The Federal Bureau of Investigation has released an alert warning of increased email scams that cause fraudulent wire transfers and the loss of confidential information. Businesses that make wire transfer payments or that work with foreign suppliers have been especially targeted, using sophisticated methods, by individuals who have learned the business’s processes and activities. Between Jan. 2015 and Dec. 2016, actual or attempted losses from business email compromise increased by 2,370%, and losses were reported in all 50 states as well as 131 countries.
What to watch for
These scams often begin when a business’s employee clicks on a link in a “phishing” email from a seemingly legitimate source, which downloads malicious software (malware). This malware may give the attacker access to the employee’s data, including passwords and personal information, or may be combined with social engineering to probe deeper into the organization for access. Social engineering occurs when a scammer manipulates employees by deception to obtain confidential information or system access – for example, by pretending to be a repair person who needs a password to access the computer network.
The Internet Crime Complaint Center (IC3) outlines the five most frequent scenarios to watch out for:
- Business working with a long-term foreign supplier is asked to wire funds to pay an invoice to a different (fraudulent) account
- Business executive’s email account is compromised and used to request a wire transfer either from the company or even the company’s bank
- Employee’s personal email is compromised, then used to request payments from the business’s vendors to fraudulent bank accounts
- Scammers claim to be attorneys handling confidential or time-sensitive information, needing quick and secretive transfer of funds
- Business executive’s compromised email account is used to request confidential personally identifiable information (PII), often targeting human resource professionals; this scam may be followed by wire-transfer requests
Protecting yourself and what to do if you’re scammed
The FBI’s alert includes a list of practices to help businesses protect themselves. More information, including what action you should take if you’re scammed, is available from the US Department of Justice in the publication Best Practices for Victim Response.
Need more information?
To learn more about how to protect your business and yourself with IT risk management, contact Brian Johnson, senior vice president of technology services, using the information below.
Brian Johnson, Senior Vice President, Technology Services
Brian joined AGH in 1992. He leads the firm’s technology services practice where he helps clients achieve measurable performance improvements through the delivery of specialized, competency-based information systems management, assurance, and advisory services. He has extensive experience in information security, network engineering, and solution development, with recognized specializations in governance, risk, control, and related consulting services.
Brian is a member of ISACA (previously known as the Information Systems Audit and Control Association), the Kansas Society of Certified Public Accountants (KSCPA), the American Institute of Certified Public Accountants (AICPA), the AICPA’s Information Management and Technology Assurance (IMTA) Section, and the Association for Supply Chain Management (ASCM). He is a Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), Certified in Risk and Information Systems Control (CRISC), Certified Data Privacy Solutions Engineer (CDPSE), and Certified in Production and Inventory Management (CPIM).
Brian is also a Certified Public Accountant (CPA) and a graduate of Wichita State University, where he earned Master of Accountancy and Bachelor of Business Administration degrees.
Information in this document has been obtained by Allen, Gibbs & Houlik, L.C. from sources believed to be reliable. However, AGH does not guarantee the accuracy or completeness of any information. This communication does not and is not intended to provide legal, accounting or other professional advice or opinions on specific facts or matters, and accordingly, AGH assumes no liability whatsoever in connection with its use. Nothing in this communication can be used to avoid penalties that may be imposed by a governmental taxing authority or agency.