According to a recent alert from the FBI, businesses lost nearly $215 million to one particular type of email scam between October 2013 and December 2014. The business email compromise (BEC) swindle is an elaborate scam that starts when a business executive's or employee's email account is hacked or spoofed.
The FBI says that the business email compromise scam is a sophisticated and increasingly common type of fraud targeting businesses that work with foreign suppliers and/or businesses that regularly perform wire transfers.
According to the Internet Crime Complaint Center (IC3) – a partnership between the FBI and the National White Collar Crime Center – the BEC is a global scam with subjects and victims in many countries. The IC3 has received victim and complaint data from people in every U.S. state and 45 countries. From 10/1/13 to 12/1/14, the following statistics are reported:
- Total U.S. Victims – 1,198
- Total U.S. Dollar Loss – $179,755,367.80
- Total Non-U.S. Victims – 928
- Total Non-U.S. Dollars – $35,217,136.22
- Combined Victims – 2,126
- Combined Dollar Loss – $214,972,503.30
CEO fraud is one variation on the BEC scam. CEO fraud starts with the compromise of a high-level executive's email account (CEO, CFO, CTO, etc.). Posing as the executive, the cyber-criminal sends a wire transfer request from the compromised email account to a second employee within the company who is normally responsible for processing these requests.
According to the IC3, the wire transfer requests are well-worded, specific to the business being victimized, and do not raise suspicions about the legitimacy of the request. In some instances a request for a wire transfer from the compromised account is sent directly to the financial institution with instructions to urgently send funds to bank ‘X’ for reason ‘Y’.
The people perpetrating these scams do their homework before targeting a business and its employees, monitoring and studying potential victims prior to initiating the scam. Fraudulent emails have coincided with real business travel dates for individuals whose email accounts were spoofed. These criminals have been able to accurately identify the individuals responsible for wire transfers and also the specific protocol necessary to perform wire transfers within a particular business environment.
The IC3 recommends that businesses protect themselves by adopting two-step or two-factor authentication for email where possible, and by establishing a separate communication channel – such as a telephone call to a known number – to verify significant transactions before they are processed.
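The following script is an added example, not code from the original article or from the IC3. It runs the checks a mail gateway or finance team can apply to an incoming transfer request: an executive's display name on an address that is not the executive's known one, a Reply-To that diverts replies elsewhere, wire-transfer wording, and urgency language. The executive roster, the company domain, the keyword lists and the three sample messages are all constructed for illustration. Note that a message sent from a genuinely compromised account passes the header checks, which is exactly why the last function treats every transfer request as needing out-of-band verification regardless of the header flags.

```python
"""Flag wire-transfer request emails that carry common BEC indicators.

Added example, not from the original article. The roster, domain and
sample messages below are constructed for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed roster of executives and their real addresses (constructed).
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
# Assumed phrase lists; a real deployment would tune these.
TRANSFER_WORDS = ("wire transfer", "send funds", "transfer of funds", "bank transfer")
URGENCY_WORDS = ("urgent", "asap", "right away", "immediately", "today")


def bec_indicators(raw: bytes) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_name, from_addr = from_name.strip().lower(), from_addr.lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_addr = reply_addr.lower()
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body else ""
    text = (str(msg.get("Subject", "")) + "\n" + body_text).lower()

    flags = []
    # Display-name spoofing or a look-alike domain: the name is an executive's,
    # but the address is not the one on the roster.
    if from_name in EXECUTIVES and from_addr != EXECUTIVES[from_name]:
        flags.append("executive display name on an address that is not the executive's")
    # A Reply-To that differs from From diverts the victim's reply to the attacker.
    if reply_addr and reply_addr != from_addr:
        flags.append("Reply-To differs from From")
    if any(w in text for w in TRANSFER_WORDS):
        flags.append("wire transfer request")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    return flags


def requires_out_of_band_verification(raw: bytes) -> bool:
    """Every transfer request gets a phone call to a known number, whatever the
    headers look like: a compromised (not spoofed) account shows no header anomaly."""
    return "wire transfer request" in bec_indicators(raw)


# Constructed sample messages.
SAMPLE_SPOOFED = b"""From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Reply-To: jane.doe.ceo@freemail.invalid
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

I'm travelling and can't take calls. Please process a wire transfer of
$48,000 to the account below right away.
"""

SAMPLE_COMPROMISED = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Payment
Content-Type: text/plain; charset=utf-8

I'm in meetings all day and can't take calls. Please send funds of $48,000
to the vendor account below immediately; I'll send the paperwork tomorrow.
"""

SAMPLE_BENIGN = b"""From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board deck
Content-Type: text/plain; charset=utf-8

Could you send me the Q3 board deck when you get a chance? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED),
                          ("compromised", SAMPLE_COMPROMISED),
                          ("benign", SAMPLE_BENIGN)):
        print(label, bec_indicators(sample),
              "verify by phone" if requires_out_of_band_verification(sample) else "ok")
```

The compromised-account sample is the instructive one: From matches the roster and there is no Reply-To, so only the content checks fire. Header heuristics catch spoofing, but they cannot catch a request sent from a hijacked mailbox, which is why the callback step in the IC3's recommendation is the control that actually matters.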
For more information about how to analyze the security of your inbox, take a look at this informative infographic by Krebs on Security: