Cyber-thieves are stealing millions of pounds, with a scam based around faking email messages from company bosses.
The spoofed messages ask finance staff to rush through a payment to a supplier that the chief executive cannot handle because they are out of the office.
Experts have dubbed this “whaling” fraud because it targets “one big fish” as opposed to phishing, which tends to be aimed at lots of smaller fry.
US tech company Ubiquiti Networks said it had lost $47m (£30m) to this scam.
“The focused attacks by criminals are increasing because they have realised they can make a bigger pay-off than they can from many thousands of smaller attacks,” BAE head of threat intelligence Adrian Nish said.
He said the emails came from web addresses almost identical to that of the target company, often when senior executives were known to be away from the office.
Bad guys
One security company, Centrify, only avoided falling victim to the scam when one of the finance staff happened to bump into a senior manager named in the fake email and mentioned to them that a wire transfer was being prepared.
The scammers had continued to badger the finance department to transfer the money even as the attempted fraud was being reported to the FBI, head of security Tom Kemp said.
“We were getting regularly getting targeted by these kinds of attacks,” he added.
This week, the UK’s NCC Group said it too was targeted by “whaling” fraud. In a blogpost the company said emails had been sent from a gang that had registered the nccgrroup.com domain that has one more “r” in it than their actual domain.
The email went to a senior member of the company’s finance team asking them to oversee a payment for a “professional service expense”.
Ollie Whitehouse from the NCC Group said it was an “agile and potentially viable” attack that was caught by the firm’s internal controls.
Ben Johnson, chief security strategist at Bit 9, said the scams were widespread and the gangs behind them targeted both large and small companies.
“It’s becoming a big problem,” he said, “especially for small companies that do not have the bodies to look into all the emails.
“The bad guys might only be after $100,000, but for a smaller company that’s a lot of money.”
Source: http://www.bbc.co.uk/
