
Fake invoice scammers slurp $5bn+ from corp beancounters – FBI

Gawd, and we thought El Reg hacks' martini expense claims were bad

By Iain Thomson, 5 May 2017

The FBI reckons scammers netted more than $5bn in four years by emailing fake invoices and similar bogus claims to beancounters, tricking them into handing over company cash.

This so-called business email compromise crime (aka BEC, or sometimes "whaling") involves thieves sending convincing-looking invoices to staff while posing as contractors or business partners. Some crooks break into company email accounts to send the messages, ramping up the authenticity of the claims.

If the faked invoices are paid, the funds go to bank accounts controlled by the crooks, and the money is quickly laundered and vanishes from sight.

Between 2013 and December 2016 – the period over which the FBI has been collecting data on BEC – the agency reports that the crooks made off with $5,302,890,448 across 40,203 cases involving US and international businesses. To make matters worse, BEC reports grew by an astonishing 2,370 per cent over the past year.

The FBI set up a reporting site for this kind of fraud and found that between June and December of last year, US businesses reported losses of $346,160,957 in 3,044 attacks. Just last month, the Feds cuffed a Lithuanian man accused of defrauding Facebook and Google out of $100m, although the vast majority of the money was recovered.

Over the same six-month period, non-US businesses got hit to the tune of $448,464,415, but the number of attacks was much lower: 774. So while the US is still losing more money, the rest of the world is catching up.

The FBI said that the bulk of the funds are being diverted to banks in Hong Kong and China, from which they are usually transferred on to a series of other financial institutions – or in some cases, casinos. But the agency also said the use of British banks is on the rise.

The Feds have also noticed some variations on the original BEC scam. A lot of the more recent attacks were preceded by a malware infestation – typically ransomware – suggesting that malicious actors are using malware to survey a firm and its ability to pay before sending the bogus invoice.

Real estate scams are also on the up, rising 480 per cent last year. Here the scammer poses as the seller of a property, gets the funds and then absconds.

It's clear that companies need to get a lot better at securing their payment processes. The FBI recommends introducing two-factor authentication on everything, checking the bona fides of anyone requesting large amounts of funds – and being very suspicious if a partner decides to change their payment method or location. ®
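As an added illustration of the last of those recommendations (this is example code, not from the article or the FBI), here is a pre-payment check that treats a change of bank account, destination country or sender domain as grounds to hold an invoice until it has been confirmed out of band; the vendor record, invoice and large-amount threshold are constructed sample data and assumed figures.

```python
"""Added example: a payment-release check in the spirit of the FBI advice above.
Any invoice whose details differ from the approved vendor record is held until a
human confirms it through a known channel (e.g. a phone number already on file).
"""
from dataclasses import dataclass

# Constructed vendor master file: details approved when the supplier was onboarded.
VENDOR_MASTER = {
    "acme-contractors": {
        "iban": "GB00BANK00000000000001",          # constructed sample account
        "country": "GB",
        "contact_domain": "acme-contractors.example",
    },
}

LARGE_AMOUNT = 10_000.0  # assumed threshold above which bona fides are re-checked


@dataclass
class InvoiceRequest:
    vendor_id: str
    amount: float
    iban: str
    country: str
    sender_email: str
    verified_out_of_band: bool = False  # confirmed by phone/in person, not by email reply


def review_payment(req: InvoiceRequest, master=VENDOR_MASTER, large_amount=LARGE_AMOUNT):
    """Return ('release' | 'hold', reasons). Flags are cumulative; any flag holds
    the payment unless it has already been verified out of band."""
    reasons = []
    record = master.get(req.vendor_id)
    if record is None:
        reasons.append("unknown vendor: not in approved master file")
    else:
        if req.iban != record["iban"]:
            reasons.append("bank account differs from vendor master")
        if req.country != record["country"]:
            reasons.append("payment destination country changed")
        sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
        if sender_domain != record["contact_domain"]:
            reasons.append("sender domain not on file for this vendor")
    if req.amount >= large_amount:
        reasons.append("large amount: confirm bona fides of requester")
    if not reasons or req.verified_out_of_band:
        return "release", reasons
    return "hold", reasons
```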
