It’s much easier to steal $1 million from one person than $1 from a million people, so naturally that’s where identity thieves have taken their “industry.” Small-dollar credit card fraud is old, tricking corporations into wiring millions of dollars overseas is in.
At the root of the latest scariest trend in identity fraud is a new twist on an old scam routine: impersonation. But in this con criminals aren’t impersonating a teenager in trouble to trick Grandma into wiring $1,000. They are impersonating executives with urgent requests to pay multi-million-dollar invoices. The scam works because employees naturally want to please their boss.
How the Scam Works
“Glen, I have assigned you to manage file T521,” read one such message sent by a scammer impersonating an executive. It was provided by the American Institute of Certified Public Accountants (AICPA) in a recent report on this kind of fraud.
“This is a strictly confidential financial operation, which takes priority over other tasks,” the message continued. “Have you already been contacted by [name of person and company]? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do not speak with anyone by email or phone regarding this.”
Thirty minutes later, the “executive” convinced the employee to make an upfront payment toward an acquisition in China. “Glen” wired $480,000, and didn’t become suspicious until the “boss” asked for a second payment worth millions.
In professional circles, the crime goes by the pedantic name “business email compromise,” but there’s nothing bland about the trend. Reports of the crime to the FBI’s Internet Crime Complaint Center have soared — from 1,198 incidents during 2013 to a total of almost 16,000 in the FBI’s most recent report in 2014. Worse yet, losses have grown 1,300% since January 2015, to almost $1 billion.
Individual firms have been hit hard. One technology company reported in an SEC filing last year that it had been hit by a con that led to “transfers of funds aggregating $46.7 million.”
In its report, the AICPA said the scam is so successful because criminals do a lot of legwork to prepare.
“Cybercriminals conduct extensive research online to mimic a company’s email protocols, design and structure. They monitor social networks to target employees who have a working relationship with the senior executive attributed to the fake email,” the report said. “It’s all meant to be plausible enough to persuade the employee to be responsive to the senior executive’s request and to bypass the controls associated with a wire transfer.”
Other elements that make the crime work so well, according to the report:
The email address is substantially similar to the purported sender’s address, with very minor, subtle differences. The email display name may appear correct, but when the cursor hovers over the email address, a different underlying address is displayed. For example, if the actual address is CEO@victimco.com, the impersonator address might be CEO@vicitmco.com. (Note the misspelled domain.)
Requests occur when the executive is traveling and cannot be contacted.
There is an element of urgency or secrecy regarding the disbursement.
The amount is within the normal range of transactions so as not to arouse suspicion.
Other employees are referred to or copied in the email, however, their email addresses are also modified.
Executive ID theft can take two main forms, the report says. In the first, an employee receives a rather panicky email from a supervisor saying a transaction must be ordered immediately to complete some kind of secret business deal. In the second form, dubbed “strong-armed vendor request,” a criminal pretends to be a vendor with an outstanding invoice — often based on a real invoice. The criminal then asks the payment be redirected to an account they control.
“The fraudulent email contains a PDF file of an invoice that appears to be from the trusted supplier, and the email text and header information appear to contain the hallmarks of an actual business communication from the supplier,” the report said.
At its core, business email compromise is the same old internet scam: There’s the usual time pressure technique, designed to confuse targets so they drop their guard, and the usual irrevocable payment method, such as a wire transfer.
“This sophisticated type of cyberattack is stealing millions of dollars from companies in a manner that should be particularly concerning to company stakeholders because it persuades employees to ignore internal controls,” said Annette Stalker, owner of Stalker Forensics and chair of the AICPA’s Forensic and Litigation Services Committee. “Executive impersonation bypasses the security systems that company IT departments have put in place to neutralize cyberattacks by going where companies and their employees are most vulnerable: their email systems.”
How to Protect Yourself
The time-tested internet fraud advice still holds true: If you ever feel unusual pressure from someone to make any kind of payment, back away from the computer and take a stroll around the block. Hit the pause button. Nearly all scams would fail if victims didn’t bow to time pressure that criminals utilize as their tool of choice. And stick to procedure when making payments, be they $10 credit card transactions to buy a pair of winter gloves or $10 million payments to overseas vendors. Don’t let someone talk you into doing an end-around — such as a one-time wire transfer to a new account — when you are dealing with money. Pauses and procedures are your best fraud-fighting tools.
If you do fall victim to a scam and your personal information is compromised, be sure to keep an eye on your credit, as this can indicate possible fraud. A sudden drop in credit scores, for instance, is a big sign that your identity has been stolen as are mysterious credit inquiries on your credit report. You can view a free snapshot of your credit report, updated every 14 days, on Credit.com.
This article originally appeared on Credit.com and was written by Bob Sullivan.