Share this article on:
The Federal Bureau of Investigation (FBI) has issued a public service announcement warning about the threat of Business Email Compromise/Email Account Compromise (BEC/EAC) scams. The number of attacks reported to the FBI Internet Crime Complaint Center (IC3) and the amount of money lost to these scams continues to grow each year, with losses to BEC/EAC scams increasing 65% between July 2019 and December 2021.
BEC/EAC scams are the leading cause of losses to cybercrime. Between June 2016 and December 2021, IC3 received 241,206 complaints about domestic and international BEC/EAC attacks with reported losses of more than $43.3 billion. The IC3 2021 Internet Crime Report shows victims reported losses of $2.4 billion in 2021 across 19,954 complaints – around one-third of all losses to cybercrime in 2021. The actual losses to these scams are undoubtedly far higher, as many victims do not report the scams to the FBI, especially if the losses are relatively small.
BEC/EAC scams involve compromising email accounts and using them to send emails to businesses and individuals who perform legitimate transfers of funds requesting fraudulent transfers or changes to bank account information for upcoming payments. Statistical data shows the destination accounts for these transfers are most commonly overseas. The FBI says fraudulent transfers were made to banks in 140 countries, with Thailand topping the list followed by Hong Kong, China, Mexico, and Singapore.
The number of complaints about BEC/EAC scams involving cryptocurrencies has been growing. BEC/EAC scams involving cryptocurrencies started to be received by IC3 in 2018 when losses of less than $5 million. In 2021, cryptocurrency losses from BEC/EAC scams of $40 million were reported.
While it is common for scammers to target large enterprises that routinely perform transfers of millions of dollars, businesses of all sizes have been targeted including small local firms as well as individuals. The FBI says scams have been reported domestically in all 50 states, and reports have been received from victims in 177 countries.
BEC/EAC scams are conducted frequently because they have a high success rate and the ROI is so high. Fraudulent transfers are often for hundreds of thousands or millions of dollars, and the high success rate is due to the abuse of trust. The emails requesting transfers come from the email accounts of trusted individuals, such as company executives, vendors, and business partners, and the requests for transfers or bank account changes are often not questioned. The scams can also target sensitive data, such as the personally identifiable information of employees in W-2 forms.
Businesses and individuals should take steps to protect against BEC/EAC scams. These scams often start with phishing emails to obtain credentials to email accounts, so implementing a spam filtering solution to block the initial phishing emails will help to prevent email accounts from being compromised. 2-factor authentication should also be implemented to prevent stolen credentials from being used to access email accounts. Password policies should be implemented and enforced to prevent weak passwords from being set, which are vulnerable to brute force attacks.
Businesses should conduct security awareness training to teach employees how to recognize phishing emails and BEC/EAC scams and condition them to be wary of any email that requests login credentials or PII of any kind. The emails may appear to have been sent by trusted individuals and the reason for providing information often appears legitimate.
It is important to verify the email address used to send emails to ensure that the sender’s name and email address match, and to carefully check any URLs in emails to make sure they are associated with the business or individual they claim to be from. Employees should be alert to hyperlinks that may contain misspellings of the actual domain name. Employees’ computers and corporate-issued mobile devices should be configured to allow full email extensions to be viewed.
Since these scams often involve compromised internal email accounts and those of vendors, it is important to use secondary channels or two-factor authentication to verify requests for changes to account information and wire transfers, and businesses and individuals should monitor their financial accounts closely for irregularities such as missing deposits.
Victims of BEC/EAC scams should immediately report the incidents to their financial institution and request a recall of funds, and should also file a complaint with IC3. IC3’s Recovery Assist Team initiated the Financial Fraud Kill Chain (FFKC) in 2021 on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237 and achieved a 74% success rate, freezing funds totaling $329 million.