Your CEO sends you an urgent email that the company is acquiring another firm and funds need to be wired that day. But don’t tell anyone: It’s secret due to regulatory disclosure rules. An email or phone call arrives from a VP of finance whom you know confirming the transaction. As an employee authorized to wire funds, you initiate a payment for a few thousand—or even a few million dollars—to the designated bank account in China or Hong Kong. By the time the scam is uncovered, the money is gone.
It sounds implausible, but variations of this scenario play themselves out regularly across corporate America. Since October 2013, fraudsters have netted $2.3 billion through such scams, says IC3, the FBI’s business crime complaint unit. In a statement released this week, the FBI identified more than 17,000 victims in every US state and at least 79 countries. That’s a 270% increase in frauds compared to last year.
Among the most high-profile frauds in the US and Europe in recent years were:

| Company | Money defrauded in scam |
|---|---|
| The Scoular Company | $17.2 million |
| KPMG | $8.7 million (€7.6 million) |
| Medidata Solutions | $4.8 million |
| Michelin | $1.8 million (€1.6 million) |
The con is so common it even has a name: the CEO Email Scam. The details vary but the plot is the same, according to Brian Krebs, a former Washington Post reporter who now runs a security news website. Crooks will scrape employee email addresses (or break into email systems directly) and send fake emails requesting an urgent and secretive wire transfer. The information usually appears credible and comes from a trusted source. Not every hack succeeds—banks are well aware of the ploy and flag some transactions before they finish—but enough of them do to make it an ongoing business.
These scams rarely set off spam or security alerts, Krebs says, because perpetrators carefully target attacks by studying employees’ relationships, activities, interests, and travel and purchasing plans.
Another reason they are so effective is that the attacks do an end run around technical defenses. It’s really a psychological hack that exploits the routines and trust within an organization. All it takes is a little background research, the company roster, fake emails, and a charming voice on the other end of the phone line to get the ball rolling.
The scam is believed to have originated with a charismatic French-Israeli identity thief named Gilbert Chikli. According to the Associated Press, his first heist involved convincing an employee of a French bank to cooperate with “a top-secret terrorism investigation” and deliver a bag full of 358,000 euros ($398,000) to a restroom stall in a Parisian cafe. After seeing how easily credulous employees could be convinced, he proceeded to defraud French companies of more than 6.1 million euros ($7 million) before fleeing the country (he will soon be the subject of the feature film “Thank You for Calling”).
The popularity of the scam is exploding. Lax money laundering laws in China, and plenty of easy targets in the US, mean we’ve probably only seen the beginning. The FBI tips for companies—avoid free web-based e-mail; monitor what information is posted about job duties and hierarchies; check the recipient’s e-mail address—appear unlikely to turn the tide.
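The FBI’s advice to check the e-mail address can be turned into an automated first pass that a mail gateway or finance mailbox filter can run before anyone acts on a payment request. The script below is an added example, not code from the article, from Krebs, or from the FBI; the company domain `example-corp.com`, the keyword lists and the sample message are all constructed for illustration. It flags three things the scam described above depends on: a Reply-To domain that differs from the From domain, a domain that is a lookalike of the company’s own, and a payment request wrapped in urgency and secrecy wording. A hit is not proof of fraud, only a reason to verify the request through a known phone number or in person.

```python
"""Sender-address and wording checks for CEO-fraud style e-mails (constructed example)."""
import email
from email import policy
from email.utils import parseaddr

# Assumed company domain for this example; substitute your own.
COMPANY_DOMAIN = "example-corp.com"

# Wording the scam relies on: a payment request plus urgency plus secrecy.
URGENCY_TERMS = ("urgent", "today", "immediately", "asap")
SECRECY_TERMS = ("confidential", "secret", "do not discuss", "don't tell")
PAYMENT_TERMS = ("wire", "transfer", "payment", "bank account")

# Constructed sample message: From looks legitimate, Reply-To is a lookalike
# domain (digit 1 instead of letter l), and the text asks for a secret, urgent wire.
SAMPLE = """\
From: "Chief Executive" <ceo@example-corp.com>
Reply-To: ceo@examp1e-corp.com
To: controller@example-corp.com
Subject: Urgent: confidential acquisition wire
Content-Type: text/plain; charset=utf-8

We are closing an acquisition today. Please wire the funds to the account
below and keep this confidential until the regulatory filing.
"""


def domain_of(addr_header):
    """Return the lowercase domain from a From/Reply-To header value ('' if none)."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a small value between two different domains
    means one is a typo- or homoglyph-style lookalike of the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, company=COMPANY_DOMAIN):
    """True if domain is not the company domain but is within two edits of it,
    or reuses the company name under a different top-level domain."""
    if not domain or domain == company:
        return False
    if edit_distance(domain, company) <= 2:
        return True
    return domain.split(".")[0] == company.split(".")[0]


def check_message(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])

    # Replies silently routed to another domain are the classic sign of a
    # spoofed or lookalike sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")

    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if is_lookalike(dom):
            findings.append(f"{label} domain {dom} is a lookalike of {COMPANY_DOMAIN}")

    # Subject plus plain-text body, lowercased for keyword matching.
    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS + SECRECY_TERMS):
        findings.append("payment request combined with urgency/secrecy wording: verify out of band")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

The domain check is deliberately simple; a production filter would also consult SPF/DKIM/DMARC results and a list of registered lookalike domains. The keyword check is the part that cannot be outsourced to the mail system: its only job is to make sure a request with this shape is confirmed with the supposed sender by a channel the e-mail did not supply.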
“It will spread because it’s too good to be ignored,” Jerome Robert from French cybersecurity company Lexsi told the BBC. “[Criminals] can make so much money in a very small amount of time, with minimal risk.”