The Federal Bureau of Investigation warned U.S. businesses last year of a new variant of the business email compromise (BEC) scam, also known as CEO fraud, that targets personally identifiable information rather than simply tricking accounting staff into scheduling fraudulent wire transfers. IC3, the FBI's Internet Crime Complaint Center, reports that it received slightly more than 12,000 complaints about CEO fraud last year: email scams in which the attacker spoofs the boss and tricks an employee at the organization into wiring funds to the fraudster. Reported losses from CEO fraud totaled more than $360 million.
ICUL has been made aware of a new twist on this scam that has affected two credit unions in Illinois. An email was sent to the Treasurer of one of the Illinois Chapters, purportedly from an employee at another credit union in the Chapter, asking for payment of a vendor invoice. Fortunately the recipient, the Chapter Treasurer, did the right thing and asked questions. Best practice for any email request for money is to telephone the person who supposedly sent it before acting, using a number already on file rather than one supplied in the email itself.
Unlike traditional phishing, the spoofed emails used in BEC schemes rarely trip spam filters, because they are targeted at a few recipients rather than mass-mailed. It is unknown how victims are chosen. Fraudsters take the time to understand the target organization's relationships, activities, interests, and travel or purchasing plans.
They do this by scraping employee email addresses and other information from the target's website to make their messages more convincing. Where executives or employees have had their inboxes compromised, the fraudsters search the victim's email for key words such as "invoice," "deposit" and "president."
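The "spoofed boss asks for a payment" pattern described above can be turned into a simple check on inbound mail. The following is an added example and is not code from ICUL or from this bulletin. It assumes a hypothetical credit union domain, example-cu.org, and a hand-written staff directory; the two messages it scans are constructed samples, one mimicking the fraud described here and one ordinary internal note.

```python
"""Inbound-mail check for the "spoofed boss asks for a payment" BEC pattern.

Added example, not code from ICUL or the bulletin. Assumptions (hypothetical):
the protected credit union's mail domain is example-cu.org and a small staff
directory maps display names to their real addresses. The two messages at the
bottom are constructed samples.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-cu.org"            # assumption: our own mail domain

STAFF = {                                # assumption: constructed staff directory
    "Jane Doe": "jane.doe@example-cu.org",
    "Pat Smith": "pat.smith@example-cu.org",
}

# The same words the fraudsters hunt for in compromised inboxes.
PAYMENT_WORDS = re.compile(r"\b(invoice|deposit|wire|payment|transfer)\b", re.I)


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _plain_body(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = [p.get_payload(decode=True) or b"" for p in parts
              if p.get_content_type() == "text/plain"]
    return b"\n".join(chunks).decode("utf-8", "replace")


def bec_indicators(raw_message):
    """Return {'sender_anomalies': [reasons], 'payment_words': [words]}."""
    msg = message_from_string(raw_message)
    anomalies = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    # 1. A colleague's display name on an address that is not theirs.
    known = STAFF.get(display_name)
    if known and from_addr != known.lower():
        anomalies.append("display name %r does not match directory address %s"
                         % (display_name, known))

    # 2. Reply-To steering replies somewhere other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        anomalies.append("Reply-To %s differs from From %s" % (reply_to, from_addr))

    # 3. A sender domain that is close to ours but not ours.
    if from_domain and from_domain != OUR_DOMAIN and _edit_distance(from_domain, OUR_DOMAIN) <= 2:
        anomalies.append("sender domain %s resembles %s" % (from_domain, OUR_DOMAIN))

    words = sorted({m.lower() for m in PAYMENT_WORDS.findall(_plain_body(msg))})
    return {"sender_anomalies": anomalies, "payment_words": words}


def is_bec_suspect(raw_message):
    """True when payment language arrives together with at least one sender anomaly."""
    ind = bec_indicators(raw_message)
    return bool(ind["payment_words"]) and bool(ind["sender_anomalies"])


# Constructed sample: lookalike domain, external Reply-To, invoice language.
SAMPLE_FRAUD = """\
From: Jane Doe <jane.doe@examp1e-cu.org>
Reply-To: jane.doe.ceo@mail-example.com
To: treasurer@example-cu.org
Subject: Vendor invoice

Please process payment for the attached vendor invoice today.
"""

# Constructed sample: genuine internal message with no payment request.
SAMPLE_LEGIT = """\
From: Pat Smith <pat.smith@example-cu.org>
To: treasurer@example-cu.org
Subject: Chapter meeting

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(label, is_bec_suspect(raw), bec_indicators(raw))
```

A hit from this check is a reason to route the message to a "call first" queue, not a verdict; the phone call to a number on file remains the control. Note that the incident described in this bulletin came from an address at another credit union in the Chapter, so a directory limited to one's own staff would not catch it: the directory should also carry the chapter and vendor contacts whose names are likely to be borrowed.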
Educating employees so that they are less likely to fall for these scams will not block every social engineering attack, but it should help. We have attached information for use in educating your employees, as well as a link to an article by Trend Micro that does a very good job of describing the different BEC schemes.
By: Mary Anne Colucci, LSC Director of Fraud & Risk