FBI Issues Warning About BEC Attacks as Losses Increase to $55.5 Billion
The Federal Bureau of Investigation (FBI) has issued a warning to businesses about business email compromise (BEC) scams, which have resulted in losses of almost $55.5 billion over the past decade. BEC is a sophisticated scam that targets businesses and individuals. While the aim of the scam may be to obtain sensitive information, these attacks commonly target individuals who perform legitimate transfer-of-funds requests, tricking them into making fraudulent wire transfers.
These attacks commonly start with phishing attempts that use social engineering techniques to compromise email accounts. Accounts may also be accessed using stolen credentials or through computer intrusions. Once access is gained to a suitable email account, emails are searched to find information that can be used in the scam. The scammer may monitor the account for communications, hijack message threads and take over conversations, and copy the writing style of the account holder to make their requests more realistic.
The account owner is impersonated, and emails are sent to individuals responsible for funds transfers to trick them into sending money to attacker-controlled accounts. The CEO and other members of the C-Suite are often impersonated, and requests are sent to the finance team to make fraudulent wire transfers. The attacker-controlled accounts may be domestic, although they are often accounts at international banks located in the United Kingdom, Hong Kong, China, Mexico, and the UAE. Once the transfers have been made, the funds are rapidly moved to accounts at other financial institutions. If the scam is not rapidly identified, it can be impossible to recover the transferred funds.
According to the FBI’s Internet Crime Complaint Center (IC3), between October 2013 and December 2023, more than 305,000 domestic and international BEC incidents were reported that involved $55,499,915,582 in losses. In the United States alone, there have been 158,436 victims of BEC attacks and more than $20 billion in losses. The losses are undoubtedly higher, as not all BEC attacks are reported to IC3.
Cybercriminals attempt BEC attacks on businesses of all sizes, from small businesses to the largest corporations, and attacks are on the increase. Between December 2022 and December 2023, IC3 recorded a 9% increase in global losses to these scams. In 2023, IC3 saw growth in BEC reporting where funds were sent directly to a financial institution holding custodial accounts held by third-party payment processors and cryptocurrency exchanges, which was a major factor in the increase in losses.
The FBI provided several tips for improving defenses against BEC attempts. All accounts should be protected with unique, complex passwords or passphrases, which should be changed periodically, and multifactor authentication should be implemented on accounts. Spam filtering and anti-phishing solutions can help to block initial account compromises, and security awareness training should be provided to raise awareness of the scams and to teach cybersecurity best practices.
Those practices include ensuring any URL in an email is associated with the business or individual it claims to be from, carefully checking hyperlinks for misspellings of the actual domain name, verifying the email address used to send emails, and avoiding sending personally identifiable information of any kind via email. Employee email accounts should be configured to allow full email extensions to be viewed.
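The domain checks described above can also be automated at the mail gateway or in a triage script. The following is an added example, not code from the FBI or IC3 advisory: it compares the sender, Reply-To, and link domains in a message against a trusted list and flags near-misspellings. The trusted domains, the edit-distance threshold of 2, and the sample message are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"example.com", "examplebank.com"}  # assumption: your real counterparties

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels only; a simplification that mishandles suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify(domain, trusted=TRUSTED):
    if domain in trusted:
        return "trusted"
    near = any(edit_distance(domain, t) <= 2 for t in trusted)
    return "lookalike" if near else "unknown"

def review(raw, trusted=TRUSTED):
    """Return (field, domain, verdict) for every domain that is not trusted."""
    msg = message_from_string(raw)
    seen = [("from", parseaddr(msg.get("From", ""))[1].rpartition("@")[2])]
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply:
        seen.append(("reply-to", reply))
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        seen.append(("url", urlsplit(url).hostname or ""))
    checked = [(f, base_domain(h), classify(base_domain(h), trusted)) for f, h in seen]
    return [c for c in checked if c[2] != "trusted"]

# Constructed sample message, not a real email.
SAMPLE = """\
From: "Pat Lee, CEO" <pat.lee@examp1e.com>
Reply-To: pat.lee@mail-example.net
Subject: Urgent wire today

New bank details: https://portal.examplebank.com.pay-verify.net/login
Invoice copy: https://www.example.com/invoices/1042
"""
print(review(SAMPLE))
```

The second link shows why the whole hostname has to be read from the right: a trusted name appearing as a subdomain of another domain does not make the link trusted.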
To identify fraudulent transfers, secondary channels and two-factor authentication should be used to verify requests to change account information, and financial accounts should be regularly reviewed for irregularities, such as fraudulent transfers and missing deposits. If fraudulent transfers are identified, the relevant financial institution should be contacted immediately to try to freeze the funds, and the crime should be reported to IC3, which may be able to help recover the funds.


