Cyber-criminals are hacking into corporate computer systems and using the public profiles of top executives to fine-tune email scams that are duping Canadians out of hundreds of millions of dollars each year, a CBC News investigation has discovered.
"It came on the scene in a massive way, from virtually nothing to $19 million in 2014" in losses reported, said Daniel Williams of the Canadian Anti-Fraud Centre, a federal government agency.
He also says that research by the CAFC and police suggests that less than three per cent of these email scams ever gets reported, meaning the incidents and the losses are probably much higher.
"Most probably in the range of $500 million to $1 billion," Williams says. "It's big, big money. It's very organized, very sophisticated crime groups with a lot of resources putting a lot of effort ... really on an industrial scale."
- 3 charged for hacking in largest data theft in U.S. financial history
- Justice Canada employees duped en masse by fake email scam
- Tax scam targeting Canadians with IRS threats
Police and security officials warn that among the newer, more sophisticated tricks criminals have learned is how to customize forged emails by using insider information and the names of CEOs and accounting staff to pull off increasingly convincing scams.
These criminals are also netting larger and larger payouts by targeting financial industries, law offices and medium-sized businesses with malicious software that can freeze computer hard drives and hold a company's data for ransom.
"It was just a regular email from a co-worker, and with a voicemail attachment. So I proceeded to click," one woman told CBC News about her experience at a mid-sized investment firm in downtown Toronto.
Her computer froze immediately after clicking the attachment.
A message then popped up declaring her computer had been frozen. All of her data and client files were locked and encrypted by hackers using a sophisticated code, and she was told they would be destroyed unless she quickly paid a ransom of approximately $800.
"It's terrible. It's a terrible feeling and you think 'how could this happen to me?'" she recalled. "I thought I was pretty on the ball and knew what not to do, and I fell for it."
CBC agreed not to identify her or her company. For many businesses victimized by cybercrime, the fear is that they will lose customers if they speak openly about a security breach.
Her boss at first wanted to call in police. But after consulting with her firm's IT specialists, the company decided to pay off the ransom through an untraceable internet currency.
"We proceeded to order bitcoins, and get them paid off. Then, we started seeing our files come through," she recalled.
The $800 may seem like a small ransom, but Williams at CAFC, says it is just enough that people agree to pay.
He estimates thousands of Canadians are hit each year, collectively paying out millions in hopes of unlocking and regaining access to their computer data.
"The criminals wouldn't be putting out this malware infecting people's computers if it wasn't paying off for them," he says. "They do not waste their time."
In the U.S., the FBI has a centralized Internet Crime Complaints Centre dedicated exclusively to tracking cybercrimes. It logged more than 1,400 complaints of ransomware attacks in the final six months of last year alone.
"It's very common … and it is hitting everyone," said Jason Brown, a special agent in cyber-intelligence with the U.S Secret Service, during a recent conference in Toronto.
"It's hitting personal computers. It's hitting large corporate networks. It's hitting state and local government machines," Brown told CBC News. "And, honestly, we really don't have a good answer for it right now."
While police in Canada do not openly advise companies to pay ransoms, investigators concede businesses may have few options if their frozen computer files are not backed up.
Bogus 'CEO emails'
Canadian business are also suffering much bigger losses through sophisticated email scams in which crooks pose as corporate CEOs or suppliers.
Derrick Webber of CGI, a global cyber-security firm based in Ottawa, says scam artists are moving away from sending out spam emails to thousands of people at once in hopes of netting, or "phishing," a few more select victims.
"Now they're very targeted. They're doing their homework. They know exactly who you are when they send you the message," Webber told CBC News.
He says one of the most successful business email scams is known as the "CEO scam" in which a criminal poses as the company boss using a fake or hacked email account.
The "boss" writes directly to an employee in the accounting department to arrange an urgent transfer of funds.
"It might come on a Friday afternoon, just before everyone goes home, and it says 'I need this done right away, I need you to pay this invoice,'" says Webber who has helped clients investigate after they have been duped.
"The invoice, a fake invoice, will be attached and it will be for some small amount of money, it'll be $10,000, $20,000. It will look just like the CEO's regular email, sent directly to someone in accounting, and the person will think 'Oh, well, I've got to do this right now, and I want to go home' and they'll pay it.
"Of course the money goes overseas to the attacker," laments Webber. It's "a quick and easy way to steal from that company."
The supplier swindle
A second version of these email scams involves what the Canadian Anti-Fraud Centre calls the "supplier swindle."
Crooks, armed with insider information, email a company pretending to be a supplier. Again, they use a similar, or hacked email address to try to establish their bona fides.
The email instructs company accountants that future payments on outstanding invoices should be re-directed to a new bank account. Many fall for it and transfer the money to the crooks' accounts.
A third variety of the scam, which is being tracked by the CAFC, is the "financial industry wire fraud."
In this version, hackers compromise someone's computer and email account. Posing as that person, the hacker then sends instructions to that individual's bank or investment broker to have money transferred from "their" account to a foreign bank.
Together, these scams cost Canadian businesses and banking institutions millions upon millions of dollars a year.
But no one knows for sure how widespread the scams are — or the losses — because the CAFC relies on voluntary reporting by the public, and Canada has no central agency involving banks, police and cyber-security firms dedicated to tracking and coordinating investigation of cybercrime.
In the U.S., where the FBI's ICCC collects cybercrime reports and then helps refer investigations to appropriate agencies, officials have documented 2,417 victims of these corporate email scams in 2014, with total reported losses of $226 million US.
But police around the world are stymied by the growing sophistication of these cons and their ever-changing technology, not to mention the global nature of the crimes, which leave local police forces largely powerless to take action.
"They're not amateurs! These are professional organizations now," Webber warns. "The whole picture of the kid in his mother's basement, that's not true anymore. These are professional organizations, it's organized crime, and they're very, very good at what they do. And law enforcement and other defenders, we are playing catch-up."