Fraudsters are using clever impersonation techniques to siphon millions from unprotected businesses
When Keith McMurtry, corporate controller of Scoular, a 124-year-old US grain-trading and storage company, was asked by his chief executive to wire $17.2m to an offshore bank account, he did not question it.
Chuck Elsea told Mr McMurtry in a top-secret email that Scoular was in talks to acquire a Chinese company. The chief executive instructed him to liaise with a lawyer at KPMG who would provide the wiring instructions to an account in China.
“We need the company to be funded properly and to show sufficient strength toward the Chinese. Keith, I will not forget your professionalism in this deal, and I will show you my appreciation very shortly,” Mr Elsea wrote in an email in June 2014. Over three transactions, Mr McMurtry transferred the $17.2m to an account in the name of Dadi Co at Shanghai Pudong Development Bank, according to an affidavit signed by an agent with the Federal Bureau of Investigation and filed in a Nebraska court.
The email was a fraud. Criminals impersonated Mr Elsea by creating a phoney email account in his name. They also set up fake email and phone numbers in the name of a real KPMG partner, who later said he had never heard of Scoular. US authorities have traced the emails and phone number to Germany, France, Israel and Russia.
Scoular, which is ranked 66th on Forbes’ list of the US’s largest private companies with revenues of $5.9bn, is one of several thousand companies that have fallen victim to a new type of fraud known as business email compromise schemes which have netted $800m in the past six months.
In January 2015, Xoom, an international money transfer company bought for $890m last July by PayPal, a pioneer in digital payments, said an employee in its finance department was duped into transferring $30.8m in corporate cash to an overseas account.
Ubiquiti Networks, a US manufacturer of wireless networking products, disclosed that its finance department was targeted last June by an imposter and transferred $46.7m to overseas accounts. After discovering the fraud the company began legal proceedings and has recovered $8.1m.
More than 12,000 businesses worldwide have been targeted by the scams, also known as CEO email schemes, between October 2013 and this month. The transactions have netted criminals $2bn, according to the Internet Crime Complaint Center, an intelligence and investigative group within the FBI that tracks computer crimes. Companies large and small, across 108 countries, have been hit and the threat is growing, law enforcement officials say.
“It has gotten quite out of hand,” says Mitchell Thompson, a supervisory special agent and head of the financial cyber crimes task force in the FBI’s New York office.
The criminals are “becoming more brash”, he says, by introducing third parties, such as law firms and consultants, to carry out the fraud. They have also become more sophisticated about how they troll potential victims.
“They’re using social media a lot against us. They might send a spam email intentionally to see that the executive is out of the office, [making] it prime time to target. They might look on Facebook and see that [the chief executive is] travelling to Europe or Australia so they know you’re in the air for a certain amount of time” and have a window to strike, Mr Thompson says.
Tricking people using the internet to steal money is hardly new. There have been criminal groups taking advantage of users of dating websites and fundraisers for disasters or terrorist attacks. A decade ago authorities were flooded with complaints of bogus Nigerian email scams and false lottery winners.
Criminals use a variety of tactics. Sometimes they gain access to executives’ emails by hacking into the accounts using phishing emails. The accounts of chief executives can also be spoofed by changing a letter or replacing a company’s official email service with a Gmail account. The phoney account created to mimic the KPMG lawyer used the suffix @kpmg-office.com, a fake address convincing enough to trick someone who is not checking carefully.
The criminals usually impersonate the executive and order the transfer, often through a second account they secretly control, such as the one said to belong to the KPMG lawyer. The money is sent to accounts in Asia or Africa, where it is harder for authorities to recover. By the time the company realises it has been duped, authorities say, the money has long gone.
Mr McMurtry told the FBI that he was not suspicious of the transfers since Scoular was discussing an expansion in China and he had been working on an annual audit with KPMG, according to the FBI affidavit. Mr McMurtry, who is no longer with Scoular, did not respond to requests for comment. Scoular also declined to speak.
The scam began simply enough. Mr McMurtry received an email purporting to be from Mr Elsea. “I have assigned you to manage file FT-809,” the bogus email said. “This is a strictly confidential operation, which takes priority over other tasks. Have you already been contacted by Rodney Lawrence [the KPMG lawyer]?” It went on: “This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
The following day “Mr Elsea” sent another email stating that the transfer was urgent and he should “proceed asap with the wire to the same beneficiary and bank account as yesterday”.