The Financial Crimes Enforcement Network (FinCEN), part of the US Department of the Treasury, has released an alert to financial institutions that fraudsters are attempting to steal much more money through Business Email Compromise than previously believed.
Just a year ago, the FBI warned that such BEC scams - which dupe firms into transferring funds into a bank account under a criminal's control - had tried to steal $12.5 billion between October 2013 and May 2018.
At the time that seemed like a jaw-dropping figure, but reading FinCEN's latest advisory it appears that things are much worse than the FBI had reported.
FinCEN says that in less than two years they have documented 32,000 cases of attempted theft via Business Email Compromise, totalling a staggering $9 billion since September 2016.
That amounts to almost $8.7 million every single day.
FinCEN says that the number of instances of Business Email Compromise reported to it has risen from under 500 reports per month in 2016 to over 1100 monthly reports in 2018.
The top three sectors targeted in the attacks are manufacturing and construction (25%), commercial services (18%), and real estate (16%).
According to FinCEN it is commercial services (such as shopping centres, entertainment facilities, and lodging) that have seen the biggest increase in reports, rising from 6% of reported incidents in 2017 to 18% in 2018.
The report goes on to warn that scammers use a variety of techniques to trick companies, government entities, and non-profit organisations such as churches into moving money into accounts under the control of cybercriminals.
For instance, company executives are frequently impersonated in fraudulent emails (perhaps using hacked accounts or spoofed domains), attempting to trick more junior staff into transferring funds or providing access to personal sensitive data such as payroll or wage and tax information.
In other attacks, the scammer may pose as a vendor and exploit information about, say, a well-publicised construction or renovation project as a springboard for sending in a fraudulent invoice which requests payment to a bank account under the control of a scammer or a money mule working on their behalf.
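As an added illustration (not part of the original article or of FinCEN's advisory), the script below triages inbound mail for the two patterns just described: an executive's display name on a message that actually comes from an external or lookalike domain (with replies quietly routed elsewhere), and a vendor "invoice" whose bank account does not match the vendor record that accounts payable already holds. Every domain, name, bank account and message in it is constructed for the example; the heuristics are deliberately simple and are meant as a first-pass flag that triggers out-of-band verification, not as a replacement for it.

```python
"""Heuristic BEC triage for two patterns: executive impersonation and
vendor bank-detail changes. Added example; all names, domains, IBANs and
messages are constructed and do not refer to any real organisation."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

OUR_DOMAIN = "example-corp.com"                               # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}        # constructed
VENDOR_MASTER = {"acme-build.com": "GB29NWBK60161331926819"}  # constructed
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PAYMENT_WORDS = ("invoice", "wire", "payment", "bank", "remit")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as acme-bulid.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: list) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.
    Flags small edit distance and the trusted name used as a leading
    label of a longer domain (example-corp.com.co)."""
    if domain in trusted:
        return None
    for t in trusted:
        if domain.startswith(t + ".") or levenshtein(domain, t) <= 2:
            return t
    return None


def triage(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    trusted = [OUR_DOMAIN, *VENDOR_MASTER]

    # 1. Sender domain imitates our own domain or a known vendor.
    imitated = lookalike_of(sender_domain, trusted)
    if imitated:
        findings.append(f"lookalike domain {sender_domain} imitates {imitated}")

    # 2. Display name is an executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' claims executive but sender is {addr}")

    # 3. Reply-To steers the conversation to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        findings.append(f"reply-to {reply_to} routes replies off the sender domain")

    # 4. Payment request whose bank details differ from the vendor record
    #    (or come from a domain that is not a known vendor at all).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(w in body.lower() for w in PAYMENT_WORDS):
        vendor = imitated if imitated in VENDOR_MASTER else sender_domain
        known = VENDOR_MASTER.get(vendor)
        for iban in set(IBAN_RE.findall(body)):
            if known is None:
                findings.append(f"payment details {iban} from domain not in vendor master")
            elif iban != known:
                findings.append(f"bank account {iban} differs from {vendor} record {known}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "exec_impersonation": (
        "From: Jane Doe <jane.doe@example-corp.com.co>\n"
        "Reply-To: ceo.urgent@mail-example.net\n"
        "To: payroll@example-corp.com\nSubject: Urgent wire\n\n"
        "I need a wire sent today. Will send bank details shortly.\n"
    ),
    "vendor_invoice": (
        "From: Accounts <ar@acme-bulid.com>\nTo: ap@example-corp.com\n"
        "Subject: Invoice 4471 - updated remittance\n\n"
        "Please remit invoice 4471 to our new account GB94BARC10201530093459.\n"
    ),
    "legit_invoice": (
        "From: Accounts <ar@acme-build.com>\nTo: ap@example-corp.com\n"
        "Subject: Invoice 4471\n\n"
        "Please remit invoice 4471 to GB29NWBK60161331926819 as usual.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw) or ["no findings"])
```

The executive sample trips all three identity checks (lookalike domain, borrowed display name, off-domain Reply-To); the typo-squatted vendor message is flagged both for the domain and for the changed IBAN; the genuine invoice produces nothing. In practice the "bank account differs" finding is the one that should block payment until someone phones the vendor on a number held on file, not one taken from the email.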
It's clear from FinCEN's statistics that the use of fraudulent invoices is on the rise:
"BEC scam methods have evolved over time. For example, impersonating a CEO or other high-ranking business officer accounted for 33 percent of sampled incidents in 2017, declining to 12 percent in 2018, while impersonation of an outside entity was 20 percent of 2018 reports, from an unmeasured amount in 2017. Using fraudulent vendor or client invoices grew, from 30 percent of sampled 2017 incidents, to 39 percent in 2018."
Law enforcement, financial organisations, and targeted businesses need to work closely together to share information about Business Email Compromise attacks and, where possible, detect and disrupt threats as rapidly as possible.
Technology can certainly play its part, but it's also essential to educate users about the nature of this evolving and growing threat so they know what to look out for, and to avoid making a mistake that could cost a company millions of dollars.
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.