Identified exposed losses from Business Email Compromise (BEC), a sophisticated scam targeting businesses that work with foreign suppliers and businesses that regularly pay by wire transfer, have grown 13-fold since January, reaching over $3 billion, the FBI says.
The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries, mostly to Asian banks in China and Hong Kong.
The BEC scam claimed 22,143 domestic and international victims, and a combined exposed dollar loss of $3,086,250,090, which includes actual and attempted loss.
Victims range from small businesses to large corporations and deal in a wide variety of goods and services, indicating a specific sector does not seem to be targeted, according to federal reports.
“It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam,” the FBI says. “The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).”
“Some individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the actor(s) unfettered access to the victim’s data, including passwords or financial account information.”
The BEC scam is linked to other forms of fraud, including romance, lottery, employment and rental scams. According to the FBI, the victims are usually US-based (from October 2013 to May 2016, 14,032 of the 15,668 victims were in the US) and may be recruited as unwitting money mules. The mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds to another bank account, usually outside the US. Upon direction, mules may open bank accounts or shell corporations to further the fraud scheme.
The FBI has seen five frequent scenarios attackers use during a BEC scam. In the latest one, fraudulent requests are sent using a business executive’s compromised e-mail. The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, has frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur before a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident. The data theft scenario (Scenario 5) of the BEC first appeared just prior to the 2016 tax season.
Other scenarios include a business working with a foreign supplier, a business [executive] receiving or initiating a request for a wire transfer, business contacts receiving fraudulent correspondence through compromised e-mail and business executive and attorney impersonation.
Here is a short list of the FBI recommendations to avoid BEC scams:
- Avoid free web-based e-mail accounts: Establish a company domain name and use it to establish company e-mail accounts in lieu of free, web-based accounts.
- Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information and out-of-office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures, including the implementation of a two-step verification process. For example:
  - Out-of-Band Communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the e-mail environment to avoid interception by a hacker.
  - Digital Signatures: Both entities on each side of a transaction should use digital signatures. This will not work with web-based e-mail accounts. Additionally, some countries ban or limit the use of encryption.
- Delete Spam: Immediately report and delete unsolicited e-mail (spam) from unknown parties. DO NOT open spam e-mail, click on links in the e-mail, or open attachments. These often contain malware that will give subjects access to your computer system.
- Forward vs. Reply: Do not use the “Reply” option to respond to business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.
- Consider implementing Two Factor Authentication (TFA) for corporate e-mail accounts. TFA mitigates the threat of a subject gaining access to an employee’s e-mail account through a compromised password by requiring two pieces of information to log in: something you know (a password) and something you have (such as a dynamic PIN or code).