My client nearly lost $1.3 million in a wire transfer hack

We had a closing that almost didn't happen. My buyer received fake wire instructions that looked like it came from his closer at his title company. He was interviewed  by Channel  10 news regarding the experience

.

PEMBROKE PARK, Fla. - Local 10 viewer Freddie Laker nearly lost more than a million dollars, with just one click. When he realized hackers had intercepted a wire transfer during email communication with his title company, he was quick to act.

Laker was no stranger to tricks.

"I want to be clear. I was a hacker," Laker said. "I started hacking and that's what got me into technology."

But not even the former hacker -- now tech-savvy CEO -- is immune to sophisticated cyberthieves. Laker was in the process of buying his South Florida home when con artists were able to impersonate his title company and send him details to wire money.

"We had gotten a document from the title company. It was a PDF," Laker explained. "It had their logo at the top, their address, professional letterhead -- everything looked totally fine."

It was only after he sent the money, and his bank and title company were working to verify the account numbers, that he realized he had been conned.

"No one recognized these numbers," Laker said.

If it wasn't stopped soon, Laker said he was going to lose $1.3 million.

"My blood literally drained out of my face," he said.

The FBI calls it the BEC swindle.

Known as the Business E-Mail Compromise (BEC), this scam is the latest fraudulent behavior the FBI is warning about, one that could result in massive financial losses with just a click of your mouse.

"We believe that they were basically monitoring the email server, waiting for a transaction like mine where they knew that there was significant amounts of cash being moved in one go," Laker said. "And they were using a very simple trick where when you email someone, you can make it look like any email."

That's when he Called Christina, to get the word out about scams like this.

The BEC is sophisticated and becoming increasingly common, targeting businesses that regularly perform wire transfer payments.

The FBI said there has been a 1,300 percent increase in identified exposed losses related to this scam since the start of last year, with tens of thousands of people in the world with losses topping $3 billion.

From small businesses to large corporations, the BEC has popped up in all 50 states and 100 countries. According to the FBI, the swindlers will use whatever method is most commonly associated with their victim's normal business practices.

In another instance, the Fort Myers Housing Authority was duped out of more than $14,000 earlier this year in an email scam involving a wire transfer.

"The Russians and other Eastern European crime groups are super good at this stuff now," Miami-based cyber security expert Dave Aitel said. "They have moved really from hitting small government to hitting small to medium sized businesses."

According to Aitel, cyberthieves will operate on a system for a long time before they try to take money out of it.

"It is hard to prosecute. It is hard to reverse," Aitel said. "The Secret Service does a really good job of helping people track down people, but they can only do so much."

This year in Coral Springs, a business owner was scammed into transferring $450,000 to an account in China.

After receiving the email from someone he thought was his overseas business partner's lawyer, he was suspicious. An incident report from Coral Springs police said the man asked for confirmation from his colleague, and the hackers then posed as the business partner using his email address. The man sent the cash, and it has not been recovered.

Laker, however, is one lucky man. In his case, the bank was able to shut down the wire transfer while in progress. His $1.3 million was saved.

The takeaway: pairing email with verbal phone communication is a surefire way to verify account numbers and emails.

"It is just too easy to take over digital communications and assume you are talking to the right person and you are not," Laker said.

HOW TO AVOID IT

The FBI recommends that business owners avoid using free web-based email accounts and be suspicious of requests for secrecy or pressure to take action quickly.

It's also important to consider additional IT and financial security procedures, including the implementation of a two-step verification process.

[RELATED: FBI June alert]

Beware of sudden, significant changes in business practices, like a switch to personal email from usual business email correspondence, which could be signs of fraudulent activity.

IF YOU'RE A VICTIM

If you think you are victim of BEC, call the FBI immediately. Working with the U.S. Treasury Department, they might be able to help return or freeze the funds.

Be sure to contact your bank as soon as possible -- it's the move that helped save our viewer.

You can also ask your bank to contact the financial institution where the fraudulent transfer was sent.

Victims should also file a complaint, regardless of dollar loss or timing, at www.IC3.gov.

When contacting law enforcement or filing a complaint with the IC3, it is important to identify your incident as “BEC,” provide a brief description of the incident, and consider providing the following financial information:

• Originating name
• Originating location
• Originating bank name
• Originating bank account number
• Recipient name
• Recipient bank name
• Recipient bank account number:
• Recipient bank location (if available)
• Intermediary bank name (if available)
• SWIFT number
• Date
• Amount of transaction
• Additional information (if available), including “FFC”- For Further Credit; “FAV” – In Favor Of

FILING A COMPLAINT WITH IC3

Victims should always file a complaint regardless of dollar loss or timing of incident at www.IC3.gov, and, in addition to the financial information, provide the following descriptors:

• IP and/or email address of fraudulent email
• Date and time of incidents
• Incorrectly formatted invoices or letterheads
• Requests for secrecy or immediate action
• Unusual timing, requests, or wording of the fraudulent phone calls or emails
• Phone numbers of the fraudulent phone calls
• Description of any phone contact to include frequency and timing of calls
• Foreign accents of the callers
• Poorly worded or grammatically incorrect emails
• Reports of any previous email phishing activity

Call Christina team member Sara Girard contributed to this story.