FBI: Savvy, Crafty Wire Transfer Fraud is Booming

The FBI is warning that business email compromise (BEC) has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide.

The financial fraud tactic—which the Feds say is “more sophisticated than any similar scam the FBI has seen before”—centers on social engineering tactics that target company accountants with emails purporting to be from their superiors and the CEO. It first appeared in the wild around 2013, but has really taken off since then. The average individual loss is about $6,000, and the average loss to BEC victims is $130,000.

The FBI gave one chilling example:

The accountant for a US company received an email from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details.

“It was not unusual for me to receive e-mails requesting a transfer of funds,” the accountant later said, and when she was contacted by the lawyer via email, she noted the appropriate letter of authorization—including her CEO’s signature over the company’s seal—and followed the instructions to wire more than $737,000 to a bank in China.

The next day, when the CEO happened to call regarding another matter, the accountant mentioned that she had completed the wire transfer the day before. The CEO said he had never sent the e-mail and knew nothing about the alleged acquisition.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that have been victimized—with total dollar losses exceeding $740 million. Since the beginning of 2015 there has been a 270% increase in identified BEC victims. Victim companies have come from all 50 U.S. states and nearly 80 countries abroad. The majority of the fraudulent transfers end up in Chinese banks.

That doesn’t include victims outside the US and unreported losses.

“BEC is a serious threat on a global scale,” said FBI Special Agent Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime–Eastern Hemisphere Section in the Criminal Investigative Division. “It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.”

The scammers are believed to be members of organized crime groups from Africa, Eastern Europe and the Middle East, and they primarily target businesses that work with foreign suppliers or regularly perform wire transfer payments. The scam succeeds by compromising legitimate business email accounts through social engineering or computer intrusion techniques.

In the latter case, the criminals often employ malware to infiltrate company networks, gaining access to legitimate email threads about billing and invoices they can use to ensure the suspicions of an accountant or financial officer aren’t raised when a fraudulent wire transfer is requested.

“They know how to perpetuate the scam without raising suspicions,” Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”

The IC3 offers these tips:

  • Verify changes in vendor payment location and confirm requests for transfer of funds.
  • Be wary of free, web-based email accounts, which are more susceptible to being hacked.
  • Be careful when posting financial and personnel information to social media and company websites.
  • Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider financial security procedures that include a two-step verification process for wire transfer payments.
  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same. For example, .co instead of .com.
  • If possible, register all Internet domains that are slightly different than the actual company domain.
  • Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
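
The lookalike-domain tip above, sketched as Python detection logic rather than a rule for any particular intrusion detection product. This is an added example, not code from the FBI, IC3 or the article; the domain example-corp.com, the sample From headers and the distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumption: placeholder for your own domain

def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the real address in a From header, ignoring the display name."""
    addr = parseaddr(from_header)[1]
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header, company=COMPANY_DOMAIN, max_distance=2):
    """Return internal, lookalike-tld, lookalike-typo, external or unparseable."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain == company or domain.endswith("." + company):
        return "internal"
    name, _, tld = domain.rpartition(".")
    company_name, _, company_tld = company.rpartition(".")
    if name == company_name and tld != company_tld:
        return "lookalike-tld"      # e.g. .co instead of .com
    if edit_distance(domain, company) <= max_distance:
        return "lookalike-typo"     # a character swapped, added or dropped
    return "external"

# Constructed sample headers (not taken from any real message).
SAMPLES = [
    "Pat CEO <pat@example-corp.com>",
    "Pat CEO <pat@example-corp.co>",
    "Pat CEO <pat@examp1e-corp.com>",
    '"pat@example-corp.com" <pat@mail-relay.example>',
    "Billing <ap@supplier.example>",
]

def flag_lookalikes(headers):
    """Headers whose sender domain imitates the company domain."""
    return [(h, v) for h in headers
            if (v := classify(h)).startswith("lookalike")]
```

The fourth sample is classified as external because only the address is compared, not the display name; a mail gateway would route flagged messages to the payment verification step rather than drop them.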
