The Business E-mail Compromise (BEC) scam is alive and well, and both the number of victims and the total losses they sustain are expected to rise.
According to a public service announcement released by the Internet Crime Complaint Center (IC3), in the period between October 1, 2013, and December 1, 2014 – 14 months in all – there were nearly 1,200 US and a little over 900 non-US victims of BEC scams, and total losses reached nearly $215 million.
“The Business E-mail Compromise is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments,” the IC3 explained.
“The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.”
The scammers are usually well informed about the individuals involved in, and the procedures used for, wire transfers at the target company, which means they do reconnaissance before striking. Both large and small businesses are targeted.
There are three main versions of the scam:
- The attackers impersonate a supplier and ask the business – via convincing phone calls, fax or email messages – to wire the payment to an alternate account belonging to the scammers.
- The attackers impersonate a high-level executive of the firm, either by compromising the executive's email account or by spoofing it, and ask the employee responsible for wire transfers to process a transfer request.
- The attackers impersonate a firm’s employee by compromising that employee's personal email account, and send a number of vendors requests to pay invoices into fraudster-controlled bank accounts. “The business may not become aware of the fraudulent requests until they are contacted by their vendors to follow up on the status of their invoice payment.”
Businesses should be on the lookout for this type of scam, and should be wary of using free web-based email services for business purposes. Sharing internal data such as job duties/descriptions and out-of-office details on social media and company websites should be avoided. Beware of sudden changes in business practices, especially a business contact switching from the company email address to a personal one. Consider a two-step verification process to confirm significant transactions, and do not use the same channel for both steps: for example, an email request confirmed by a phone call to a number already on file, not one supplied in the email.