Total identified exposed losses from Business Email Compromise (BEC), a sophisticated scam that targets businesses working with foreign suppliers and businesses that regularly pay by wire transfer, have grown 13-fold since January and now exceed $3 billion, the FBI says.
The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries, mostly to Asian banks in China and Hong Kong.
The BEC scam has claimed 22,143 domestic and international victims, with a combined exposed dollar loss of $3,086,250,090 (a figure that includes both actual and attempted losses).
Victims range from small businesses to large corporations and deal in a wide variety of goods and services, indicating that no particular sector is being singled out, according to federal reports.
“It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam”, the FBI says. “The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).”
“Some individuals reported being a victim of various Scareware or Ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a phishing scam in which a victim receives an e-mail from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the actor(s) unfettered access to the victim’s data, including passwords or financial account information.”
The BEC scam is linked to other forms of fraud, including romance, lottery, employment and rental scams. According to the FBI, the victims of those scams are usually US-based (from October 2013 to May 2016, 14,032 of 15,668 victims were in the US) and may be recruited as unwitting money mules. The mules receive the fraudulent funds in their personal accounts and are then directed by the subject to quickly transfer the funds to another bank account, usually outside the US. On instruction, mules may also open bank accounts or shell corporations to further the fraud scheme.
The FBI has seen five frequent scenarios attackers use during a BEC scam. The newest one, a data theft scenario (Scenario 5), first appeared just prior to the 2016 tax season. In it, fraudulent requests for W-2 forms and/or personally identifiable information (PII) are sent from a business executive’s compromised e-mail account. The part of the organization responsible for W-2s or for maintaining PII, such as the human resources department, bookkeeping, or the auditing section, is typically the targeted recipient of the request. Some of these incidents are isolated, while others precede a fraudulent wire transfer request. Victims report having fallen for this new scenario even when they had successfully identified and avoided the traditional BEC incident.
The other scenarios include a business working with a foreign supplier, a business executive receiving or initiating a request for a wire transfer, business contacts receiving fraudulent correspondence from a compromised e-mail account, and impersonation of a business executive or attorney.
Here is a short list of the FBI recommendations to avoid BEC scams:
Former business journalist, Razvan is passionate about supporting SMEs into building communities and exchanging knowledge on entrepreneurship. He enjoys having innovative approaches on hot topics and thinks that the massive amount of information that attacks us on a daily basis via TV and internet makes us less informed than we even think. The lack of relevance is the main issue in nowadays environment so he plans to emphasize real news on Bitdefender blogs.