The Federal Bureau of Investigation released an alert that said there has been a 65% increase in identified global exposed losses from Business Email Compromise fraud, also known as Email Account Compromise. This huge increase can partly be attributed to the COVID-19 pandemic, as restrictions caused more workspaces and individuals to conduct routine business virtually.
Statistics collected by the FBI’s IC3 (Internet Crime Complaint Center), law enforcement and derived from filings with financial institutions between June 2016 and December 2021 revealed a total of 241,206 domestic and international incidents, for an exposed loss of $43,312,749,946.
SEE: Mobile device security policy (TechRepublic Premium)
Between October 2013 and December 2021, there were 116,401 U.S. victim complaints to the IC3, and 5,260 non-U.S. victims. The exposed loss for the U.S. victims is close to 15 billion, while the exposed loss for non-U.S. victims is a bit more than $1.2 billion.
What is BEC?
Business Email Compromise is a sophisticated scam that targets companies and individuals who perform legitimate transfer-of-funds requests.
Social engineering or usage of malware makes it possible for cybercriminals to impersonate one of the people involved in those money transfers to make the victim send the money to a cybercriminal-owned banking account.
Once the fraud is detected, it is often too late to grab the money back, as the fraudsters make it move quickly to other accounts and cash it out or buy cryptocurrencies with it.
The scam is not yet always associated with a money transfer, as one variation of the fraud involves compromising legitimate business email accounts and requesting employees personally identifiable information, Wage and Tax Statement (W-2) forms or even cryptocurrency wallets, according to the agency.
Cryptocurrency is increasingly involved in BEC campaigns
Cybercriminals running BEC campaigns do increasingly make use of cryptocurrencies because cryptocurrency transactions provide more anonymity than usual wire transfers.
IC3’s feedback after tracking some iterations of this scam reveals two different modus operandi.
The direct transfer method mirrors the traditional pattern of BEC incidents from the past. A cybercriminal sends altered wire information to the victim, and social engineers him or her to send a payment to a cryptocurrency custodial account controlled by the bad actor.
The second method is called the second-hop transfer. In this attack, the fraudsters make use of other cybercrime victims. The bad actor sends altered wire instructions to a victim, so that he or she sends payment to a second victim whose PII is owned by the attacker. The funds are then moved to a cryptocurrency account controlled by the cybercriminal, who can then cash it out the way they want. This additional layer of victims, which are proxies for the funds, are often victims of extortion, romance scams or tech support fraud and have provided all the necessary PII to the threat actor.
How to protect yourself from BEC scams
- Use secondary channels or multi-factor authentication to verify requests for changes in account information. Make100% sure that the change request comes from a legitimate person. If there’s any doubt, don’t make the transfer.
- Ensure that the email is legitimate. Carefully check the links included in the email and check for all email properties. You can request your IT security staff or CSIRTs to analyze the email and confirm if it is legitimate. If there are attached files, use malware analysis sandboxes and products to be sure the file is not malicious. Once again, ask for a manual inspection by IT security staff.
- Do not send PII information via email, especially login credentials. Be aware that most requests for such information by email are fraud attempts, even if it seems to come from a legitimate trusted entity.
- Monitor all financial accounts of the company on a regular basis for irregularities, especially missing deposits.
- Have all your software and operating systems up to date. In some cases, BEC cybercriminals might attempt to infect computers with malware, generally stealers.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.