Last week, the FBI reported just how much companies have lost from the increasingly prevalent scam known as business email compromise (BEC), and the numbers are huge. The costly scam, which typically consists of criminals impersonating high-ranking executives or vendors and tricking companies into sending large wire transfers, has become the top fraud threat for treasury and finance professionals.
Criminals reportedly stole nearly $750 million from more than 7,000 U.S. businesses between October 2013 and August 2015. Combined with international victims, the FBI estimates that more than $1.2 billion has been lost due to BEC scams.
“There has been a 270 percent increase in identified victims and exposed loss since January 2015,” the FBI alert explains. “The scam has been reported in all 50 states and in 79 countries. Fraudulent transfers have been reported going to 72 countries; however, the majority of the transfers are going to Asian banks located within China and Hong Kong.”
AFP and multiple other outlets have widely reported on this threat, yet companies continue to fall for it. The question is, why?
According to security blogger Brian Krebs, BEC scams, though unsophisticated on the surface, are often more effective than account takeovers. “In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them,” he wrote.
One reason why these types of attacks are perhaps more of a threat than traditional cyberattacks is the approach that the criminals are taking, noted Brad Deflin, president and co-founder of Total Digital Security and a speaker at the recent CTC Corporate Treasurers Forum in Chicago. “The perpetrators of these attacks are highly skilled social engineers, versus cyber-technicians that are hacking the technology, and the ingenuity and methodology of these attacks are evolving faster than our idle imagination can grasp,” he said. “We should expect successful attack templates will be replicated and deployed all the way down the food chain in both public and private sectors to ultimately include victims at the individual and household level and each successful template will not exhaust itself until the risk/reward equation is fully diluted.”
Furthermore, BEC scams may be a bigger threat to businesses than account takeovers due to the insurance factor. Following Ubiquiti Networks’ revelation that it had been defrauded out of $47 million, the networking technology firm noted that it may not be able to obtain insurance coverage for the loss. That’s because BEC scams typically fall outside of cyber insurance coverage; you sent the money—therefore, you’re on the hook.
The FBI has observed an increase in malware being used in connection with BEC scams. Victims are typically sent a phishing email from a seemingly legitimate source and are duped into clicking on a malicious link. From there, a criminal can access the victim’s data, which includes passwords and financial account information. When executives are compromised, crooks will scour the victim’s email correspondence for certain words that reveal whether the company routinely sends wire transfers, searching for words like “invoice,” “deposit” and “president,” noted Krebs.
Additionally, the FBI has been made aware of a new version of BEC scam. Fraudsters are now contacting businesses via phone or email and posing as lawyers who claim to be handling confidential or time-sensitive information. They pressure the victim to act quickly and even secretly in transferring funds. These scammers typically make their move at the end of the business day or work week to coincide with the close of business of international financial institutions.
The FBI provided some best practices that businesses can apply to recognize these scams before any money is transferred.
- Implement a detection system that flags e-mails from domains that are similar to the company e-mail domain. For example, if your legitimate company e-mail is @company.com, an e-mail from @c0mpany.com would be flagged. Don’t just rely on spam filters to catch these emails. Krebs noted that spoofed emails used in BEC scams are unlikely to set off spam traps because the targets are not mass emailed. Furthermore, the criminals sending them take the time to research the target organization’s relationships, activities, interests, and travel and purchasing plans.
- Register all company domains that are similar to the actual company domain.
- Verify changes in vendor payment locations by requiring a second verification step, such as a secondary sign-off by company personnel.
- Confirm requests for funds transfers. When using phone verification, use previously known numbers and not the numbers provided in an e-mail request.
- Know your customers’ payment habits and typical amounts. Flag anything out of the ordinary.
- Carefully scrutinize all e-mail requests for funds transfers to determine if the requests are legitimate.
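The first item on the list, flagging sender domains that merely resemble the company domain, is the one that can be automated. The following is an added example, not code from the AFP article or the FBI alert: a small Python checker that takes the domain from a From: header and flags it if it is a digit-for-letter swap (c0mpany.com), a close typo (compnay.com), a different top-level domain (company.net), or the real domain buried inside another one (company.com.evil.net), while leaving the genuine domain and its subdomains alone. The company domain, the homoglyph table, the edit-distance threshold and the sample headers are all constructed for illustration.

```python
"""Flag inbound sender domains that look like the company's own domain.

Added example (not from the AFP article or the FBI alert). The company
domain, the thresholds and the sample headers below are constructed.
"""
import re

COMPANY_DOMAIN = "company.com"  # placeholder for the legitimate domain

# Substitutions criminals commonly use to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Lowercase the domain and collapse common digit/letter substitutions."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else ""


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN, max_distance: int = 2) -> bool:
    """True if the domain resembles the company domain but is not it."""
    domain = domain.lower().rstrip(".")
    if not domain or domain == legit or domain.endswith("." + legit):
        return False  # the real domain or one of its own subdomains
    if normalize(domain) == normalize(legit):
        return True   # homoglyph swap, e.g. c0mpany.com or cornpany.com
    if levenshtein(domain, legit) <= max_distance:
        return True   # typo-squat or dropped letter, e.g. compnay.com, company.co
    # The company's own label reused under another registrable domain,
    # e.g. company.net, company-payments.com or company.com.evil.net.
    legit_label = legit.split(".")[0]
    return any(legit_label in label for label in domain.split("."))


def flag_messages(from_headers, legit: str = COMPANY_DOMAIN):
    """Return (header, domain) pairs whose sender domain is a lookalike."""
    flagged = []
    for header in from_headers:
        domain = sender_domain(header)
        if is_lookalike(domain, legit):
            flagged.append((header, domain))
    return flagged


# Constructed sample headers; none of these are real messages.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@company.com>",
    "Accounts <ap@mail.company.com>",
    "CEO <ceo@c0mpany.com>",
    "Finance <finance@compnay.com>",
    "CFO <cfo@company.com.evil.net>",
    "Vendor <billing@partner-supplier.org>",
]

if __name__ == "__main__":
    for header, domain in flag_messages(SAMPLE_FROM_HEADERS):
        print(f"FLAG lookalike domain {domain!r} in {header!r}")
```

Run against the constructed headers, the checker flags the three spoofed senders and leaves the real domain, its mail subdomain and the unrelated vendor untouched. The edit-distance threshold of 2 is deliberately loose; a mail gateway would tune it per domain length and route flagged messages to a review queue rather than block them outright, since the same rule will also catch the company's own misspelled partners.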
Treasurers would also be wise to speak to their banking partners and see if they will hold their requests for international wire transfers for an additional period of time, to verify that the requests are legitimate. The FBI noted that some banks are already doing this on their own.
The FBI also provided actions that companies can take should they realize they have been victimized:
- Immediately contact your bank and request that they contact the corresponding financial institution where the transfer was sent.
- Contact your FBI office if the transfer is recent. The FBI, working with the Financial Crimes Enforcement Network (FinCEN), might be able to help return or freeze the funds.
- File a detailed complaint with www.IC3.gov. Be sure to identify the incident as a “BEC” scam.