NEW YORK — Hackers have funneled $1.2 billion out of companies’ accounts since October 2013, the FBI reported.
Using an increasingly common scam called “business email compromise,” hackers will pose as CEOs of companies and ask employees to hand over confidential financial information.
Typically, hackers will first send a phishing email to the CEO or a top-ranking executive to gain access to his or her account. Then, the hacker will send emails from the executive’s account.
Alternatively, hackers sometimes create a dummy email address to fool finance departments into thinking it’s coming from the CEO (email@example.com or firstname.lastname@example.org), for instance. After emailing employees, a person hitting “reply” quickly without paying attention could have responded to the hacker’s dummy email address.
Sometimes, hackers pose as company lawyers who tell employees they need certain financial information right away.
After securing the necessary information about the company’s accounts, the hackers will wire money out of the company into their own coffers.
The scam is extremely widespread. Though companies and their banks have gotten better at detecting business email compromise scams, the FBI said similar scams have been reported in all 50 states and in 79 countries.
In the first eight months of this year, there has been a 270% increase in identified victims and exposed losses due to business email compromise schemes.
Since October 2013, more than 7,000 U.S. companies have been identified as victims of the scam, according to this week’s FBI announcement, which was first reported by security blogger Brian Krebs. Hackers stole nearly $750 million from them. Including companies reporting to foreign law enforcement agencies, the losses have totaled $1.2 billion over the past two years.
The losses from these attacks can be devastating.
Earlier this month, networking firm Ubiquiti reported that an “outside entity” targeted its finance department by sending what appeared to be a company email.
A hacker posing as one of its employees online stole $46.7 million from the company’s accounts.
It was able to recover $8.1 million of the money that the hacker stole, and Ubiquiti believes it will be able to get back at least $6.8 million more. The company said it is working with U.S. and overseas law enforcement to retrieve the remaining $31.8 million.