This Is How Hackers Stole Millions From Your Company
Imagine a corporate bookkeeper gets an email from his CEO that says, “Hey, I need the W-2s for everybody in the company.” The diligent bookkeeper gathers the requested tax documents and sends them off to the executive. But the initial email wasn’t really penned by the CEO—it was written by a crook who broke into the executive’s email account. The goal: to carry out a new type of cybercrime called “business email compromise” or BEC, which hackers have used to try to steal billions of dollars in recent years.
“Our adversaries are opportunists,” says FBI agent Mitchell Thompson, speaking to reporters on Tuesday in New York City in Lower Manhattan at a roundtable to discuss growing online threats. “They look for vulnerabilities to exploit.”
There are several different kinds of BEC crimes, including the executive impersonation described above, which first appeared just before the 2016 tax season. Once hackers steals your information, they can sell it to other criminals or use it for lucrative credit card and tax refund scams.
Another type of BEC occurs when criminals hack or impersonate an executive and send an email to the company’s financial department asking for an immediate wire transfer, usually to banks in China and Hong Kong. “I’ve had $90 million go out the door in New York,” says Thompson. “Sometimes, it’s gone, sometimes it comes back,” he adds, depending on how quickly the victimized company discovers the crime.
Hackers have used BEC methods to steal or try to steal more than $3 billion worldwide between late 2013 and May 2016, with U.S. and foreign victims reporting more than 22,000 cases. Criminals have attempted the scam in all 50 states and in 100 countries, and there’s been a 1,300 percent increase in attempted and successful BEC thefts since January 2015, according to the bureau.
FBI officials also described other cybercrimes on Tuesday. Among them: ransomware, a type of malware—short for malicious software—that hackers use to encrypt the files on a computer, making them inaccessible so they can charge the computer’s owner a ransom to remove the infected software. “Criminals will target anyone with ransomware if they think they’ll pay up,” says FBI agent Richard Jacobs. The victims, he adds, usually pay anywhere from $200 to $10,000, often in bitcoin.
Because cybercriminals research the companies they target, the FBI advises companies to keep job descriptions and organizational charts off social media and company websites. Victims of internet crimes should also report what happened to the FBI at the bureau’s complaint center. “A lot of it boils down to good computer hygiene,” says agent Aristedes Mahairas, head of the FBI’s cyber division in New York. “If you don’t recognize an email, let’s move that over to the junk folder.”
Source | NewsWeek
