The FBI posted an alert this week warning about phishing attacks that skillfully mimic an email from an employee’s manager or executive requesting a funds transfer or similar activity.
The alert said the FBI has seen a 270% increase in so-called CEO scams since January 2015.
The FBI estimates these crimes have cost organizations more than $2.3 billion in losses over the past three years.
The FBI estimates the average organization loses between $25,000 and $75,000 in a CEO scam.
According to KrebsOnSecurity, the fraud typically begins with hackers either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a domain name very similar to the target company’s real domain.
Because they look like real emails and are sent only to specific individuals, CEO scams usually don’t trigger company spam filters. The hackers involved also often study a company carefully to understand its business and activities so that the funds request looks legitimate.
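The two tactics described above, a lookalike sender domain and a message that impersonates a named executive, can both be checked mechanically on the receiving side. The following Python script is an added example written for this article; it is not code from the FBI, KrebsOnSecurity, or any product mentioned here. The company domain, executive roster, homoglyph table, and sample From headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed for this example: the legitimate domain and a roster of
# executives whose names are likely to be impersonated in a funds request.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}

# Visually confusable substitutions commonly seen in lookalike domains.
# Each key is replaced by its value before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d", "5": "s"}

# Maximum edit distance at which a domain is treated as a lookalike.
MAX_EDIT_DISTANCE = 2


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain):
    """Lower-case a domain and undo common homoglyph substitutions."""
    d = domain.lower()
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d


def classify_sender(from_header):
    """Return one of: internal, lookalike-domain, display-name-spoof, external."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    base = COMPANY_DOMAIN

    if domain == base:
        return "internal"

    # A domain that becomes the real one after homoglyph cleanup, sits within
    # a couple of edits of it, or embeds it as a label is a lookalike.
    if (normalize(domain) == base
            or levenshtein(domain, base) <= MAX_EDIT_DISTANCE
            or base in domain):
        return "lookalike-domain"

    # An executive's display name attached to an address outside the
    # company domain is the classic "CEO scam" pattern.
    if name in EXECUTIVES and EXECUTIVES[name].rsplit("@", 1)[-1] != domain:
        return "display-name-spoof"

    return "external"


def triage(from_headers):
    """Classify a batch of From headers; returns (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in from_headers]


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    samples = [
        '"Jane Doe" <jane.doe@example-corp.com>',
        '"Jane Doe" <jane.doe@exarnple-corp.com>',
        '"Jane Doe" <jane.doe@examplecorp.com>',
        '"Jane Doe" <jane.doe@gmail.com>',
        '"Bob Vendor" <bob@vendor.example.net>',
    ]
    for header, verdict in triage(samples):
        print(f"{verdict:20} {header}")
```

In practice the roster and homoglyph table would be loaded from configuration, and a "lookalike-domain" or "display-name-spoof" verdict would add a visible banner to the message or route it for review rather than silently dropping it, since the whole point of the scam is that the text itself reads as legitimate.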
Several high-profile companies have been hit with CEO scams in the last several months. Toymaker Mattel was the victim of a phishing scam last year that almost cost the company $3 million, according to the Associated Press. A financial executive accepted a request to wire $3 million to a bank in China for a new vendor payment. Later, realizing the request was a scam, the company moved to stop the transfer, but the money was already in China. Luckily, the day after the attack was a banking holiday in China, and Mattel was able to recover the funds.
On March 1, Seagate Technology gave up the 2015 W-2 forms of all its current and former U.S.-based employees in a phishing scam. The week before, Snapchat revealed it was also the victim of a phishing scam when an employee released company payroll information to an attacker pretending to be CEO Evan Spiegel.
While security companies continue to build products that can prevent these types of attacks in the workplace, education around email security must be a cornerstone for all enterprises because hackers have become increasingly shrewd. Human error, combined with corporate cultures that sometimes fail to prioritize cybersecurity education, is often the culprit when businesses fall victim to phishing attacks.