How many emails do you get a day? Studies show the average American received nearly 100 emails each day and many would say that’s a slow morning at the office.

Add to that number each ding for texts, tweets and direct messages, and it’s easy to see why not every message gets your full attention.

And that is a vulnerability some hackers have identified and are looking to exploit. It’s something called business email compromise, email account compromise or CEO fraud. Essentially, it is a sophisticated scam that targets businesses working with foreign suppliers or businesses that regularly perform wire transfers.

“A lot of the transfers we see range from $30,000 to $100,000,” says Sgt. Plank, a member of the FBI’s Cyber Task Force who works as a officer on the Utah Dept. of Public Safety. “There are lots of businesses that rely on wire transfer services; it’s just something they do every day and they don’t think about it for a second.”

Sgt. Plank says these types of scams increased this year by 2,700 percent. And that was on the heels of a 1,300 percent increase the year before. Across the U.S., there were 22,292 victims who combined to lose $1.5 billion.

  • Congress considers authorizing cyber vigilantes

  • Cybercriminals disguised by email (6:33)

  • Ignoring red flags and clicking without suspicion (12:34)

  • Acting quickly increases chances of recovering stolen money (21:15)


Types of Scenarios
There are five basic scenarios where hackers use email to convince you they are someone in a position of authority.

  1. Business working with foreign suppliers.

  2. Business executive receiving or initiating a request for a wire transfer.

  3. Attorney Impersonation handling sensitive or secretive matters.

  4. Real estate purchase.

  5. W-2 request.

Once they have you fooled, they use that trust to have your employees send money.

What is a Spoofed Email?

So, how does one of your employees get fooled? Sometimes, scammers use spoof emails. These emails are sent from a domain that looks like your business domain, but may be off by one letter. The top level domain might be the only thing different (.com becomes .net or .co, for example). There are also websites that allow you to send an email which actually spoofs the header information so there might not be any typos at all.

IC3 Suggestions for Protection

  • Avoid using free web-based email for your business, like Yahoo, Gmail, etc. Instead, establish a company domain and use it for emails. Sgt. Plank also recommends you enable two-factor authorization, meaning a login requires a password and a code sent to the user’s cellphone. Of course, using complex  passwords that aren’t reused is always a good idea.

  • Be careful what you post to Social Media and company websites, especially job duties and responsibilities and out of office details.

  • Be suspicious of requests for secrecy or pressure to act immediately.

  • Consider other methods to confirm money transfers, like a phone call or in-person confirmation if possible.

  • When replying to emails...try forwarding instead of replying. This forces you to type in the email address or have the correct address auto-populate from your contacts.

  • Be wary of any sudden change in business practice or wire info.

  • Register similar domains or create detection rules for similar emails


You can hear more on the full CYBER24 podcast.