Employees at Snapchat fell for it. So did major tech company Seagate Technology and health care provider Magnolia Health Corporation. Toy-maker Mattel lost $3 million in March alone and tech firm Ubiquiti lost a whopping $46.7 million in 2015 ... and it had nothing to do with being a bad business or poor sales.
All of these respectable companies had employees who were duped into coughing up sensitive information in what the FBI is calling B.E.C. scams (business email compromise), also known as CEO Fraud Scams. What is a B.E.C. scam?
A B.E.C. scam is when an employee at a company receives an email, seemingly from the company CEO or someone in the payroll department. It's a quick email asking for, let's say, payroll information, or a quick money transfer.
The employee doesn't bat an eyelash: assuming the email is nothing out of the ordinary, they respond or click on a malicious link, and all of a sudden sensitive information about the company and its employees is in the wrong hands.
It's a common problem that's getting larger by the day, and no company or person is safe. Just this week, we've received four of these scams in our work inboxes. See the examples below to get a better feel for how these emails are structured:
We obtained such documents from your bank, please view the attached documents.
Regional Executive Vice President
And here's an example from security researcher Brian Krebs:
Are you busy ? i need you to process a wire transfer for me today. Let me know when you are free so that i can send the beneficiary's details.
Did you spot all the red flags?
To make matters worse, the problem is quickly getting out of hand. In fact, since January alone, there has been a 270% increase in successful CEO fraud scams, with instances in every U.S. state and 79 other countries. In all, since October 2013, there have been a reported 17,642 victims with around $2.3 billion in losses.
Scammers are getting trickier by the day, so you'll have to stay one step ahead of them. One way to do this is to know the warning signs and red flags to look for before clicking on any links or sending out any sensitive information.
- Keep an eye out for typos and bad grammar
- Be able to identify where the email is coming from
- Hover your mouse over any link before you click, to make sure it points where it is supposed to.
For businesses, however, the rules are a little bit different. The FBI wants you to:
- Be wary of email-only wire transfer requests and requests involving urgency
- Pick up the phone and verify legitimate business partners
- Be cautious of mimicked e-mail addresses
- Practice multi-level authentication.
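Several of the warning signs in the two lists above (a mimicked sender address, a reply address that leads somewhere else, urgent email-only transfer wording, and a link whose visible text does not match its real target) can be checked mechanically before a message reaches the person who would act on it. The script below is an added example, not code from the original post or from the FBI; the company domain, the people and the sample message are constructed placeholders, and the anchor-tag matcher is demo-grade rather than a full HTML parser.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "acme-example.com"  # assumption: your organisation's own mail domain (placeholder)
# wording typical of the email-only, urgent transfer requests the FBI guidance warns about
URGENT = re.compile(r"\b(urgent|today|asap|immediately|wire transfer|beneficiary)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # demo-grade, not a full HTML parser

# constructed sample message that shows several of the red flags at once
SAMPLE = """\
From: "Pat Chief, CEO" <pat.chief@acme-examp1e.com>
Reply-To: pat.chief@mail-example.net
Subject: Are you busy?
Content-Type: text/html

<p>i need you to process a wire transfer for me today.</p>
<p>Approve here: <a href="http://login.example.net/x">https://www.acme-example.com/bank</a></p>
"""

def _host(text):
    """Hostname of a URL, or of bare link text such as 'www.bank.example'."""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()

def bec_red_flags(raw_message, company_domain=COMPANY_DOMAIN):
    """Return the red flags found in one raw RFC 822 message (empty list if none)."""
    msg, flags = message_from_string(raw_message), []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    if sender_domain != company_domain:
        # a near-identical spelling is the "mimicked e-mail address" case
        ratio = SequenceMatcher(None, sender_domain, company_domain).ratio()
        flags.append(f"{'lookalike' if ratio >= 0.8 else 'external'} sender domain: {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != sender:  # replies would quietly go somewhere else
        flags.append(f"Reply-To differs from From: {reply_to}")
    for part in msg.walk():  # walk() yields the message itself when it is single-part
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            hits = {m.lower() for m in URGENT.findall(msg.get("Subject", "") + " " + text)}
            if hits:
                flags.append("urgent/transfer wording: " + ", ".join(sorted(hits)))
            # the "hover over the link" check, automated: visible text names one host, href another
            for href, shown in ANCHOR.findall(text):
                if "." in shown and _host(shown.strip()) != _host(href):
                    flags.append(f"link text {shown.strip()!r} really points to {_host(href)}")
    return flags
```

Running `bec_red_flags(SAMPLE)` on the constructed message returns four flags (lookalike domain, mismatched Reply-To, urgent transfer wording, and a link that points elsewhere), while a plain internal message returns an empty list.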
If someone in your company falls for one of these scams, the FBI urges you to:
- Contact your financial institution immediately
- Request that they contact the financial institution where the fraudulent transfer was sent
- File a complaint—regardless of dollar loss—with the IC3.