Email Scam Costs Three Washington Companies $1.65M, FBI Says

http://www.bizjournals.com
Ana Sofia Knauf
Puget Sound Business Journal
December 3, 2013

Three Washington state businesses were victims of an e-mail fraud scheme this year that cost them a collective $1.65 million, according to a recent FBI report.

The three companies in Bellevue, Seattle and Tukwila and the businesses' Chinese suppliers were the victims of a "man-in-the-middle" email scam. The FBI would not disclose the names or industries of the affected companies for security purposes.
The FBI reports that the scam began when fraudsters intercepted legitimate emails between the purchasing and supply companies and then impersonated each company to the other in subsequent emails.

Changes to the emails were subtle, like making fake email accounts that spoofed companies' e-mail addresses, said FBI public affairs specialist Ayn S. Dietrich. From there, fraudsters could forge emails by copying the original wording to contact the partner.
The FBI says the companies were led to believe they were sending money to an established supply partner in China. However, their money was instead routed into the fraudsters' bank accounts. Thus, suppliers might have shipped out legitimate products and never received payment, or the purchasing company was scammed into paying a bank account controlled by the scammers.

The bureau believes the perpetrators' emails originated in Nigeria or South Africa and has put out an alert through InfraGard, a partnership service between private corporations and the FBI to discuss cyber-security.

So how can smart business owners avoid being scammed by email fraud? The FBI has some suggestions:

  • Establish non-email communication channels, such as a phone call, early in the business partnership to verify significant transactions.
  • Create company email accounts through a company website domain. Avoid using free, web-based email services.
  • Be aware of changes in business practices. For example, if suddenly asked to contact a representative at his personal email address when all previous official correspondence has been on company email, businesses should verify via other channels that they are still communicating with their legitimate business partner.
  • Do not hit the "Reply" button. Instead, click "Forward" and either type in the correct email address or choose it from the email address book to ensure the intended recipient is selected.

This is the most recent of several incidents of email scams in the United States in 2013.

If business owners suspect their company has been targeted by this "man-in-the-middle" e-mail scam, Dietrich said they should file a report with the Internet Crime Complaint Center (IC3). The center reviews these complaints, which can help zero in on major sources of criminal activity.