Alutiiq theft illustrates rise of internet imposter fraud

Momentary lapses in security protocol can be costly, and even well-worn scams still have staying power for fraudsters.

Native corporation Afognak Inc. fell prey to a web-based fraud attack, resulting in $3.8 million lost to a foreign account.

CEO Greg Hambright confirmed in an April 30 shareholder letter that subsidiary company Alutiiq LLC transferred the $3.8 million to an unknown account. A message from Hambright’s email requested that Alutiiq’s finance controller make a transaction with an “attorney,” who phoned him moments later and requested an immediate and confidential transfer of the funds.

The lost money was painfully real, but the email was an Eastern European sham and the “attorney” a confidence man.

This type of cyber-assisted crime, called imposter fraud or business e-mail compromise, has been a mainstay of the mid-level conman’s repertoire since the internet’s mainstream explosion. Typically, imposter fraud targets smaller transactions in the five-figure range, but occasionally nets larger gains like the Alutiiq attack.

Financial fraud has increased in the U.S. as technology makes it easier to impersonate. According to statistics from the Internet Crime Complaint Center, imposter fraud claimed 2,126 victims in 45 countries from October 2013 to December 2014, resulting in $215 million in losses. The Federal Trade Commission lists imposter scams as number three of the top 10 consumer complaints for 2014, with more than 276,000 complaints filed.

On the consumer end, imposters can impersonate the Internal Revenue Service or tech support companies to extort money transfers. On the business side, the impersonations are more often internal.

Treasury management sales consultant Jason Kim works with Wells Fargo to educate customers and business clients about the red flags and prevention methods for imposter fraud.

“The (Alutiiq attack) was an executive impersonation attack,” said Kim. “The other version is a vendor attack, where an attacker pretends to be a vendor looking for payment.”

Like the rest of the country, Kim said he has seen an uptick in reports of imposter fraud in Alaska, which could mean either that more attacks are happening or that clients have more education to identify them when they happen.

“Criminals are getting more savvy,” said Kim. “This isn’t an isolated incident, and you’re not immune just because you’re a smaller client.”

For internal imposter fraud like the type that attacked Alutiiq, Kim said the most effective preventative means are recognizing the signals and institutionalizing a host of simple protocols when dealing with financial transfer requests.

“When they impersonate a company executive’s email, typically the domain is off by one letter,” said Kim. “It’ll be ‘.co’ instead of ‘.com’ or something like that. Other red flags are requests to make payments, a change in writing style, payments to countries you’ve never made payments to, requests for secrecy, requests to remit payments to a personal beneficiary. Also, look at the logo or letterhead in the email to see if it’s blurry, like it’s been copied.”
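The "off by one letter" sender domain is the one red flag in that list a mail filter can check mechanically. The sketch below is an added example, not code from the article, Kim or Wells Fargo; the domain `example-corp.com`, the function names and the sample addresses are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed placeholder: the domains your organisation really sends mail from.
TRUSTED = {"example-corp.com"}

def edit_distance(a, b):
    """Edits (insert, delete, substitute, swap adjacent letters) to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "exmaple" for "example".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header):
    """Domain part of a From header, lower-cased; '' if there is no address."""
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header, trusted=TRUSTED, max_dist=1):
    """Return (verdict, matched_trusted_domain_or_None).

    'trusted' only means the domain string matches; it does not prove the
    message is authentic, since a From header can be forged or the real
    mailbox taken over. 'lookalike' means the domain is within max_dist
    edits of a trusted one, as with '.co' for '.com'.
    """
    dom = sender_domain(from_header)
    if not dom:
        return ("unparseable", None)
    if dom in trusted:
        return ("trusted", dom)
    for t in sorted(trusted):
        if edit_distance(dom, t) <= max_dist:
            return ("lookalike", t)
    return ("external", None)

if __name__ == "__main__":
    for hdr in ['"Chief Executive" <ceo@example-corp.co>',   # constructed samples
                "ap@exmaple-corp.com", "ceo@example-corp.com",
                "someone@unrelated.org"]:
        print(hdr, "->", classify(hdr))
```

A "lookalike" verdict on a payment request is a reason to hold the transfer and verify the requester through a separately known phone number, not through any contact details in the message.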

Kim advocates setting up parameters and standard practices when dealing with any transfers to prevent fraud.

“We highly recommend having dual control,” said Kim. “One person initiates a wire, and another person reviews and requests permission to send. One of the best ways to avoid imposter fraud is to verify the requester to make sure the request is valid.”

DJ Summers can be reached at daniel.summers@alaskajournal.com.

Updated: 11/20/2016 - 9:17am