterprising cybercriminal population has found its newest weak link to exploit: corporate email systems. The newest scam involves tricking small businesses into wiring large sums of cash into fraudulent bank accounts.
Corporate account takeovers or business email fraud schemes are evolving into a big business. Between October 2013 and June 2015, companies lost over $1 billion via these methods, according to the FBI.
Though complaints have come in from around the world, the fraud efforts seem to be most tightly focused on the U.S. According to Patrick Fallon, a section chief in criminal investigation for the FBI, “organized crime groups from overseas and domestic-based actors” are typical perpetrators.
Fraudsters recently went after 25 Dallas companies, “with an attempted loss of over $100 million.” The emails appeared to be from high-level executives in the company being targeted, the FBI said in an advisory. A closer look would have revealed those emails came from a similar, but slightly different (and wrong) domain name. Another variation on this fraud sees criminals hijacking a corporate email system, grabbing a real message, altering it, and diverting a legitimate payment into their own bank accounts.
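The “similar, but slightly different” domain check described above is something a mail gateway or triage script can automate. The following is an added defender-side example, not code from the article or from the FBI; the trusted domain `example-corp.com`, the homoglyph table and the sample sender addresses are all constructed for illustration. It flags sender domains that are within a small edit distance of the organisation’s real domain, including ones built from visual look-alike substitutions, so finance staff can be warned before acting on a payment instruction.

```python
"""Lookalike sender-domain triage (added example, not from the article).

Assumes the organisation's real domain is the constructed placeholder
'example-corp.com'. All sample addresses below are constructed.
"""

# Visual substitutions commonly seen in lookalike domains (constructed,
# non-exhaustive). Applied to the sender domain before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain):
    """Lower-case the domain and undo common look-alike substitutions."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address, trusted_domain, max_distance=2):
    """Return 'internal', 'lookalike' or 'external' for a sender address.

    'lookalike' means the domain is not the trusted one but is within
    max_distance edits of it (raw or after homoglyph normalisation), or
    embeds the trusted organisation name inside another domain.
    """
    trusted_domain = trusted_domain.lower()
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == trusted_domain:
        return "internal"
    for candidate in (domain, normalize(domain)):
        if levenshtein(candidate, trusted_domain) <= max_distance:
            return "lookalike"
    # e.g. example-corp-invoices.com or example-corp.com.evil-host.net
    org_label = trusted_domain.split(".")[0]
    if org_label in domain:
        return "lookalike"
    return "external"


def triage(messages, trusted_domain):
    """Map each (sender, subject) pair to its classification."""
    return {sender: classify_sender(sender, trusted_domain)
            for sender, _subject in messages}


if __name__ == "__main__":
    # Constructed sample inbox for a finance mailbox.
    SAMPLE = [
        ("ceo@example-corp.com", "Re: Q3 numbers"),
        ("ceo@examp1e-corp.com", "Urgent wire needed today"),
        ("ceo@exarnple-corp.com", "Confidential acquisition payment"),
        ("ceo@example-corp.co", "New supplier bank details"),
        ("ap@example-corp-invoices.com", "Invoice 4471 overdue"),
        ("friend@gmail.com", "lunch?"),
    ]
    for sender, verdict in triage(SAMPLE, "example-corp.com").items():
        print(f"{verdict:9s} {sender}")
```

In practice the verdict would feed a banner on the message or a hold in the payment workflow rather than an outright block, since legitimate partners sometimes use confusingly named domains; the point is to force the out-of-band confirmation step that the wire-fraud schemes above rely on skipping.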
Nacha, the industry-run group overseeing ACH transactions, “strongly advocates” that businesses “work together with their financial institutions to understand and use sound business practices to prevent and mitigate the risk of corporate account takeover.”
The limited good news here is that banks can, in some instances, recover the funds by notifying the receiving bank that the incoming wire is an act of fraud. However, such “claw backs,” as WSJ calls them, must happen rather quickly, or they won’t happen at all.
“Once you reach beyond the 72-hour mark, it’s extremely difficult,” said Fallon.