Companies in Bellevue, Tukwila, and Seattle, warns the agency, "were led to believe they were sending money to an established supply partner in China. In reality, fraudsters intercepted legitimate emails between the purchasing and supply companies and then spoofed subsequent emails impersonating each company to the other."
The spoofed emails claimed that an internal audit required the payment funds to be sent to a different bank account belonging to the fraudsters rather than the suppliers. In the three cases in question, a total of approximately $1.65 million was stolen. In these particular cases, analysis of the spoofed emails suggested that some had originated in Nigeria and South Africa.
The FBI warning points out that either or both parties to a transaction can lose out in a man-in-the-email attack. Payment can be diverted to a different account, or the goods could be diverted to a different delivery address: the buyer can pay and never receive the goods, or the seller can ship the goods and never receive payment.
In reality, some simple precautions can prevent a man-in-the-e-mail scam. Use out-of-band two factor authentication on transactions; that is, use separate telephone conversations to confirm transactions. "Arrange this second-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker", suggests the FBI.
Use digital signatures in email accounts, but, "Be aware that this will not work with web-based e-mail accounts, and some countries ban or limit the use of encryption." In fact, don't use webmail for significant business purposes.
The FBI also recommends the use of good email practice. Don't use the 'Reply' button. "Instead", it suggests, "use the 'Forward' option and either type in the correct email address or select it from the email address book to ensure the real email address is used." And, of course, delete spam immediately and never click on any link in unexpected emails.
But perhaps above all, be a bit suspicious of sudden changes in business practices. "For example," warns the FBI, "if suddenly asked to contact a representative at their personal e-mail address when all previous official correspondence has been on a company email, verify via other channels that you are still communicating with your legitimate business partner."
Finally, the agency also requests that any company that has been or suspects that it may be the victim of such a fraud should report it to the Internet Crime Complaint Center (IC3). The more complaints that are made, the easier it is for patterns of fraud to be detected and investigated.