Business Email Compromise Scams Have Cost Victims $3B, Reports FBI

Companies have handed over more than three billion dollars to fraudsters as a result of business email compromise (BEC) scams, reports the FBI. In a public service announcement published on Tuesday, the FBI warns companies of a growth of BEC scams, sophisticated ploys where fraudsters attempt to use social engineering techniques such as phishing or even ransomware attacks to compromise legitimate business email accounts and abuse that access to conduct fraudulent wire transfers:

"The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong."

Complaints filed with the FBI and other international law enforcement agencies suggest that business email compromise scams have victimized over 22,000 companies and caused approximately $3.1 billion in losses. In the United States alone, 14,032 companies have paid more than $960 million to BEC scammers since October 2013. Using the complaints it has received over the past few years, the FBI identifies in its alert five main scenarios by which fraudsters perpetrate the scam. The newest scenario to emerge is data theft:

"Fraudulent requests are sent utilizing a business executive’s compromised e-mail. The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident. The data theft scenario (Scenario 5) of the BEC first appeared just prior to the 2016 tax season."

Other common scenarios include working with a foreign supplier and receiving or initiating a request to conduct a wire transfer. The FBI recommends that companies protect themselves against business email compromise scams by deleting spam, avoiding free web-based email accounts, and limiting the types of information posted on social media. Any company that believes it might have been targeted by a BEC scam should contact their local FBI office as well as their trusted financial institution, the alert concludes.