FBI: Beware fake CEO emails that have cost businesses $2.3bn

Financial controllers have been tricked into giving away $2.3bn to CEO email fraudsters in just two and a half years.
Written by Liam Tung, Contributing Writer

Beware of unexpected emails from the CEO asking for fund transfers.

The FBI is warning businesses to be extra cautious of fake CEO email requests for wire transfers after a massive rise in victims over the past year.

The FBI says it has seen a 270 percent increase in identified victims of so-called 'business email compromise' since January 2015.

This usually involves spoofing the email account of a senior executive, such as the CEO of a company, and tricking a financial officer into wiring funds to an overseas bank account, often purported to be that of a trusted vendor. The FBI has previously warned that the attackers carefully study their targets' business habits and usually pick companies that have international suppliers.

The FBI has, as of February, received 17,642 victim reports since it began collecting data on the scam in October 2013. Total losses over the period have now reached $2.3bn.

These figures mark a dramatic rise over those in an FBI public service announcement last August, which tallied 8,179 victims worldwide, mostly in the US, and losses of $1.2bn since October 2013.

The FBI noted at the time that the majority of victim transfers were to accounts at banks located in China and Hong Kong.

Microsoft recently added new security features in Office 365 specifically to address the attack because existing filters were poor at identifying spoofed corporate email domains.

The FBI's latest warning follows an Associated Press report detailing toy manufacturer Mattel's close shave with scammers who convinced a financial officer to wire $3m to an account in China by posing as the CEO in an email. Mattel was fortunate enough to have been able to halt the transfer.

The FBI said that if financial officers receive an email-only wire transfer request to a known vendor, they should call the partner first and, importantly, should not use any phone number provided in the email.

Since a crucial part of the attack is to spoof the domain of the target, the FBI has previously advised businesses to register all similar-looking domains that could be used against them. It also recommends requiring a second sign-off for transfers.
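As an added example (not from the article, the FBI or Microsoft), here is a simple screening check a mail team could run over inbound message headers: it flags senders whose domain is within a short edit distance of the real corporate domain, executive display names arriving from an external domain, a Reply-To that points somewhere other than the From domain, and wire-transfer wording in the subject. The corporate domain, executive name and sample messages are constructed for the demonstration.

```python
from email.utils import parseaddr

# Constructed values for the demonstration; substitute your own.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe"}          # display names worth protecting
WIRE_KEYWORDS = ("wire", "transfer", "urgent", "payment")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(headers):
    """Return a list of reasons this message looks like CEO-fraud; empty means clean."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    if from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        reasons.append("lookalike domain: " + from_domain)
    if name.strip().lower() in EXECUTIVE_NAMES and from_domain != CORPORATE_DOMAIN:
        reasons.append("executive display name sent from external domain")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    if any(k in headers.get("Subject", "").lower() for k in WIRE_KEYWORDS):
        reasons.append("wire-transfer language in subject")
    return reasons


# Constructed sample headers: one legitimate message and two suspicious ones.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example-corp.com>", "Subject": "Q3 board deck"},
    {"From": "Jane Doe <jane.doe@exarnple-corp.com>",
     "Reply-To": "ceo.jane@webmail.example", "Subject": "Urgent wire transfer to new vendor"},
    {"From": "Jane Doe <janedoe@freemail.example>", "Subject": "Re: invoice payment"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", assess(msg) or "clean")
```

A hit on any reason is a cue to verify by phone using a known number, which is the FBI's advice above, rather than an automatic block.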
