Yar, thar she blows: Corp-cash-stealing email whaling attacks now a $12.5bn industry

Business email accounts remain a lucrative way for scammers to get into companies and turn a quick buck. The FBI's Internet Crime Complaint Center (IC3) says that attacks using Business Email Compromise (stealing a legit business account and then using it to transfer funds out to criminals) have exploded, with …

  1. DJO Silver badge

    Banks culpable?

    Is there any reason other than fraud or tax evasion for anonymous bank accounts to exist?

    If so a system of identity escrow wouldn't be impossible.

    Then make the banks directly responsible for any money fraudulently transferred where the account owners cannot be identified. That should clear the problem pretty much overnight.

    1. Version 1.0 Silver badge

      Re: Banks culpable?

      In other words, make it illegal for a bank to transfer money to any account that does not have a verified identity.

      1. Ken Moorhouse Silver badge

        Re: verified identity

        Verification of who is opening the account is only the first step.

        Ongoing traceability and verification of operators of that account is a problem.

    2. seron

      Re: Banks culpable?

      In the United States (and the EU I think), in order to open a bank account, you have to show several forms of identification to prove identity. Additionally, banks are required to complete a 'Suspicious Activity Report' (SAR) for any strange transactions or behaviors. I think wiring in large amounts of money and then moving that money would qualify.

      I can't speak for Asia - or other countries, but I would think that there is some kind of verification or authentication system in place. Of course documents can be forged, but I don't think this is as easy or straightforward as it is being made out to be.

  2. Claptrap314 Silver badge

    Light at the end of the tunnel? Oncoming train.

    Not all governments are as enlightened as you appear to believe based on this post. Offshore & anonymous accounts are a way to dodge the control of oppressive governments as well.

    Or do you intend to outlaw cash like they did gold?

    1. DJO Silver badge

      Re: Light at the end of the tunnel? Oncoming train.

      Cash is fine, a moderate black market can actually stimulate an economy, this sort of fraud doesn't work with cash and only benefits the criminals (who may well spend some and inadvertently provide some local financial stimulus) and is detrimental to the wider economy.

      Anybody trying to anonymously move millions about is probably up to no good, possibly just tax evasion, maybe money laundering, quite likely proceeds of crime.

      Someone in an oppressive regime who has millions to move is probably a member of that regime, the general populace will use the cash economy hence your argument is largely spurious.

  3. Mayday

    Two factor of sorts can work here

    <<email received>>

    Give lots of $$$$ to Legit Business today please

    <<approach/ring boss>>

    Hey boss, I got your email, shall I give lots of $$$$ to Legit Business?

    <<boss>>

    yes/no

    FWIW - I can't think of a place I've worked where a simple email was enough to transfer funds or approve expenses. Most needed the boss types to log in to some kind of online portal/system to approve. Of course this can be compromised too, but that's another matter.

    1. Ken Moorhouse Silver badge

      Re: Two factor of sorts can work here

      I don't do company on-line banking but I presume there must be some emulation of the way cheque signatures have traditionally been done.

      Cheque up to £x? One signature.

      Cheque over £x? Two signatures.

      In an on-line system the first person logs in and sets up the transaction. The second person authorises it. And in my view it has to be in that order - no emulation of pre-signing blank cheques allowed. If this facility is available then one thing is certain, judging by the scams, not enough companies are making use of it.

      1. Mayday

        Re: Two factor of sorts can work here

        "I don't do company on-line banking but I presume there must be some emulation of the way cheque signatures have traditionally been done.

        Cheque up to £x? One signature.

        Cheque over £x? Two signatures." etc

        In Aussie:

        I am, and have been for a number of years, on various sporting club committees. One time about 10 years ago an unscrupulous treasurer stole from us in this manner :/ Referred to the Police and dealt with of course.

        Now we have a facility similar to what you describe when two signatories must log in to send the transaction and one to concur and confirm it. It works well.

    2. seron

      Re: Two factor of sorts can work here

      NEVER underestimate the 'lack of common sense' aka 'stupidity' of the average person. Just because you don't send money to the Nigerian Prince, doesn't mean other people won't continue to do so.

      Also, when you get a message at 4:30 on a Friday with an URGENT tag and a tight ass boss, some people panic and just do it without verification.

      1. Michael Wojcik Silver badge

        Re: Two factor of sorts can work here

        "Just because you don't send money to the Nigerian Prince, doesn't mean other people won't continue to do so."

        Including just the sort of people who are targeted by whaling attacks. (And those are just two of the better-known cases from Michigan, which I picked because I vaguely remembered them from the local newspaper.)


Biting the hand that feeds IT © 1998–2021