Michigan Investment Firm Loses $495,000 to Business Email Compromise Scam

An investment firm in Troy, Michigan is the latest victim of a massive Business Email Compromise scam that stole nearly half a million dollars after one of the company’s employees was fooled into transferring the money to a Hong Kong bank account.

Troy’s police department received the report from Pomeroy Investment Corporation on April 18, which involved one of the firm’s employees wiring $495,000 to a bank in Hong Kong after receiving an email request that purportedly came from a co-worker.

“Previously, it was typical for company employees to communicate by email and to make transfers of funds—even overseas,” Troy Police Sgt. Meghan Lehman told The Detroit News. “But in this case, someone hacked the account of the sender requesting the funds.” It was only eight days after the transaction that the company determined the email was fake and realized they had been scammed.


Pomeroy Investment Corp. is just one of a rising number of companies that have been victims of business email compromise (BEC) schemes. Last February, The Scoular Company, a commodities trader based in Omaha, Nebraska, lost $17.2 million when one of its executives wired the money in installments to a bank in China after receiving emails instructing him to do so. Even companies such as Snapchat, Seagate and Mansueto Ventures fell victim to similar, targeted scams that exposed their employees’ payroll and tax information.

In one of its announcements, the FBI noted an alarming 270% increase in reported losses and victims of BEC scams since January 2015. The agency also reported receiving complaints from 17,642 victims from October 2013 to February 2016, costing businesses $2.4 billion in losses.

BEC is a sophisticated scam that targets employees, executives and businesses known to engage with foreign companies and perform wire transfers regularly. It is carried out by compromising email accounts through social engineering or other intrusion techniques to conduct unauthorized fund transfers. In cases like Pomeroy’s, the scams succeeded because they combined elements to create urgency and legitimacy: the emails seemingly came from a trusted source and email domain, and were sent to the logical recipients. They were even carefully designed to fool the recipient into believing that they came from a known sender—usually a CEO, high-level executive or manager.


The FBI’s advisory on these schemes recommends that businesses create detection systems that can flag emails with domain names and extensions similar to the company’s. Adopting two-factor authentication and establishing communication channels to verify significant transactions are also recommended. Businesses are also advised to exercise restraint when publishing employee activity online, such as on the company website or social media, as scammers can use this information to prepare their attacks.
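One way to implement the lookalike-domain flagging the FBI advisory describes, as an added example that is not from the original article. The company domain `example-invest.com`, the substitution table, the edit-distance threshold of 2 and the sample headers are all assumptions constructed for illustration.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example-invest.com"  # assumed company domain (constructed)
# Assumed table of common visual substitutions, folded before comparison.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
MAX_DISTANCE = 2  # assumed threshold; tune against your own mail flow


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label: str) -> str:
    """Collapse visually confusable sequences to one canonical form."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header."""
    domain = parseaddr(from_header)[1].lower().rpartition("@")[2]
    if domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return "internal"
    company_name = fold(COMPANY_DOMAIN.split(".")[0])
    # Check every label so a changed extension (.co, .com.hk) or a
    # lookalike placed in a subdomain is caught as well as a typo.
    for label in domain.split("."):
        if edit_distance(fold(label), company_name) <= MAX_DISTANCE:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not taken from any real incident.
    for hdr in ("CFO <cfo@example-invest.com>", "CFO <cfo@exarnple-invest.com>",
                "CFO <cfo@example-invest.co>", "Billing <ap@supplier.test>"):
        print(f"{classify_sender(hdr):10} {hdr}")
```

A flag from this check is a reason to route the message for out-of-band verification before any transfer, not proof of fraud; a production version would split domains with the Public Suffix List and handle internationalized (punycode) names.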

Trend Micro products can help defend medium and large enterprises from these types of threats. The InterScan Messaging Security Virtual Appliance with enhanced social engineering attack protection defends against socially-engineered emails. BEC-related emails are blocked by the endpoint and email security capabilities of the Trend Micro Smart Protection Suites and Network Defense solutions.
