Losses from cybercrime totaled a staggering $3.5 billion in the U.S. alone, and BEC scams accounted for nearly half, according to the 2019 Internet Crime Report released by the Federal Bureau of Investigation.
The 2020 Payments Fraud and Control Survey by the Association for Financial Professionals (AFP) shows that 75% of all organizations suffered monetary losses following BEC attacks in 2019. While most respondents confirm the implementation of internal strategies to help workers better understand and efficiently spot BEC scams, financial leaders of more than 50% of businesses have encountered difficulties enforcing BEC controls.
Cybercriminals started leveraging the $2 trillion Economic Stimulus Payments well before the mid-April rollout of the highly anticipated payments to the American public, and law enforcement agencies are once again on alert, issuing warnings about fraud attempts surrounding SBA loans.
The public health and economic impacts of COVID-19 continue to fuel scam artists and fraudsters bent on defrauding Americans of their government aid packages stipulated in the Coronavirus Aid, Relief, and Economic Security Act (CARES Act). On top of providing economic assistance to American workers and families, the government program gives small businesses access to $349 billion in resources to retain jobs or settle unpaid expenses.
A malicious campaign using carefully designed phishing emails targeting SBA applicants is currently underway, and the FBI expects a rise in business email compromise (BEC) scams. Based on recent trends, and with more than 1,200 complaints of BEC fraud incidents reported to the FBI since March 30, numbers are anticipated to rise considerably.
Last month, the US Small Business Administration (SBA) disclosed a security incident regarding the online portal used by business owners to apply for relief under the Economic Injury Disaster Loan Program. The suspected data breach exposed the personal data of nearly 8,000 business owners, including names, Social Security numbers, addresses, birth dates, email addresses, phone numbers, citizenship statuses and insurance information.
While the SBA is currently unable to accept new applications for the Economic Injury Disaster Loan, this will not hamper the malicious activity of cybercriminals who use the SBA’s name and claim to offer relief for small businesses.
With a wealth of personally identifiable information on hand, criminals can easily target specific businesses and workers with spear phishing campaigns in an attempt to install malware and gain additional sensitive information such as passwords, account information or credit card information.