It’s 4:20 p.m. on Friday. You’re looking forward to meeting your friends soon for happy hour at the local bar. Your boss is on vacation, and you’re caught up for the week. All is well. As you take one last look at your email, you see a message has just arrived from one of your suppliers – marked URGENT. The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account. They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution. They helpfully provide the correct bank routing information and demand the payment be made today. Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change. The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.
Of course, you—the reader—already know the ending of this story. The email was fraudulent, the company is now out a quarter of a million dollars, and you may be out of a job. Yet this and similar scenarios play out every day, representing a 2,370% increase in the last 18 months in identified exposed losses resulting from business e-mail compromise targeting small, medium, and large businesses.