“Man-in-the-e-mail” Scam

FBI’s Seattle division has warned of a new kind of attack nicknamed “man-in-the-e-mail” with reference to the more well known “man-in-the-middle” attacks. According to an FBI notification, this attack has affected 3 companies in the Seattle area of Washington.

The modus-operandi has been to employ sophisticated phishing techniques to compromise the accounts of legitimate business partners. Once this compromise has taken place, one side of the partnership is fooled into believing that emails originating from the attacker is indeed from the other side of the partnership. In the Seattle cases, the attackers impersonated legitimate suppliers from China and asked the Seattle businesses to transfer funds to the attacker’s bank accounts. The Seattle businesses also did so, thinking that they were transferring money to their suppliers in China.

FBI has offered some safety precautions that businesses might take to protect them against this growing menace:

  • Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  • Utilize digital signatures in e-mail accounts. Be aware that this will not work with web-based e-mail accounts, and some countries ban or limit the use of encryption.
  • Avoid free, web-based e-mail. Establish a company website domain and use it to establish company e-mail accounts in lieu of free, web-based accounts.
  • Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the real e-mail address is used.
  • Delete spam: Immediately delete unsolicited e-mail (spam) from unknown parties. Do not open spam e-mail, click on links in the e-mail, or open attachments.
  • Beware of sudden changes in business practices. For example, if suddenly asked to contact a representative at their personal e-mail address when all previous official correspondencehas been on a company e-mail, verify via other channels that you are still communicating with your legitimate business partner.

If you or your business has been targeted by the man-in-the-e-mail fraud, report it to the Internet Crime Complaint Center (IC3) at www.ic3.gov. The following information is helpful to report:

Header information from e-mail messages

  • Identifiers for the perpetrator (e.g., name, website, bank account, e-mail addresses)
  • Details on how, why, and when you believe you were defrauded
  • Actual and attempted loss amounts
  • Other relevant information you believe is necessary to support your complaint
  • Reference to the man-in-the-e-mail fraud

Filing a complaint through IC3’s website allows analysts from the FBI to identify leads and patterns from the hundreds of complaints that are received daily. The sheer volume of complaints allows that information to come into view among disparate pieces, which can lead to stronger cases and help zero-in on the major sources of criminal activity. The IC3 then refers the complaints, along with their analyses, to the relevant law enforcement agency for follow-up.