FBI: Whaling and BEC Scams Rack Up $5bn in Ill-Gotten Gains

Written by

The FBI has issued an alert warning about a dramatic increase in business email compromise (BEC) and email account compromise (EAC) scams, with a whopping 2,370% increase in identified losses from January 2015 to December 2016.

The FBI estimates these scams have cost organizations more than $5 billion in losses over the past three years, spanning across at least 131 countries.

Whaling is the best-known version of this, where the email accounts of C-suite business executives are spoofed or hacked. A request for a wire transfer from the compromised account is made to a second employee within the company who is typically responsible for processing these requests. In some instances, a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank “X” for reason “Y.” Other versions involve W2 or personally identifiable information (PII) exfiltration from HR, attorney impersonation, or bogus “foreign supplier” invoices, among other scenarios. In all of these cases, victims receive seemingly legitimate emails from known sources, and the crooks have accurately identified the individuals and protocols necessary to perform wire or information transfers within a specific business environment.

In light of the sophistication of the recent Google Docs phishing scam, it’s becoming easier to get employees to fall for scams and put their email accounts and organizations at risk; and it’s clear that training is just not enough to prevent a breach.

"Employee and contractor negligence is one of the top causes of data breaches so it’s no surprise that BEC phishing scams have cost organizations billions of dollars,” said Dtex Systems CEO Christy Wyatt, via email. “In fact, without proper precautions, it’s very likely that this number will continue to increase as these emails become more sophisticated and personalized.”

She added, “The top priority for any organization must be for companies to protect vulnerable insiders, specifically those most likely to fall for phishing scams, and address the risky behaviors at the source so that incidents can be mitigated before they develop into costly breaches.”

What’s hot on Infosecurity Magazine?