6 min read

Business Email Compromise Scams Have Netted $12.5 Billion, Says FBI

Graham Cluley

July 18, 2018

Business Email Compromise Scams Have Netted $12.5 Billion, Says FBI

The FBI is once again warning businesses of the serious dangers posed by business email compromise (BEC) scams, saying that losses globally have risen by 136% since December 2016.

Business email compromise works because we’re all too trusting of email.  Just because you receive an email which appears to come from your boss’s email account, doesn’t mean that your boss really sent it to you.

It’s perfectly possible that it’s someone who is forging your boss’s email address or – worse – has managed to compromise your boss’s email account in order to send you fraudulent messages, perhaps asking you to transfter funds into a bank account under a hacker’s control, or forward sensitive information.

Data from the Internet Crime Complaint Center (IC3) and international law enforcement agencies found that there have been 78,617 reported incidents and a jaw-dropping $12,536,948,299 exposed between October 2013 and May 2018.

For those of you finding it hard to count such a big number – that’s over 12.5 billion dollars.

The FBI’s BEC warning shines a spotlight on one particularly commonly targeted industry: the real estate sector.

“Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals. The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”


Between 2015 and 2017 there was an over 1100% rise in the number of BEC victims related to real estate transactions, and an almost 2200% rise in the reported monetary loss.  Things are clearly getting worse, with May 2018 seeing the highest number of real estate victims since 2015.

For this reason, it is essential that those engaged in real estate transactions verify any request for a change in how payments will be made and/or their destination.

Additionally, it would be sensible to be wary of any communication that is exclusively email-based, and a good idea to have another channel of communication to verify any directions are legitimate.

One way to defend against such attacks is to agree code phrases that will only be known to the two legitimate parties, and not something that would be easily determined by a scammer – even if they did manage to break into an email account.

Personally. if I was buying or selling a property, one of my first instructions to my real estate agent would be to advise them that under no circumstances will I be asking them to move money into a different bank account than the one about which I initially informed them.

Based upon financial data examined by the IC3 and financial institutions, Asian banks located in China and Hong Kong remain the primary destination for fraudulent funds.

However, recently bank accounts in the UK, Mexico, and Turkey have also been identified recently as prominent recipients for money transfers.

Although BEC is most commonly targeting money, it’s important to recognise that that is not the only material of interest to the fraudster.  There are also numerous incidents where companies have been targeted not with the intent of transferring funds, but instead requesting personally identifiable information or payroll and tax statement (W-2) forms for employees.

BEC is often a low-tech crime, but one with potentially huge rewards for the scammer behind it. To properly defend your business you should not only invest in technology, but also train your employees to be on the lookout for scammy emails – whether they appear to come from the boss or not.

For more advice on hardening your business against email compromise scams, check out this article. 



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

View all posts

You might also like