The FBI has reported a major increase in email related wire fraud. The security team at Lexpath was alerted by the Federal Bureau of Investigation that there has been a serious uptick in the number and sophistication of business email scams. The alert states that "schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire transfer using dollar amounts that lend legitimacy."
How the Scams Work.
The scammers used a stolen credit card to register an Internet domain that is substantially similar to a company's actual domain name. The scammer merely adds an extra letter to the company's domain name, or otherwise subtly misspells the domain.
The scammer then sends emails to employees of the company pretending to be the firm's CEO, president, comptroller, partner, or owner using the similar looking domain name. The emails are specific and request that the targeted employee(s) pay an "urgent" invoice that is purportedly past due.
The scammer can also use a victim's actual e-mail account if the account credentials were compromised in a phishing attempt or if the person in authority was using a weak password.
The scammer can and will engage in a series of email conversations in the attempt -- asking for specific amounts of money to be wired to various accounts; asking that a new vendor account be established as part of the ruse; or state that he or she will provide additional details when the wire is ready to be sent. The fraudster will actually reply to messages impersonating the person in authority to request the wire transfer. The scammer may even produce fake invoices for the amounts purportedly due.
Tips to Avoid Becoming a Victim:
Be wary of e-mail-only wire transfer requests and requests involving urgency;
Pick up the phone and verify legitimate business partners.
Be cautious of mimicked e-mail addresses;
Follow or establish a multi-factor policy or procedure for paying invoices and sending wires, and stick to the established procedures;
Pause to think, question, and verify the legitimacy of requests for wire transfers.
We're happy to field calls or emails regarding suspicious emails or links. Following the advice above can make a difference. Combined with regular backups and a solid security infrastructure, you can significantly lower your risk and exposure to this and many other IT security threats. Please let us know if you need help communicating this information to your user base. If you have any questions, please do not hesitate to contact us at email@example.com or call (877) LEX-PATH.
I'm busy working on my blog posts. Watch this space!