Pop quiz: If you get an email from your company's chief executive asking for funds to be transferred to an account, should you hop to it?
Answer: Nope. Better to cool your heels and pick up the phone to verify that the email was actually sent by the CEO, the FBI is advising, pointing to a "dramatic rise" in what it calls "the business e-mail compromise scam, or B.E.C." More than $2.3 billion has been lost to this kind of fraud, with the number of cases more than tripling in the last year, the agency warned this week.
The scam involves fraudsters creating spoofs of company emails or using social engineering to convince victims to let down their guard, often pretending to be an employee's CEO, a company attorney or a vendor that they've done business with in the past. Posing as an executive or partner with authority, the fraudster then asks the target to make a wire transfer "using dollar amounts that lend legitimacy," the FBI said.
Since October 2013, law enforcement has received reports from more than 17,600 victims, with the FBI's Phoenix branch saying that the average loss per scam ranges from $25,000 to as much as $75,000.
The FBI has some advice for businesses and their employees. First, your hackles should be raised anytime you receive an email requesting an urgent wire transfer. Second, pick up the phone to call the person who supposedly sent the email to verify whether it's legitimate. The FBI says that companies should also carefully look at emails to see if they are authentic, and use multi-level authentication.
The scam is similar to a tax fraud that's also on the rise. Fraudsters are increasingly pretending to be a company's CEO in order to ask for personal employee data, such as Social Security numbers. If the criminals are successful, they can gather enough data to file fake tax returns and claim the filers' refunds. The scammers are often targeting workers in accounting or human resources, who have access to W2 forms and employee data.
One company that fell victim to the scam was Snapchat. The photo-sharing company said last month that it had been the victim of the CEO phishing scam when a scammer impersonated its chief executive and asked for payroll information.
In another case, Mattel was swindled by a fraudster who targeted one of the toy company's finance executives. That employee, believing the email came from the CEO, wired more than $3 million to a bank in China, according to The Associated Press. Unfortunately, it was a scam and the company took a hit.
While there's not much that rank-and-file employees can do to protect themselves if an HR worker exposes their payroll information to a scammer, it's important for people to remain vigilant about their data and to scrutinize all emails carefully for signs of phishing. That means checking email addresses carefully and checking in with the person or institution that supposedly sent the email.
The National Cyber Security Alliance notes that in addition to emails, scammers rely on social media, fake websites and texts to try to get consumers to part with their personal information. If something "looks weird," it warns, it's best to delete it or ignore it.