The spoofing of business executive email accounts is a lucrative business for hackers and an increasingly common practice, reports Brian Krebs. He tells the story of “Judy” who came dangerously close to losing her company $315,000 in cash after receiving an email from her boss asking her to wire the money to a Chinese supplier.
Because such requests from her boss were common, Judy didn’t give it much thought until she reread the email and noticed its tone, which was far more formal than usual. She managed to halt the transfer before it was too late.
In January this year, the FBI reported that cyber thieves using increasingly complex scams such as this managed to steal as much as $215 million in the preceding 14 months. In one case, The Scoular Co., a well-established company in Omaha, Nebraska, lost $17.2 million over the course of last summer to thieves using this method.
Upon digging deeper, investigators in Judy’s case determined that the cyber thieves had registered a phony domain and email account with Vistaprint. The domain name was one lookalike letter different from Judy’s company’s.
Judy’s employer has now set up a procedure for wire transfers. They can no longer be initiated by following instructions in an email. Instead, the request must be confirmed in person, either face-to-face or over the phone. The FBI’s advice is similar: where possible, businesses should adopt a two-step authentication process for significant transactions.
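The lookalike domain in Judy’s case differed from her company’s by a single letter. The following is an added example, not code from the article or from Krebs, of the kind of inbound-mail check a defender can run to flag sender domains that are one edit away from, or a character-swap of, a trusted domain. All domain names and From headers below are constructed placeholders; the homoglyph table is a small illustrative set, not an exhaustive one.

```python
"""Flag inbound sender domains that look like one of the company's own.

Two checks are combined: folding common lookalike characters (rn -> m,
1 -> l, 0 -> o, ...) before comparing, and an optimal-string-alignment
edit distance that counts one substitution, insertion, deletion or
adjacent transposition as a single edit.
"""

import re

# Constructed placeholder for the company's own domain(s).
TRUSTED_DOMAINS = ["example-grain.com"]

# Single-character substitutions commonly used in lookalike registrations.
# Mapping both 'i' and '1' onto 'l' deliberately makes them collide.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s"})

# Multi-character sequences that read like a single letter in many fonts.
PAIR_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain: str) -> str:
    """Lowercase a domain and fold lookalike glyphs onto a canonical letter."""
    folded = domain.lower()
    for src, dst in PAIR_GLYPHS:
        folded = folded.replace(src, dst)
    return folded.translate(HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Edit distance allowing adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,       # deletion
                          d[i][j - 1] + 1,       # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From header such as 'Name <user@domain>'."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    if "@" not in address:
        raise ValueError(f"no address in From header: {from_header!r}")
    return address.rsplit("@", 1)[1].strip().lower()


def assess_sender(from_header: str, trusted, max_distance: int = 1):
    """Classify a sender as trusted, lookalike, or plain external.

    Returns (verdict, sender_domain, matched_trusted_domain_or_None).
    """
    domain = sender_domain(from_header)
    trusted = [t.lower() for t in trusted]
    if domain in trusted:
        return ("trusted", domain, None)
    for t in trusted:
        if normalize(domain) == normalize(t):
            return ("lookalike", domain, t)
        if osa_distance(domain, t) <= max_distance:
            return ("lookalike", domain, t)
    return ("external", domain, None)


if __name__ == "__main__":
    # Constructed sample headers: the legitimate boss, three lookalikes,
    # and an unrelated external party.
    samples = [
        "Boss <ceo@example-grain.com>",
        "Boss <ceo@exarnple-grain.com>",   # rn in place of m
        "Boss <ceo@example-grian.com>",    # transposed letters
        "Boss <ceo@examp1e-grain.com>",    # digit 1 in place of l
        "Partner <ap@supplier-shanghai.example>",
    ]
    for header in samples:
        print(assess_sender(header, TRUSTED_DOMAINS), "<-", header)
```

A check like this belongs at the mail gateway or in a mailbox rule that tags the message, not as a silent block: a flagged message should still reach the recipient, with a visible warning, so that a legitimate but oddly spelled partner domain is not lost, and it complements rather than replaces the out-of-band confirmation call the article describes.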