Hackers have stolen billions of dollars from American companies by impersonating CEOs in an email scam — and the loot gets wired to banks in China and Hong Kong 83% of the time.
James C. Trainor Jr., assistant director of the FBI’s cyber division, highlighted the reach of the email scam during a speech at the International Conference on Cyber Security on Tuesday in New York City.
He was referring to an increasingly common scam called “business email compromise.” Hackers manage to grab a chief executive officer’s email account, then trick the company’s finance department to send money to an outside bank account.
For example, a company’s chief financial officer will get an email that says: “We need to pay this vendor right now. Wire $1 million to this account.” The money often gets sent because the order came straight from the CEO — or so they thought.
It’s how the networking company Ubiquiti lost $46.7 million last year.
Between October 2013 and February 2016, the FBI got reports from 17,642 companies that lost $2.3 billion this way.
Trainor told CNNMoney he suspects the true number of victims — and the cost — are much higher, because companies don’t always report crimes to the FBI.
“I get about two or three business email compromises reported to me every day, seven days a week, for the last year and a half,” he said.
During his speech, Trainor noted that the vast majority of these fraudulent wire transfers are made to banks in mainland China and Hong Kong.
Trainor stressed that victims should contact the FBI immediately to take advantage of a little-known policy: Some companies can actually get the money back.
There’s a 72-hour window during which the FBI can trace the money, and officially request that the Chinese bank return the funds. Most of the time, if the cash hasn’t yet been withdrawn, Chinese banks happily assist American law enforcement.
“Speed really, really matters,” Trainor said.
It’s unclear why so much of this stolen money immediately heads to China. Some suspect it’s because China doesn’t have an extradition policy with the United States, so it won’t send its citizens across the Pacific Ocean to get prosecuted in American courts.
But the hackers could be from anywhere — not just China.
Marcus Carey, a former U.S. intelligence officer who founded the cybersecurity firm vThreat, thinks hackers might just be taking advantage of Hong Kong’s massive presence in the business world.
“Hong Kong has traditionally been a gateway for foreign companies to perform transactions with Chinese business interests. So it wouldn’t be unreasonable for CFO’s to do transactions with Hong Kong based banks,” he said.
This scam is so elusive, it almost happened to a well-respected cybersecurity company, Malwarebytes. Last year, the company’s CFO got multiple emails that appeared to come from the company’s CEO, Marcin Kleczynski, asking him to pay a vendor bill of $52,140.60.
The email came from marcin@malwerabytes.com.
Did you catch that? It’s an email address at malwerabytes.com — just one letter off from the actual malwarebytes.com. Luckily, Malwarebytes CEO and CFO had previously agreed to double check all transactions, so they caught it.
“Maintaining that process and communicating is what kept the money safe,” Kleczynski wrote afterward.
Jérôme Segura, lead malware intelligence analyst at Malwarebytes, said hackers try to pass off as legitimate as possible to not get caught.
“There is a lot of trade business going on between China and North America, so this may explain why such transfers of money might not raise an alert,” he said.