The secret to comedy, according to the old joke, is timing. The same is true of cybercrime.
Mark learned this the hard way in 2017. He runs a real estate company in Seattle and asked us not to include his last name because of the possible repercussions for his business.
"The idea that someone was effectively able to dupe you ... is embarrassing," he says. "We're still kind of scratching our head over how it happened."
It started when someone hacked into his email conversation with a business partner. But the hackers didn't take over the email accounts. Instead, they lurked, monitoring the conversation and waiting for an opportunity.
When Mark and his partner mentioned a $50,000 disbursement owed to the partner, the scammers made their move.
"They were able to insert their own wiring instructions," he says. Pretending to be Mark's partner, they asked him to send the money to a bank account they controlled.
"The cadence and the timing and the email was so normal that it wasn't suspicious at all. It was just like we were continuing to have a conversation, but I just wasn't having it with the person I thought I was," Mark says.
He didn't realize what had happened until his partner said he'd never gotten the money. "Oh, it was just a cold sweat," he says.
By the time they alerted the bank, the $50,000 was long gone, transferred overseas.
It turned out Mark was on the vanguard of a growing wave of something called "business email compromise," or BEC. It's a category of scam that uses phony emails to trick employees at companies into wiring money to the wrong accounts. The FBI's Internet Crime Complaint Center says reported BEC amounted to more than $1.2 billion in 2018, nearly triple the figure in 2016. (...)
"What we've seen in 2019 is that the wave that's breaking is primarily focused around social engineering," says Patrick Peterson, CEO of Agari, a company that specializes in protecting corporate email systems. "Social engineering" is hacker-speak for scams that rely less on technical tricks and more on taking advantage of human vulnerabilities.
"It's not so much having the most sophisticated, evil technology. It's using our own trust and desire to communicate with others against us," Peterson says.
In the past, scammers have pretended to be business partners and CEOs, urging employees to send money for an urgent matter. But lately there has been a trend toward what Agari calls "vendor email compromise" — scammers pretending to be part of a company's supply chain.
by Martin Kaste, NPR
Image: Deborah Lee