In a year where ransomware is receiving massive amounts of attention, there is another threat that continues to grow – Business Email Compromise (BEC) scams. The FBI has issued two warnings about this threat in 2016. The first warning was bad enough, with the FBI estimating BEC scams have accounted for about $2.3 billion is losses from 17,642 victims. Unfortunately, the latest warning has increased these figures.
The FBI is now saying that money lost from BEC scams is over $3 billion dollars, with more than 22,000 victims falling prey to this attack.
“The BEC scam continues to grow, evolve, and target businesses of all sizes,” the FBI warning read. “Since January 2015, there has been a 1,300% increase in identified exposed losses.”
The warning went on to say that victims of BEC scams have appeared in all 50 U.S. states as well as 100 countries throughout the world. Another noteworthy piece of information is where the money lost in these scams is ending up.
“Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong,” the alert read.
In most cases, a BEC scam attempts to portray an email or request as being urgent, placing pressure on the recipient to act fast without asking questions. The email is often sent from a legitimate looking source — such as a high-ranking company official or a bank that works with the company — which further eliminates questions from the recipient.
Money is the ultimate goal of a BEC scam. Many cases involve attempting to create a scenario where a money transfer takes place. The 2015 tax season demonstrated a new method for BEC scams — W-2 data theft.
Tax fraud was abundant in 2015. In many of these documented events, a BEC scam was used to compromise company W-2 information.
“Fraudulent requests are sent utilizing a business executive’s compromised email,” the FBI alert stated about BEC data theft scams.
“The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident.”
The alert from the FBI pointed out that BEC scams aimed at obtaining data first appeared during the 2015 tax season.
Employees are the primary targets of BEC scams. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.