Hackers stole more than $1 billion from small- to mid-sized businesses through email schemes and corporate account takeover ploys between October 2013 and June of this year, The Wall Street Journal reports.
According to the FBI, organized hacking syndicates are duping businesses, which think they're paying vendors, into transferring money to fraudulent accounts. Small businesses in the U.S. are usually the targets, but the FBI has received complaints about email fraud schemes from companies in 64 different countries.
In one incident in April, Phoenix-based Mega Metals wired $100,000 to a German vendor for a 40,000-pound container of titanium shavings. The company completes transactions like this regularly, except this time the vendor never received payment.
"We got tricked," David Megdal, vice president of Mega Metals, tells WSJ. "We, in fact, had sent a wire to who knows where."
When cybersecurity firm CrowdStrike took a closer look, it found that a hacker was able to breach a computer belonging to a broker for Mega Metals, infect it with malware to steal passwords, and gain access to the broker's email account. Next, the cybercriminals changed the wire-transfer instructions to steer the cash into their own account. They then shuffled it through a few different bank accounts, and now it's gone.
Mega Metals's story isn't unique, so within the last year, insurance companies have started to offer "social engineering fraud" riders on their policies. These can help reimburse a company if "employees are intentionally misled into sending money or diverting a payment based on fraudulent information provided via email, fax, phone call or other means," WSJ writes.
Since being swindled out of $100,000, Mega Metals has begun verifying email-based wire transfers with a phone call to the vendor that is supposed to receive the payment. That's a smart move, because when you get targeted, the clock starts ticking fast. "Once you reach beyond the 72-hour mark, it's extremely difficult," Patrick Fallon, a chief in the FBI's criminal investigative division, tells WSJ.