According to the FBI’s Internet Complaint Center, or IC3, global losses due to business email compromise have exceeded $12.5 billion.
The scam, also known as the CEO scam, targets both businesses and individuals performing wire transfer payments. The scam usually begins when fraudsters phish an executive of a company and gain access to that person’s inbox. Some will also email an employee from a domain that is similar to the company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” in order to trick the employee.
The scammer may not only request money, but also personal information like an employee’s W-2 forms.
From 2015 to 2017, IC3 received an 1,100% increase in fraud reports from victims who had been hit with a CEO scam that involved a real estate angle.
The FBI says one of the biggest sectors being targeted by the CEO scam is real estate. This includes title companies, law firms, real estate agents, buyers and sellers. Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account.
The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals. The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.
Although the popularity of the scam has risen, there are ways to protect yourself. Here are some tips to keep in mind:
- Minimize the number of people authorized to process and approve company wire transfers and check payments.
- Make a list available to employees with the names of those authorized to approve and process all company payments.
- Verify (with at least two people) requests for new or different payment processes or requests for secure information.
- Adopt a comprehensive anti-phishing program that empowers all your employees to act as the first line of defense against BEC scams.