Losses from BEC Scams Mounting
The amount of money lost to business email compromise scams continues to grow each year, with a 65% increase in identified global exposed losses between July 2019 and December 2021.
That’s according to an FBI public service announcement. Business email compromise/email account compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
The increase in losses can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually, the FBI said.
“The BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers,” it said. “Based on the financial data reported to the Internet Crime Complaint Center for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021, followed by Mexico and Singapore.”
Joseph Carson is chief security scientist and advisory CISO at Delinea. He said it should come as no surprise that BEC is on the rise.
“At a time when employees continue to work remotely, it is more difficult than ever to verify with a colleague whether the request is legitimate,” he said. “When it appears to be urgent, most people will fall for such scams. The major challenge with BEC security incidents is that you have to provide evidence that your account was indeed compromised and the incident was not just human error. With cybercriminals being really good at hiding their tracks, such evidence can sometimes be very difficult to gather.”
Most organizations that become victims of BEC are not resourced internally to deal with incident response or digital forensics so they typically require external support, Carson said.
“Victims sometimes prefer not to report incidents if the amount is quite small, but those who fall for larger financial fraud BEC that amounts to thousands or even sometimes millions of U.S. dollars must report the incident in the hope that they could recoup some of the losses,” he said. “Moving forward, I highly recommend that organizations seek expertise in the private sector for incident response and digital forensics and, at the same time, report the BEC crime to law enforcement. This will help accelerate the investigation with expert resources while the crime navigates the law enforcement chain of response.”
Andy Gill is senior security consultant at Lares Consulting.
“We’re not shocked at the figure stated in the FBI PSA,” he said. “In fact, this number is likely low given that a large number of incidents of this nature go unreported and are swept under the rug. BEC attacks continue to be one of the most active attack methods utilized by criminals because they work. If they didn’t work as well as they do, the criminals would switch tactics to something with a larger return on investment.”
BEC attacks are often conducted by a threat actor phishing their initial target to gain access to email inboxes, Gill said. From there, they’ll typically search inboxes for high-value threads, such as discussions with suppliers or discussions with others within the company, to initiate further attacks either against employees or external parties.
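The follow-on step Gill describes, where an attacker who has read a victim's inbox replies into an existing supplier thread, is what a mail-security team most wants to catch. Below is an added example, not code from the article or from Lares Consulting or Delinea: a small triage script over a constructed three-message thread. The domains, message headers and the four heuristics (Reply-To domain differing from From, a one-character lookalike of a trusted domain, a new domain appearing mid-thread, and payment-change wording) are all assumptions chosen to illustrate common BEC tells; nothing about the indicators comes from the FBI PSA.

```python
# Added example (not from the article, the FBI PSA, or any vendor quoted):
# triage of a hijacked supplier thread. Messages, domains and heuristics are
# constructed for illustration; a real pipeline would parse headers with
# email.parser and pull trusted domains from the vendor master file.
from dataclasses import dataclass
from typing import Dict, List, Optional
import re


@dataclass
class Message:
    msg_id: str                  # Message-ID header
    sender: str                  # From: address
    reply_to: Optional[str]      # Reply-To: address, if present
    in_reply_to: Optional[str]   # In-Reply-To: header, if this is a reply
    subject: str
    body: str


# Wording that asks the recipient to redirect a payment; deliberately narrow.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|payment|remittance)\b",
    re.IGNORECASE | re.DOTALL,
)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("<>").lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; enough to catch one-character domain twins."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: List[str], max_dist: int = 1) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_dist:
            return t
    return None


def flags_for(msg: Message, by_id: Dict[str, Message], trusted: List[str]) -> List[str]:
    flags: List[str] = []
    d = domain_of(msg.sender)
    # 1. Replies silently routed to a different mailbox than the visible sender.
    if msg.reply_to and domain_of(msg.reply_to) != d:
        flags.append("reply-to-domain-mismatch")
    # 2. Sender domain one edit away from a domain we actually do business with.
    if lookalike_of(d, trusted):
        flags.append("lookalike-sender-domain")
    # 3. A reply in an existing thread from a domain the thread has not seen.
    parent = by_id.get(msg.in_reply_to) if msg.in_reply_to else None
    if parent and d != domain_of(parent.sender) and d not in trusted:
        flags.append("new-domain-in-existing-thread")
    # 4. The ask itself: change where the money goes.
    if PAYMENT_CHANGE.search(msg.body):
        flags.append("payment-change-language")
    return flags


def triage(messages: List[Message], trusted: List[str]) -> Dict[str, List[str]]:
    """Map each Message-ID to the list of indicators it trips (empty = clean)."""
    by_id = {m.msg_id: m for m in messages}
    return {m.msg_id: flags_for(m, by_id, trusted) for m in messages}


# Constructed sample thread: a genuine invoice, a genuine reply, then a hijack
# sent from a twin domain that threads itself under the genuine reply.
SAMPLE = [
    Message("<inv-1@acme-supplies.com>", "billing@acme-supplies.com", None, None,
            "Invoice 4471", "Please find invoice 4471 attached. Net 30 as usual."),
    Message("<re-1@example.com>", "ap@example.com", None, "<inv-1@acme-supplies.com>",
            "Re: Invoice 4471", "Received, scheduled for payment on the 28th."),
    Message("<re-2@acme-supplies.co>", "billing@acme-supplies.co",
            "billing.acme@freemail.example", "<re-1@example.com>",
            "Re: Invoice 4471",
            "Quick note before you pay: we have updated our bank account. "
            "New remittance details attached, please action today."),
]
TRUSTED = ["acme-supplies.com", "example.com"]

if __name__ == "__main__":
    for mid, fl in triage(SAMPLE, TRUSTED).items():
        print(mid, "->", fl or "clean")
```

The thread check leans on In-Reply-To, which an attacker could omit, but leaving it intact is exactly what makes the message land inside the genuine conversation, so it is usually present. None of these indicators is proof on its own; the point of scoring a reply against the thread it claims to belong to is that the hijack trips several at once while the legitimate supplier reply trips none.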