Slashdot Mirror


Businesses Lose $3.1 Billion to Email Scams, FBI Warns (networkworld.com)

Businesses have lost over $3 billion because of compromised e-mail accounts, the FBI reports, citing "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments." 22,143 businesses have been affected -- 14,302 within the U.S. -- with a total dollar loss of $3,086,250,090, representing an increase of 1,300% since January of 2015.

Using social engineering or "computer intrusion techniques," the attackers target employees responsible for wire transfers (or issuing checks) using five scenarios, which include bogus invoices or executive requests for a wire transfer of funds, with some attackers even impersonating a corporate law firm. "Victims report that IP addresses frequently trace back to free domain registrars," warns the FBI's Internet Crime Complaint Center, which also urges businesses to avoid free web-based e-mail accounts.

18 comments

  1. Backdoors by Anonymous Coward · · Score: 0

    If only the FBI had backdoors into all the email systems, surely they would have prevented these economic losses!

  2. Businesses should avoid gmail?? by NotInHere · · Score: 4, Interesting

    Wtf, I think gmail is 10x more secure than running the webserver on the same server you run your wordpress based website on.

    It's really hard to get your mail service as secure as gmail is.

    1. Re: Businesses should avoid gmail?? by Anonymous Coward · · Score: 0

      If only the FBI were as smart as you.

    2. Re:Businesses should avoid gmail?? by wbr1 · · Score: 1

      Far better to use Google apps or even o365. You have more granular control over users, true archiving, etc. But if you are super cheap Gmail is the best free option.

      --
      Silence is a state of mime.
    3. Re:Businesses should avoid gmail?? by fustakrakich · · Score: 1

      Well, since gmail is a spy outfit, it's not a good idea for business to send confidential correspondence over their servers. It's probably better to set one up at home, something that can be quickly 'cleaned', if you get my drift.

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Businesses should avoid gmail?? by tlhIngan · · Score: 1

      I've seen many companies use GMail, even rather big outfits.

      They go and use something along the lines of "companyname-name@gmail.com" as their correspondence address. And yes, this would be emblazoned on their packaging.

      We've got suppliers that work like that - but considering we remove the packaging (it's just inside a tacky plastic bag when we pack our goods), no one really notices.

  3. Happens at my company all the time by natetheokay · · Score: 1

    The giveaway is that the executives ask way too nicely in the emails.

  4. Underlying question : SHOULD businesses use email? by Anonymous Coward · · Score: 1

    Why not have internal messaging systems and file-checkin systems that are independent of email, and only allow email to a few trained/locked-down terminals?

    I know it's inconvenient and thus the antithesis of "modern web" startup culture, but one should ask the question with fresh eyes from a business logic perspective.

    Would you allow people coming and going with boxes in your business without any sort of controls on that? Strangers? Unattended packages?

    Wouldn't it be a higher hurdle for script kiddies to swipe your database and embarrass your entire company if you had a more guarded approach toward messaging?

  5. Compromised e-mail accounts you say? by Anonymous Coward · · Score: 0

    How many email accounts do the FBI compromise? All of them including Hillary's.

    Never fucking trust a spy agency, not even if you pay them. If you pay them, especially don't.

  6. More Information by JustAnotherOldGuy · · Score: 2

    For more information on email scams, please click the link below and when the dialog box appears, click "Run".

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: More Information by Anonymous Coward · · Score: 0

      When the old fart makes a post, click Fuck Off.

  7. voluntary by frovingslosh · · Score: 2

    Sounds like it is just a voluntary tax on stupidity, perhaps coupled with a low cost course in computer security when that lesson is very needed. One has to wonder, since this kind of thing is usually covered up by the "victim", just how the FBI know how much of it is going on.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:voluntary by Areyoukiddingme · · Score: 3, Interesting

      One has to wonder, since this kind of thing is usually covered up by the "victim", just how the FBI know how much of it is going on.

      Easy. They don't. Given the specificity of that number, it's the sum of the reported cases. The actual number of cases is much much bigger, both in count and in losses. Many companies are successfully hiding it, from the FBI, from their insurance company, from their stockholders, and from the public.

      When RFC 822 was written in 1982, it was competing against a bunch of different email formats already in use since the late '70s. RFC 733, written in 1977, was supposed to have unified many of those formats and features already. It didn't, quite, so another attempt was made. To make a long story short, Internet email as we know it was in an uphill battle against entrenched formats, so to get it to fly, it had to be extraordinarily permissive. Minor things like authenticity of identity weren't even a consideration.

      Those days are over. Email has been adopted. There isn't even a dash in the name anymore. Authenticity of identity is now exceedingly important. $3 billion ($6 billion? $9 billion?) important. Perhaps it's time for companies to get a grip on their inter-business relationships, so they can be confident that an invoice is legitimate. Outlook has signature features[1]. Nobody uses them. Maybe it's time.

      ---

      [1] Let's not pretend the vast majority of businesses are using anything other than Outlook.

    2. Re:voluntary by packrat0x · · Score: 1

      Which employees need email with the general public: Sales? Public Relations? Recruitment?
      Which employees need email to specific outside people: accounts receivable, accounts payable, payroll, management, etc.
      How about two email systems? A restricted one for employees who work with money or budgets and an external one for everyone else.

      --
      227-3517
  8. Are there any specific businesses by Hognoxious · · Score: 1

    Are there any specific businesses, or types of businesses (say by size, sector or whatever) that are more susceptible to this kind of fraud?

    Just curious.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:Are there any specific businesses by Anonymous Coward · · Score: 0

      Yes, these are "stupid" businesses that need to fail.

  9. And yet no one is suggesting the obvious solution by superwiz · · Score: 1

    PGP in Gmail for business

    --
    Any guest worker system is indistinguishable from indentured servitude.