Could one keystroke cost you $200,000? That happened to a homebuyer who didn't spot a misspelling in a fraudulent email address
Call it the Case of the $200,000 Typo.
A cybercriminal created an email address that was one subtle keystroke different from the email address of a real estate title company. The fraudster then emailed a homebuyer from that similar email address – example@ABCtltle.com instead of the legitimate example@ABCtitle.com. (See the tiny difference in the word title?) Accustomed to receiving emails from the title company, the homebuyer followed instructions in the email and wired the down payment for a house – to the criminal.
“The funds were quickly routed out of the country before the victim realized it, and before they could report it to us,” says FBI Special Agent Kelsey Harris. “The loss in that incident was close to $200,000.”
Would you have caught that typo? Many people do not. In 2018, the FBI received 20,373 complaints of criminal email compromises with losses of over $1.2 billion, making it the most costly form of cybercrime. As in this case, the scam is frequently carried out when a criminal compromises legitimate business email accounts and then emails consumers or businesses to steal money or data. The business emails that are compromised are used to commit crimes – sometimes on an enormous scale.
A gang of Chinese fraudsters recently stole $18.6 million from an Italian company by convincing local managers in India that the money was needed for an acquisition, according to Indian police quoted in the Times of India. In another case, a group of online scammers generated a list of 50,000 top executives to target in their schemes, ZDNet reported.
Special Agent Harris said email compromise fraud has been the most expensive cybercrime reported to the FBI’s Internet Crime Complaint Center (IC3) for the past few years. Most of the criminals in these cases are based outside the U.S., he said. “The criminals employ money mules here in the U.S. to open bank accounts to receive the fraudulent proceeds. The mules then wire the funds to the criminals.”
What consumers can do
In a case such as the typo scam, the FBI urges consumers to look closely at email addresses and all parts of a suspicious email. “Don’t just look at the title of an email and accept it at face value,” Harris says. “Study the actual email address.” Even an email that appears to legitimately ask you to make a payment could be a scam. It is a good idea to call the company, using a number from a previous bill or from its website, to verify what’s in the email. If you think you may have been victimized in a business email compromise (BEC) scheme, you can also file a complaint with the IC3.
What businesses can do
The FBI suggests businesses take these approaches:
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail. For example, legitimate e-mail of abc_company.com would flag fraudulent e-mail of abc-company.com.
- Create an e-mail rule to flag e-mail communications where the “reply” e-mail address is different from the “from” e-mail address shown.
- Verify changes in vendor payment location by adding additional two-factor authentication such as having secondary sign-off by company personnel.
- Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the e-mail request.
- Carefully scrutinize all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.
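The first two rules in the list above can be expressed as a short mail check. The following Python sketch is an added example, not FBI or Avast code; the trusted-domain list, the edit-distance threshold of 2 and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains you already do business with.
TRUSTED_DOMAINS = {"abctitle.com"}

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def address_of(header_value):
    """Lower-cased address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()

def check_message(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return sorted flags: look-alike domains and Reply-To/From mismatch."""
    msg = message_from_string(raw)
    sender, reply = address_of(msg["From"]), address_of(msg["Reply-To"])
    flags = []
    # Rule 1: a domain that is close to, but not exactly, a trusted domain.
    for dom in {a.rpartition("@")[2] for a in (sender, reply) if a}:
        for good in trusted:
            if dom != good and edit_distance(dom, good) <= max_distance:
                flags.append(f"lookalike:{dom}~{good}")
    # Rule 2: replies would go somewhere other than the visible sender.
    if reply and reply != sender:
        flags.append(f"reply-to-mismatch:{sender}->{reply}")
    return sorted(flags)

# Constructed sample messages (not real mail).
LOOKALIKE = ('From: "ABC Title" <example@ABCtltle.com>\n'
             "Subject: Wire instructions\n\nPlease wire the down payment today.\n")
REDIRECTED = ("From: example@ABCtitle.com\nReply-To: closing@mail.example\n"
              "Subject: Updated account\n\nReply to confirm.\n")
LEGIT = "From: example@ABCtitle.com\nSubject: Closing date\n\nSee you Friday.\n"

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("redirected", REDIRECTED),
                      ("legit", LEGIT)):
        print(name, check_message(raw))
```

A flag here is a reason to verify by phone using a previously known number, not proof of fraud: mailing lists and ticketing systems often set a different Reply-To legitimately.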
“The more resources companies invest in IT Security, the better off they have been,” Harris said.
Avast Email Security protects your business by filtering inbound, outbound, and internal email for spam and viruses, which are then removed and the messages indexed and encrypted. Emails that are sent un-encrypted can be automatically encrypted, re-routed, or blocked if they do not comply with the company’s encryption policy.