FBI: Business Phishing Attacks Net Cyber Thieves $3.1 Billion
Phishing attacks against companies have soared dramatically over the past 18 months, and losses have climbed into the billions, according to an FBI advisory issued this week.
FBI officials issued an alert this week that phishing attacks targeted at businesses worldwide have soared to a $3.1 billion scam in the past 18 months. A new technique employing data theft has been put into play since this latest tax season.
Specifically, the FBI focused on business email compromise (BEC) scams as the root cause of this increase. According to the bureau's June 14 alert:
The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January of 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.
Cyber-criminals spend time studying and monitoring their potential victims before launching the scam, learning to accurately identify them and the protocols needed to conduct wire transfers from their specific company or business environment to the would-be cyber thieves.
Armed with this knowledge, cyber-criminals go to work in a targeted fashion, specifically by impersonating the CEO or some other high-level executive at the company to extract money or additional information that could lead to financial gain down the line, according to the bureau.
The FBI advisory noted there are five scenarios that cyber-attackers use in these BEC scams, of which one is relatively new. It emerged with this year's tax season.
Under this new scenario, the attackers request either wage or tax statement information, like W-2s, or a company list of Personally Identifiable Information (PII). The employees who receive these requests typically work in human resources, bookkeeping, or auditing departments.
In one of the other four business email scams, the con artist dupes a foreign supplier through email, a fax, or a phone call, into wiring an invoice payment to a bogus account.
A second scam requires the hijacking of a company executive's email account and sending a request to an employee who normally processes wire transfers, asking that funds be wired to bank X, which the attacker can access.
A third scam involves hacking an employee's personal email account and using it to send invoice payment requests to various vendors that the company uses. The funds are then deposited into the cyber thieves' bank account.
Finally, the FBI notes a scam involving a cyber-criminal who poses as an attorney in an email or a phone call and claims to be handling a time-sensitive or confidential matter. The cyber-criminal pressures the employee to transfer funds into a bogus account.
The FBI suggests victims notify the agency and file a complaint, regardless of the size of the loss.
Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...