An unidentified American company was defrauded last year out of nearly $100 million by individuals who created a fake email address to pose as one of its legitimate vendors, US authorities said on Thursday.
The details of the scheme came to light, as the US government filed a civil forfeiture lawsuit in federal court in Manhattan seeking to recover about $25 million in proceeds derived from the fraud held in at least 20 bank accounts around the world.
Nearly $74 million have been recovered and returned to the American company, authorities were quoted as saying by Reuters.
The case appeared to be the latest, and one of the largest, examples of a "business email compromise," a growing type of cyber scam in which fraudsters target businesses that work with foreign suppliers or regularly perform wire transfers.
The FBI said in an alert issued to companies last week that businesses had suffered $2.3 billion globally in losses from email wire-transfer scams from October 2013 to February of this year.
The complaint filed on Thursday "appears to be the largest email scam that I've seen," said Tom Brown, a former Manhattan federal prosecutor who is now managing director of Berkeley Research Group's cyber security practice.
The scheme at issue in Thursday's lawsuit took place from August to September and was identified after a Cyprus-based bank identified suspicious transfers, authorities said. According to the lawsuit, the perpetrators carried out the scam by creating a fake email address that resembled one of the company's vendors in Asia.
The perpetrators then posed as a vendor while communicating with a professional services company that was hired to handle the details and logistics of vendor payments for the American corporation, the lawsuit said.
The fraud caused the American firm to send $98.9 million meant for the actual vendor to an account at Eurobank Cyprus Ltd, which discovered the fraud, the lawsuit said.
Eurobank, which did not respond to an email seeking comment, on its own initiative in September restrained nearly $74 million of the funds. The remaining $25 million were laundered through other accounts in locations, including Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia and Hong Kong, authorities said. Foreign governments at the request of US authorities have restrained 20 accounts worldwide, which received portions of the remaining stolen funds that are now the subject of the lawsuit, authorities said.