Losses From Business Email Compromise Scams Top $3.1 Billion: FBI

Just two months ago, the Federal Bureau of Investigation (FBI) said that cybercriminals had managed to scam $2.3 billion from 17,642 victims in at least 79 countries through business email compromise (BEC) from October 2013 through February 2016. The FBI has since updated those figures to over 22,000 victims and nearly $3.1 billion in losses, as of May 2016.

According to a new Public Service Announcement (PSA) from the FBI’s Internet Crime Complaint Center (IC3), BEC scams continue to evolve fast, while targeting businesses of all size. The incurred losses have grown exponentially too: since January 2015, the identified exposed losses went up by 1,300%, IC3 says.

As usual, the attackers targeted businesses working with foreign suppliers and/or those that perform wire transfer payments on a regular basis. By employing various social engineering techniques, compromising legitimate email accounts, or by hacking into an enterprise’s network, attackers manage to fraudulently transfer funds to their accounts.

Fraudsters would profile their victims before launching the attack, to become familiar with their normal business practices and be able to use the payment method commonly associated with the victim. Most of the impacted companies would normally use wire transfers to move funds for business purposes, but there are also those employing checks as a common method of payment.

Last week, Trend Micro revealed that the CEO is the most popular “sender” in BEC scams (31%), followed by the President (17%). Furthermore, the security firm revealed that the CFO was the most popular recipient, at over 40%, while the director of finance came in second, at just under 10%.

According to IC3’s announcement, victims in all 50 states and in 100 countries have reported BEC scams. However, it appears that the scammers have requested transfers be sent to only 79 countries and that most of the funds were sent to Asian banks located within China and Hong Kong.

A total of 22,143 victims in the United States and other countries worldwide have reported BEC scams to date, to a total combined exposed dollar loss of $3,086,250,090, IC3 says. Between October 2013 and May 2016, IC3 received 15,668 complaints from domestic and international victims, for a combined exposed dollar loss of $1,053,849,635. Of these, 14,032 were US victims, who reported a total exposed dollar loss of $960,708,616.

Businesses of all sizes are targeted by scammers, but it is yet unknown how the cybercriminals are selecting their victims. What is clear, however, is that attackers are studying and monitoring their victims before launching an attack. “The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive ‘phishing’ e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.),” IC3 says.

Some of the victims also said that they experienced a scareware or ransomware incident before the BEC attack, intrusions supposedly facilitated through phishing scams, where the victim receives an e-mail from a seemingly legitimate source that contains a malicious document or link. Once the victim clicks on the provided link, malware is downloaded and the attacker gains access to the victim’s computer.

IC3 also explains that fraudsters request wire transfers that are in line with the normal business transaction amounts so as to not raise doubt, and that fraudulent e-mails coincide with business travel dates for executives whose e-mails were spoofed. Moreover, victims say that they were able to frequently track IP addresses back to free domain registrars.

BEC complaints usually show that open source e-mail accounts and individuals responsible for handling wire transfers are normally targeted by these scams, with spoofed e-mails closely mimicking a legitimate e-mail request. Hacked e-mails are often used as well, fraudsters create well-worded emails when requesting a wire transfer, tailor them specifically to the targeted business, and often use phrases such as “code to admin expenses” or “urgent wire transfer” in them.

“Businesses with an increased awareness and understanding of the BEC scam are more likely to recognize when they have been targeted by BEC fraudsters, and are therefore more likely to avoid falling victim and sending fraudulent payments. Businesses that deploy robust internal prevention techniques at all levels (especially targeting front line employees who may be the recipients of initial phishing attempts), have proven highly successful in recognizing and deflecting BEC attempts,” IC3 says.