This article relates to fraudsters’ fake emails posing as legitimate vendor communications.
The FBI estimates $2.3 billion globally has been lost in the past two and half years.
(Reuters) - An unidentified American company was defrauded last year out of nearly $100 million by individuals who created a fake email address in order to pose as one of its legitimate vendors, U.S. authorities said on Thursday.
The details of the scheme came as the U.S. government filed a civil forfeiture lawsuit in federal court in Manhattan seeking to recover about $25 million in proceeds derived from the fraud held in at least 20 bank accounts around the world.
Nearly $74 million has been recovered and returned to the American company, authorities said.
The case appeared to be the latest, and one of the largest, examples of a “business email compromise,” a growing type of cyber scam in which fraudsters target businesses that work with foreign suppliers or regularly perform wire transfers.
The FBI said in an alert issued to companies last week that businesses had suffered $2.3 billion globally in losses from email wire-transfer scams from October 2013 to February of this year.
The complaint filed on Thursday “appears to be the largest email scam that I’ve seen,” said Tom Brown, a former Manhattan federal prosecutor who is now managing director of Berkeley Research Group’s cyber security practice.
The scheme at issue in Thursday’s lawsuit took place from August to September and was identified after a Cyprus-based bank identified suspicious transfers, authorities said.
According to the lawsuit, the perpetrators carried out the scam by creating a fake email address that resembled that of one of the company’s vendors in Asia.
The perpetrators then posed as a vendor while communicating with a professional services company that was hired to handle the details and logistics of vendor payments for the American corporation, the lawsuit said.
The fraud caused the American firm to send $98.9 million meant for the actual vendor to an account at Eurobank Cyprus Ltd, which discovered the fraud, the lawsuit said.
Eurobank, which did not respond to an email seeking comment, on its own initiative in September restrained nearly $74 million of the funds.
The remaining $25 million was laundered through other accounts in locations including Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia, and Hong Kong, authorities said.
Foreign governments at the request of U.S. authorities have restrained 20 accounts worldwide that received portions of the remaining stolen funds, which are now the subject of the lawsuit, authorities said.
Originally seen on Fortune.com