According to a recent FBI report, the worldwide numbers for Business Email Compromise (BEC) crimes have reached a staggering new high. A total of 22,143 worldwide BEC victims have been reported since January 2015, totaling a stunning $3.1 billion in losses.
In the U.S. alone, there were 14,032 reported BEC crimes from October 2013 to May 2016, amounting to $931 million in losses. It's a growing epidemic in the business sector, with the majority of the crimes perpetrated against U.S.-based businesses, regardless of size.
What exactly is BEC?
The FBI describes Business Email Compromise as "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds."
Basically, a BEC scammer tries to trick employees into sending money transfers by impersonating executives' email accounts. These attacks are initiated through social engineering, email spoofing or malware, and they target upper management, accounting and HR departments. The emails look so legitimate that it is easy for people to be taken in.
BEC scams range from simple fake-invoice schemes to elaborate impersonations aimed at siphoning money into the cybercriminal's bank accounts, typically located in China or Hong Kong.
Methods vary, but it only takes one compromised email account in a chain to launch an attack. A common vector is a phishing email carrying an attachment or a link; if it is opened, keylogging malware is installed quietly on the victim's computer.
The cybercriminal, now holding the email credentials, then cases the victim's business patterns, studying financial contacts and correspondence and gathering the information needed to finally launch the scheme.
Attacks have even evolved to the point where criminals monitor a target's social media accounts to learn behavioral patterns. If you know anyone who owns a business or works in IT, make sure they are aware this is happening.
So how do we protect ourselves from this growing menace?
- Be vigilant with email communication. Check email addresses carefully, especially those coming from executives demanding financial transactions. A single missing character in the address can spell the difference between safety and compromise.
- Consider using two-factor authentication for fund transfers and corporate email accounts. Verify requests over known phone numbers, and avoid including those numbers in email correspondence.
- Curate your social media feeds and avoid posting vital corporate workflow details.
- Be wary of email links and attachments. Scrutinize the link address before clicking and do not open attachments from untrusted email accounts.
- Regularly scan and protect your computer from malware, keyloggers and rootkits with trusted virus protection.
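The first item on this checklist, checking that the sender's address really belongs to the executive it claims to come from, can be automated as a mail-filter rule. The script below is an added example, not code from the original article or the FBI report. It flags the three header patterns the article describes: a sender domain that is one or two characters away from the company's real domain, a display name that matches a known executive while the actual address does not, and a Reply-To header that points somewhere other than the From domain. The executive directory, domains and sample headers are all constructed placeholders.

```python
"""Header checks for the BEC red flags in the checklist above.
All names, domains and sample headers are constructed placeholders."""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import List

# Hypothetical trusted directory: executive display name -> known mailbox.
TRUSTED_EXECS = {"Jane Doe": "jane.doe@example-corp.com"}
TRUSTED_DOMAINS = {"example-corp.com"}


@dataclass
class Finding:
    rule: str
    detail: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each missing, extra or substituted character counts as one edit."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete ca
                           cur[j - 1] + 1,           # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_headers(from_header: str, reply_to: str = "") -> List[Finding]:
    """Return the BEC indicators found in a From (and optional Reply-To) header."""
    findings: List[Finding] = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # Rule 1: lookalike domain, close to a trusted domain but not identical.
    for trusted in TRUSTED_DOMAINS:
        d = edit_distance(domain, trusted)
        if 0 < d <= 2:
            findings.append(Finding("lookalike-domain",
                                    f"{domain} is {d} edit(s) from {trusted}"))

    # Rule 2: display name claims an executive, address is not that executive's mailbox.
    expected = TRUSTED_EXECS.get(name.strip())
    if expected and addr != expected.lower():
        findings.append(Finding("display-name-mismatch",
                                f"'{name}' should be {expected}, got {addr}"))

    # Rule 3: replies would go to a different domain than the visible sender.
    if reply_to:
        _, r_addr = parseaddr(reply_to)
        r_domain = r_addr.lower().rsplit("@", 1)[-1]
        if r_domain and r_domain != domain:
            findings.append(Finding("reply-to-mismatch",
                                    f"From {domain} but Reply-To {r_domain}"))
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a genuine message and three suspicious variants.
    samples = [
        ("Jane Doe <jane.doe@example-corp.com>", ""),
        ("Jane Doe <jane.doe@exmple-corp.com>", ""),           # missing character
        ("Jane Doe <jane.doe@exampel-corp.com>", ""),          # transposed characters
        ("Jane Doe <jane.doe@example-corp.com>",
         "Jane Doe <j.doe@webmail-placeholder.test>"),         # Reply-To elsewhere
    ]
    for frm, rto in samples:
        hits = check_headers(frm, rto)
        print(frm, "->", [f"{h.rule}: {h.detail}" for h in hits] or "clean")
```

A real deployment would load the directory from the corporate address book and run these rules in the mail gateway or a SIEM rule, quarantining or tagging matches for the finance team rather than blocking outright, since legitimate partners occasionally do use look-alike domains.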
If you are a BEC victim, the FBI recommends that you contact your financial institution immediately so they can track and coordinate where the transfer was sent. Next, contact the FBI to report the crime and file a complaint with the Internet Crime Complaint Center (www.IC3.gov).