Red flag in email scams: 'Have you already been contacted by (insert lawyer name)?'
Image from Shutterstock.
Scammers are stealing billions from corporations by impersonating their CEOs and their lawyers, the Financial Times (sub. req.) reports.
Hacking skills, of course, are helpful to cybercriminals, who may gain access to a company officer’s real email account. However, a spoofed account that doesn’t actually belong to the corporate chief but lists an email address for the sender that appears almost identical may also be used.
Simply sending an email to a company or checking a Facebook page can reveal that a CEO is out of the office on a faraway vacation or business trip and likely not in close touch with company employees during the time it takes to reach the destination. That sets the stage for a scam in which a high-level employee gets emails seemingly sent by the CEO and a lawyer working for the company, the article explains.
The emails instruct the employee to wire millions to a specified international account so a hush-hush corporate deal can be completed—and a number of employees who get such emails do what they are told. One stock sentence in such emails recently: “Have you already by contacted by (insert lawyer name)?” By the time the fraud is discovered, the money is usually gone.
That’s what happened to Scoular, a U.S. grain company, according to an FBI affidavit filed in a Nebraska court case. Then-controller Keith McMurtry was told in a series of 2014 emails seeming from its CEO to wire $17.2 million to an offshore account as part of a top-secret deal to acquire a Chinese company. McMurtry was also asked if he had already been contacted by a real KPMG lawyer about the deal, but given a fake email address and phone number at which to contact the accounting firm lawyer.
As McMurtry knew, his company had been mulling a China expansion and was working with KPMG on an audit, so he was not suspicious. However, the actual KPMG global leader whose name was used in the scam had never heard of Scoular, the Financial Times reports. The company and McMurtry declined to comment.
Over 12,000 businesses, large and small, in more than 100 countries have lost some $2 billion in email schemes since October 2013, and such cybercrimes are increasingly common, the Financial Times reports, relying on information from the FBI’s Internet Crime Complaint Center.
The largest loss to an individual business was $90 million and the average loss was $120,000.
Picking up the phone and verifying email instructions with a known individual, or requiring two people to confirm transactions, can do a lot to help companies avoid schemes based on spoofed email addresses, according to experts. However, some cybercrooks have found a way around a dual-verification roadblock by deceiving multiple employees at the same company.
At Medidata Solutions, an employee who got a fake email purporting to be from the company CEO in September 2014 said he needed two others to verify instructions he was getting from a lawyer he was told to deal with. But then two people with authority to give the OK also got phony CEO emails, and $4.7 million was sent to China, according to an insurance coverage lawsuit filed in federal court in New York.
The company escaped another $4.8 million loss, though, when one of the verifiers grew suspicious over a second round of emails and called the CEO directly.
Once a corporate email fraud is completed and the money is sent to an international account by a company employee with authority to transfer funds, the company may have little or no recourse. Banks likely have no liability for the loss, and cyberinsurance may not cover it either if the company was not actually hacked. But some insurers are starting to offer policies that include social engineering frauds and cover impersonations, the Financial Times says.
Hat tip: Wall Street Journal Risk & Compliance Journal (sub. req.)
ABAJournal.com: “Hackers are stealing closing funds by intercepting lawyer-client email, experts say”
ABAJournal.com: “Lawyers and clients beware: Spoof phone calls may direct funds to scammers”
ABAJournal.com: “Law Firms Still Victimized in Fake-Check Web Scams; Trial Looms for Nigerian Accused in $32M Swindle”
ABAJournal.com: “Man accused of scamming attorneys out of $70M gets over eight years in prison”