Businesses have lost billions of dollars to fast-growing scams where fraudsters impersonate company executives in emails that order staff to transfer to accounts controlled by criminals, according to the U.S. Federal Bureau of Investigation.
Losses from these scams, which are known as “business email compromise,” totaled more than $2.3 billion from October 2013 through February of this year, the FBI said in an alert issued this week, citing reports to law enforcement agencies around the globe.
The cases involved some 17,642 businesses of all sizes scattered across at least 79 countries, according to the FBI alert posted on the website of the agency’s Phoenix bureau.
Law enforcement and cyber security experts have been warning that business email compromise was on the rise, but the extent of losses has not previously been disclosed.
Cyber security experts say they expect losses to grow as the high profits will attract more criminals.
“It’s a low-risk, high-reward crime. It’s going to continue to get worse before it gets better,” said Tom Brown, a former federal prosecutor in Manhattan.
The FBI’s alert said that fraudsters go to great lengths to spoof company email accounts and use other methods to trick employees into believing that they are receiving money-transfer requests from CEOs, corporate attorneys or trusted vendors.
“They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy,” the alert said.
It said they often target businesses that work with foreign suppliers or regularly perform wire transfers.
The size of the losses vary widely from case to case.
Austrian aircraft parts FACC said in January that it lost about 50 million euros ($55 million) through such a scam. In Arizona, the average loss ranges from $25,000 to $75,000, according to the FBI.
The FBI said in its alert, which was dated Monday, that it has seen a 270 percent increase in identified victims and exposed loss since January 2015.
Brown, who now runs the cyber investigations unit with Berkeley Research Group, said that the potential consequences of the breach of an email account are sometimes not immediately apparent to victims.
“This shows that even the hack of an email account can cause significant financial loss,” Brown said.