Businesses Lose $3.1 Billion to Email Scams, FBI Warns (networkworld.com) 18
Business have lost over $3 billion because of compromised e-mail accounts, the FBI reports, citing "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments." 22,143 business have been affected -- 14,302 within the U.S. -- with a total dollar loss of $3,086,250,090, representing an increase of 1,300% since January of 2015.
Using social engineering or "computer intrusion techniques," the attackers target employees responsible for wire transfers (or issuing checks) using five scenarios, which include bogus invoices or executive requests for a wire transfer of funds, with some attackers even impersonating a corporate law firm. "Victims report that IP addresses frequently trace back to free domain registrars," warns the FBI's Internet Crime Complaint Center, which also urges businesses to avoid free web-based e-mail accounts.
Using social engineering or "computer intrusion techniques," the attackers target employees responsible for wire transfers (or issuing checks) using five scenarios, which include bogus invoices or executive requests for a wire transfer of funds, with some attackers even impersonating a corporate law firm. "Victims report that IP addresses frequently trace back to free domain registrars," warns the FBI's Internet Crime Complaint Center, which also urges businesses to avoid free web-based e-mail accounts.
Businesses should avoid gmail?? (Score:5, Interesting)
Wtf, I think gmail is 10x more secure than running the webserver on the same server you run your wordpress based website on.
Its really hard to get your mail service as secure as gmail is.
Re: (Score:2)
Re: (Score:2)
I've seen many companies use GMail, even rather big outfits.
They go and use something along the lines of "companyname-name@gmail.com" as their correspondence address. And yes, this would be emblazoned on their packaging.
We've got suppliers that work like that - but considering we remove the packaging (it's just inside a tacky plastic bag when we pack our goods, no one really notices.
Re: (Score:1)
Well, since gmail is a spy outfit, it's not a good idea for business to send confidential correspondence over their servers. It's probably better to set one up at home, something that can be quickly 'cleaned', if you get my drift.
Happens at my company all the time (Score:1)
Underlying question : SHOULD businesses use email? (Score:1)
Why not have internal messaging systems and file-checkin systems that are independent of email, and only allow email to a few trained/locked-down terminals?
I know it's inconvenient and thus the antithesis of "modern web" startup culture, but one should ask the question with fresh eyes from a business logic perspective.
Would you allow people coming and going with boxes in your business without any sort of controls on that? Strangers? Unattended packages?
Wouldn't it be a higher hurdle for script kiddies to
More Information (Score:3)
For more information on email scams, please click the link below and when the dialog box appears, click "Run".
voluntary (Score:3)
Re:voluntary (Score:4, Interesting)
One has to wonder, since this kind of thing is usually covered up by the "victim", just how the FBI know how much of it is going on.
Easy. They don't. Given the specificity of that number, it's the sum of the reported cases. The actual number of cases is much much bigger, both in count and in losses. Many companies are successfully hiding it, from the FBI, from their insurance company, from their stockholders, and from the public.
When RFC 822 was written in 1982, it was competing against a bunch of different email formats already in use since the late '70s. RFC 733, written in 1977, was supposed to have unified many of those formats and features already. It didn't, quite, so another attempt was made. To make a long story short, Internet email as we know it was in an uphill battle against entrenched formats, so to get it to fly, it had to be extraordinarily permissive. Minor things like authenticity of identity weren't even a consideration.
Those days are over. Email has been adopted. There isn't even a dash in the name anymore. Authenticity of identity is now exceedingly important. $3 billion ($6 billion? $9 billion?) important. Perhaps it's time for companies to get a grip on their inter-business relationships, so they can be confident that an invoice is legitimate. Outlook has signature features[1]. Nobody uses them. Maybe it's time.
---
[1] Let's not pretend the vast majority of businesses are using anything other than Outlook.
Re: (Score:2)
Which employees need email with the general public: Sales? Public Relations? Recruitment?
Which employees need email to specific outside people: accounts receivable, accounts payable, payroll, management, etc.
How about two email systems? A restricted one for employees who work with money or budgets and an external one for everyone else.
Are there any specific businesses (Score:2)
Are there any specific businesses, or types of businesses (say by size, sector or whatever) that are more susceptible to this kind of fraud?
Just curious.
And yet no one is suggesting the obvious solution (Score:2)