Is that email really from your boss? FBI warns fake CEO scams now $3.1bn crime

The FBI says the number of victims and losses to CEO phishing fraud has exploded over the past few years.
Written by Liam Tung, Contributing Writer


The Federal Bureau of Investigation (FBI) reports that "exposed dollar losses" to CEO fraud emails total $3.1bn since October 2013.

The FBI revealed the figure in a new public-service announcement (PSA) on the Internet Crime Complaint Centre (IC3) to warn businesses about criminals who use bogus email accounts to pose as CEOs to trick financial controllers into wiring funds to the fraudsters' bank accounts.

The new numbers suggest CEO fraud or "business email compromise" may be a vastly bigger problem for businesses than previously thought.

In April the FBI reported victims worldwide had lost $2.3bn to the scam between October 2013 and February 2016.

IC3 explains that its new figures are based on data from international law enforcement and banks, as opposed to only complaints that IC3 has received. These additional sources of data suggest losses to CEO fraud have grown by 1,300 percent since January 2015, IC3 said.

Including the additional sources, 22,143 victims reported being targeted by the scam between October 2013 and May 2016.

IC3 also notes that the $3.1bn figure refers to "exposed dollar losses", which "includes actual and attempted loss in US dollars".

IC3 says it has received 15,688 reports from victims in the US and internationally, with losses totalling just over $1bn. US victims accounted for just over 14,000 of IC3 reports.

"The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong," IC3 said.

The new PSA updates the warning on business email compromise that IC3 issued in August 2015. Back then, IC3 had received 7,000 reports from US victims and 1,113 reports from non-US victims between October 2013 and August 2015.

Exposed dollar losses in the US totalled $748m, while the figure for non-US victims was $51.2m. Back then IC3 was only aware of the scam being reported in 79 countries, with funds being directed to 72 countries.

IC3's new PSA also expands its descriptions of different variants of business email compromise and suggests security steps to mitigate the risk of exposure.

It recommends adopting two-factor authentication, moving to a voice call to confirm large transactions, and, instead of hitting Reply on an email, using Forward to ensure the message is addressed to an account from the recipient's address book.
