Tech firm loses $47 million to business email compromise scam


In today's world, the anti-scam rule “Don't call me, I'll call you” is more important than ever

At the end of July we warned you that, according to the FBI's Internet Crime Complaint Center, or IC3, a type of fraud called the “Business Email Compromise” had been growing ever more frequent and intense over the past year and change. And this week, the wireless-networking firm Ubiquiti Networks publicly disclosed that it had fallen for such a scam in early June — and lost $46.7 million as a result.

The business email compromise is essentially an updated version of the old “invoice scam,” only reliant on computers rather than old-fashioned paper payment systems. The invoice scam is simplicity itself: mail fake invoices to various businesses in the hope that they'll be mistaken for real ones, and paid accordingly. In January the U.S. Postal Service estimated that American businesses lose millions if not billions of dollars to such scams every year – though the exact amount is impossible to determine, because the nature of this scam is such that many of its victims have no idea they're being victimized.

Business invoice scam

The business email compromise is essentially an invoice scam conducted over the Internet. Here's how it works: suppose you own, or work for the financial department of, a candy-making company. Of course the company buys lots of ingredients – sugar, corn syrup, chocolate liquor and more – to make its various products, which is why it sends regular payments to various suppliers.

If I'm an invoice scammer out to defraud your candy company, chances are I needn't even take on the minor cost of printing and mailing a fake invoice. All I have to do is send an official-looking email to your business address, ostensibly from one of your suppliers: “This is SugarCo writing to remind you that we've recently switched banks. Please update our information in your payment database: instead of sending SugarCo payments to account Y at bank Z, send future payments to account A at bank B.” Then I relax, have a drink, and watch the money roll in – at least until the real SugarCo contacts your Accounts Payable department to ask why they haven't been paid yet.

And if my scamming self has actual hacking skills, rather than the mere ability to write a convincing-looking fake email, then so much the better: instead of waiting for one of your employees to bite on my scambait and divert payments to me, I can simply hack into the right account and divert the payments myself.

Ubiquiti Networks scammed

Something very similar happened at Ubiquiti Networks earlier this year, according to the quarterly financial report the company filed with the Securities and Exchange Commission last week:

On June 5, 2015, the Company determined that it had been the victim of a criminal fraud. The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties. As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions....

Ubiquiti was, at least, able to recover $8.1 million of the lost funds, with another $6.8 million “currently subject to legal injunction and reasonably expected to be recovered by the Company in due course.”

But it's highly unlikely the company will manage to get all of its lost money refunded, and also unlikely that the company will “be successful in obtaining any insurance coverage for this loss,” as it admits in the SEC filing.

Ubiquiti didn't disclose exactly how the fraudsters managed to pull off this scam (it's possible Ubiquiti doesn't exactly know), though the investigation did determine that no employee was criminally responsible. Given that the SEC filing did say “The investigation uncovered no evidence that our systems were penetrated or that any corporate information, including our financial and account information, was accessed,” chances are high that the fraudsters got in by emailing fake bank notices or similar things to Ubiquiti executives, and one of them fell for the bait.

When security expert Brian Krebs analyzed the Ubiquiti heist, he noted that “Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed.”

Non-traditional scam

That's why even a presumably tech-savvy employee of a tech networking firm might fall for such phishing bait: it doesn't set off traditional phishing-scam alarms. Consider: last December, at the start of the 2014 holiday shopping season, unknown hackers were using fake mail-order “confirmation emails” to trick people into downloading dangerous malware onto their computers. By ordinary phishing standards, those emails were relatively high-quality fakes, in that the fake notices looked almost identical to real notices sent by the likes of Amazon or other online retailers, without the glaring spelling errors or outdated logos usually found in phishing emails.

However (as we advised you last December), to detect one of those fake shipping orders all you needed to do was notice that the emails, though professional-looking, were also addressed generically rather than specifically. Real Amazon shipping notices never say “Your order has shipped”; they say “Wile E. Coyote, your order of ACME Rocket-Powered Roller Skates has shipped.”

But that rule doesn't work with the business email compromise, because the fraudsters learn enough information to customize their emails with authentic personal and business names.

Remember the hypothetical candy-company invoice scam we mentioned earlier? When a candymaker gets an email saying “Instead of sending SugarCo payments to account Y at bank Z, send future payments to account A at bank B,” that sounds legitimate when the candymaker genuinely does do business with SugarCo, and actually has been sending payments to account Y at bank Z.

Don't call me; I'll call you

That's why you must be extra-vigilant about applying another anti-phishing rule: “Don't call me; I'll call you.”

In other words, be suspicious of any unsolicited email (or text message, phone call or snail-mail letter) you get reporting problems or changes with your accounts – even if that message does seem to be from a legitimate company or institution.

If you're a business owner or someone working in Accounts Payable, it's fine for you to contact your suppliers about issues regarding payment arrangements – but if someone claiming to represent your supplier contacts you to request a change, you must verify this on your own rather than take that unsolicited message at face value. After all: you didn't call them. They called you, and in today's world that's a warning sign of a scam.
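One way an Accounts Payable team can turn the “Don't call me; I'll call you” rule into a process is to never apply an emailed bank-detail change directly, but to park it until someone calls the supplier back on the phone number already on file. The following is an added illustration written for this article, not code from Ubiquiti or any company named here; the SugarCo-style vendor record, domains, phone numbers and account identifiers are constructed sample data.

```python
# Added example: holding an emailed supplier bank change until it is verified
# by calling back on the number already in the vendor master record, never on
# a number supplied in the email. All vendor data below is constructed.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Vendor:
    name: str
    email_domain: str     # domain the supplier normally writes from
    phone_on_file: str    # captured at onboarding; the only number used for callbacks
    bank: str
    account: str

@dataclass
class ChangeRequest:
    sender: str           # From: address of the email
    new_bank: str
    new_account: str
    callback_in_email: Optional[str] = None   # a number the email asks you to call

@dataclass
class PendingChange:
    request: ChangeRequest
    flags: List[str] = field(default_factory=list)
    verified: bool = False

def triage(vendor: Vendor, req: ChangeRequest) -> PendingChange:
    """Record warning signs and park the request; nothing is changed here."""
    pending = PendingChange(req)
    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        pending.flags.append("sender domain differs from vendor domain on file")
    if req.callback_in_email and req.callback_in_email != vendor.phone_on_file:
        pending.flags.append("email offers its own callback number; do not use it")
    pending.flags.append("unsolicited bank change: call back on number on file")
    return pending

def confirm_by_callback(vendor, pending, number_dialed, supplier_confirmed):
    # Only a call placed to the number on file can verify the request.
    if number_dialed != vendor.phone_on_file:
        raise ValueError("callback must use the number on file, not one from the email")
    pending.verified = supplier_confirmed
    return pending.verified

def apply_change(vendor: Vendor, pending: PendingChange) -> Vendor:
    # Payment details change only after out-of-band verification succeeded.
    if not pending.verified:
        raise PermissionError("bank change not verified out of band")
    vendor.bank, vendor.account = pending.request.new_bank, pending.request.new_account
    return vendor
```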
