FBI issues supplier scam warning to businesses

Agency PSA addresses business email compromise scams


The FBI's Internet Crime Complaint Center (IC3) issued a warning last week about a type of scam that has exposed businesses to a total of $1.2 billion in losses from October 2013 until August 2015.

The scam is targeted at businesses that deal with international suppliers. Criminals will compromise legitimate email accounts through social engineering or other means, and request financial transfers from the victims.

Because the email accounts are legitimate (or at least they look legit), and the victim is often used to international payments, these scams are having a moderate to high degree of success.

"Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices," the PSA explained.

The FBI says there has been a 270 percent increase in the number of identified victims since January 2015.

Instances of supplier scams have been reported hitting all 50 states, as well as 79 other countries. While the scammed transfers have been reported going to a number of different locations across the globe, the majority of the transfers are going to banks located in China and Hong Kong.

"Victims report being contacted by fraudsters, who typically identify themselves as lawyers or representatives of law firms and claim to be handling confidential or time-sensitive matters. This contact may be made via either phone or e-mail. Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds," the PSA adds.

In a vast number of cases, the victims will see these scams towards the end of a normal working day or week. They may also arrive towards the end of the workday in another country, with the timing linked to the close of business at a foreign financial institution.

The notice offers suggestions that will help lower the severity of these scams, if not prevent them outright. Such tips include registering all variations of the company name, which will prevent scammers from using typos or similar-looking domains in phishing attacks.

The PSA also recommends email filters that will block all variations of a supplier's given domain, other than the legitimate one.
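One way to implement the filter check described above, as an added example that is not part of the PSA or the original article. The supplier domains, the substitution table, the distance threshold and the sample senders are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed supplier allowlist; replace with the domains of real suppliers.
SUPPLIER_DOMAINS = ("acme-supply.example", "northwind-parts.example")

# Small illustrative set of look-alike substitutions (assumption, not exhaustive).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain):
    """Collapse common visual tricks so look-alikes compare equal."""
    d = domain.replace("rn", "m").replace("vv", "w").replace("-", "")
    return d.translate(DIGIT_SWAPS)


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, max_distance=2):
    """Return (verdict, imitated_domain) for a From header value."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in SUPPLIER_DOMAINS:
        return ("allow", None)
    for legit in SUPPLIER_DOMAINS:
        if skeleton(domain) == skeleton(legit) or edit_distance(domain, legit) <= max_distance:
            return ("block", legit)
    return ("unknown", None)  # not a supplier look-alike; normal filtering applies


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ('"Acme Billing" <ap@acme-supp1y.example>',
                   "ap@acrne-supply.example",
                   "ap@acme-supply.example",
                   "sales@contoso.example"):
        print(sender, "->", classify_sender(sender))
```

A "block" verdict names the supplier domain being imitated, which is useful context for the accounts-payable staff who would otherwise have received the message.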

Another solid bit of advice is to implement two-factor authentication on transfers, such as phone verification via established numbers (not those included within the email) and having a second person within your organization sign off on the transfer before it is made.

Copyright © 2015 IDG Communications, Inc.
