BEC scammers stole $2.3 billion in less than three years

Once again, the FBI has issued a warning about business email compromise scams. Their numbers say there has been a 270 percent increase in identified victims and exposed loss since January 2015.

“Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers or regularly perform wire transfer payments,” they pointed out.

The losses can be massive. For example, Belgian bank Crelan lost €70 million (nearly $80 million) to BEC scammers, and Austrian airplane systems manufacturer FACC lost €50 million (around $57 million) after the fraudsters successfully targeted their financial and accounting department.

In the US, from October 2013 through February 2016, law enforcement received reports from 17,642 victims, and total loss reached a staggering $2.3 billion.

“The schemers go to great lengths to spoof company e-mail or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”

You can find out about the various versions of the BEC scam here and here. Nigerian scammers have also shown a predilection for them. Occasionally the scammers aren’t looking for money, but things like employees’ payroll information, which will help them perpetrate identity theft or file bogus tax return requests.

In order to prevent becoming a victim, businesses should set up specific security awareness training for their employees to help them spot these schemes. The FBI advises businesses to be wary of e-mail-only wire transfer requests and requests involving urgency, be on the lookout for mimicked e-mail addresses, to pick up the phone and verify legitimate business partners and, finally, to practice multi-level authentication for payments.

The huge returns this type of scam offer make it unlikely that they will cease any time soon. The scammers know whom to target: the names and email addresses of executives can often be found on the company website or on LinkedIn. They put much effort in creating customized emails because they know that people are likely to fall for these well-executed schemes if they can be made to believe they are authentic requests.

“In addition to technology solutions to restrict access, guarantee identity and trust, and protect against malware exploits, it’s critical for business employees to use common sense and stay alerted by their IT departments on the existence of business email scams,” says Paul Jespersen, VP, Enterprise Business Development and Emerging Products, Comodo.

“Employees can look out for any anomalies in the sender’s email domain, where the cybercriminal will often change one letter—making it difficult to spot the difference. And if employees are unsure of the legitimacy of a transfer request, they should contact IT and confirm verbally or outside of email with that executive or vendor for verification before proceeding. These tips apply to all forms of phishing, spearphishing and cybercrime, and all employees should be reminded of them regularly.”

In regards to BEC scams that ask employees to send out sensitive information via email, Jonathan Sander, VP of Product Strategy at Lieberman Software, says that there are two basic questions that arise.

“There is a question of how much power employees have to cause damage, and there is also a question of how executives expect to be able to give directions. In several of the cases where these fake CEO emails prompted employees to do the wrong thing the first thing that occurred to me was that the employee should never have been able to simply email out so much data. The employee likely shouldn’t have been able to access that much data without some sort of oversight kicking in. The fact that a single employee, for any reason, could grab so much data and simply send it to anyone, regardless of who they think that person is, is a scary prospect when you stop to think about it,” he hoted.

“Of course, you can also ask why an employee would be fooled into thinking that an executive would be making such a sweeping request. That raises the question of how executives expect to be able to give directions. Executives need to lead by example, and if their example has made employees feel that the CEO may in fact ask for such a huge dump of data without qualification or process then that is an issue. Executives need to understand that with their great power comes great responsibility. If the bad guy’s email just looks like another crazy request from above, then it’s harder to hold the employee sending out the data accountable for replying with an equal level of crazy – and causing the crazy damages.”