The FBI’s Internet Crime Complaint Center (IC3) has issued a Public Service Announcement warning of “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.”
The scam, known as business email compromise (BEC) and formerly as the man-in-the-email scam, involves fraudulent wire transfer payments sent to foreign banks.
Victims, who are usually US citizens, are unwittingly recruited as “money mules” as part of other scams. They receive money in their bank accounts and are then directed “to quickly transfer the funds using wire transfer services or another bank account, usually outside the US. Upon direction, mules may sometimes open business accounts for fake corporations both of which may be incorporated in the true name of the mule.”
The scam’s tactics are hardly new, but its success has been impressive: between October 2013 and December 2014, the IC3 received complaint data relating to victims from every US state and 45 countries:
- Total US victims: 1,198
- Total US losses: $179,755,367.08
- Total non-US victims: 928
- Total non-US losses: $35,217,136.22
The FBI doesn’t know how victims are selected, but it does know that “the subjects monitor and study their selected victims prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocol necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ emails requesting additional details of the business or individual being targeted (name, travel dates, etc.). Some victims reported being a victim of various Scareware or Ransomware cyber intrusions, immediately preceding a BEC scam request.”
US organizations that want to avoid falling victim to this scam need to make sure that their staff are aware of security risks such as phishing attacks.
Staff awareness solutions
IT Governance’s Information Security & ISO 27001 Staff Awareness e-learning course will help your employees understand your organization’s information and compliance risks in line with ISO 27001 – the international standard for information security management – thereby reducing your vulnerability to security risks.
This course is targeted at anyone who is involved with processing information, uses information technology in their daily job, or uses the Internet as a means of conducting business. The course is not technical and is not meant for system administrators.
Organizations that want to implement an information security management system as set out in ISO 27001 should take advantage of IT Governance’s ISO 27001 Packaged Solutions.
Limited-time offer: order online in January 2015 and get 10% off the regular price.