WASHINGTON (AFP) - An e-mail scam which targets businesses with bogus invoices has netted more than US$214 million (S$285 million) from victims in 45 countries in just over one year, an FBI task force said Thursday.
The Internet Crime Complaint Centre, a joint effort of the Federal Bureau of Investigation and the non-profit National White Collar Crime Centre, said the losses were calculated from Oct 1, 2013 to Dec 1, 2014.
In the scheme, fake invoices are delivered to businesses which deal with overseas suppliers, asking for payment by wire transfer.
"The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed," the task force said in a statement.
"Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers."
The scam has claimed 1,198 US victims and 928 in other countries, according to the statement.
US firms have lost more than US$179 million of the total.
The FBI "believes the number of victims and the total dollar loss will continue to increase," the statement said.
In one version of the scheme, a business which works with overseas supplier is contacted by phone, fax or e-mail asking for payment.
The e-mails are "spoofed" to look as if they came from the legitimate supplier. Phone and fax requests also appear genuine.
In another version, e-mail accounts of high-level executives are compromised to allow the criminals to request a wire transfer, often including instructions to "urgently send" funds.
A third version of the scheme involves the hacking of an employee's e-mail account, which then sends out bogus invoices to vendors or suppliers.
The FBI task force said vulnerable businesses should avoid using free Web-based e-mails for official accounts and to exercise caution about posting company information on websites and social media.
The group also suggests additional security steps such as two-step verification or digital signatures.
"Always verify via other channels that you are still communicating with your legitimate business partner," the statement said.