FBI's Internet Crime Complaint Center (IC3) says that Business Email Compromise (BEC) scams are continuing to grow every year, with a 100% increase in the identified global exposed losses between May 2018 and July 2019.
Also, between June 2016 and July 2019, IC3 received victim complaints regarding 166,349 domestic and international incidents, with a total exposed dollar loss of over $26 billion.
| Statistics reported in victim complaints to the IC3 between June 2016 and July 2019: | |
| Domestic and international incidents: | 166349 |
| Domestic and international exposed dollar loss: | $26,201,775,589.00 |
BEC aka EAC (short for Email Account Compromise) fraud schemes are scams carried out by crooks who will wire out funds without authorization to bank accounts they control via computer intrusion or after tricking key employees into doing it using social engineering.
This type of attack targets small, medium, and large businesses alike, as well as individuals, and it has a high success rate due to the fraudsters' choice to pose as someone that the employees trust like a CEO or a business partner.
"One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information or Wage and Tax Statement (W-2) forms," adds IC3.
The scam behind losses worth billions
Even though the number of BEC scams has also grown, the heightened awareness regarding this type of fraud scheme has also contributed to more reports coming from victims from all over the world which also added to the increased exposed losses reported for the last twelve months.
BEC scams have been reported throughout all U.S. States and in 177 countries around the world according to IC3, with scam-related transfers having been sent to banks from roughly 140 countries.
While accounts from banks from China and Hong Kong were the recipients of the largest share of fraudulent transfers, the FBI has also observed "an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey."
IC3 derived a number of BEC statistics based on data received from several sources including "IC3 and international law enforcement complaint data and filings from financial institutions between October 2013 and July 2019."
Based on the number of victim complaints received during October 2013 and July 2019, IC3 saw a total exposed dollar loss of over $10 billion for U.S. victims, and of just over $1 billion for non-U.S. victims.
| BEC/EAC statistics reported in victim complaints to the IC3 between October 2013 and July 2019: | |
| Total U.S. victims: | 69384 |
| Total U.S. exposed dollar loss: | $10,135,319,091.00 |
| Total non-U.S. victims: | 3624 |
| Total non-U.S. exposed dollar loss: | $1,053,331,166.00 |
When it comes to the number of financial recipients of fraudulent transactions stemming from BEC scams, IC3 reports that just over 32,000 recipients from U.S. collected an exposed dollar loss of more than $3 billion, while non-U.S. recipients almost hit $5 billion.
| Statistics reported in victim complaints to the IC3 between June 2016 and July 2019: | |
| Total U.S. financial recipients: | 32367 |
| Total U.S. financial recipient exposed dollar loss: | $3,543,308,220.00 |
| Total non-U.S. financial recipients: | 14719 |
| Total non-U.S. financial recipient exposed dollar loss: | $4,843,767,489.00 |
Payroll diversion schemes with intrusion events are BEC scams
Besides the run-of-the-mill BEC scam where fraudsters redirect wire transfers to their own accounts instead of a business partner, IC3 has also recently started to associate payroll diversion schemes that include an intrusion event with this type of fraud.
This type of scam requires the crooks to first phish for employees' credentials and then use them to change the victims' direct deposit accounts to attacker-controlled ones.
"Payroll diversion schemes that include an intrusion event have been reported to the IC3 for several years," says IC3. "Only recently, however, have these schemes been directly connected to BEC actors through IC3 complaints."
The total reported loss for this scam from January 1, 2018, to June 30, 2019, was of $8,323,354 after analyzing a total of 1,053 complaints received by IC3.
Defensive measures against BEC scams
IC3 provides the following guidelines for employees containing both reactive measures and preventative strategies:
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII in response to any emails.
- Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
- Keep all software patches on and all systems updated.
- Verify the email address used to send emails, especially when using a mobile or handheld device by ensuring the senders address email address appears to match who it is coming from.
- Ensure the settings the employees’ computer are enabled to allow full email extensions to be viewed.
In addition, to make sure that their employees will not fall victims to BEC attacks, companies have to implement strict vendor processes to check and authenticate payment info changes via multiple types of methods.
This includes both face-to-face meetings and/or direct phone calls when any changes to payment information are being detected.
If you discover that you are the victim of a BEC scam, you have to immediately get in touch with your financial institution "to request a recall of funds and your employer to report irregularities with payroll deposits."
The FBI also suggests to "file a complaint regardless of the amount with www.ic3.gov or, for BEC/EAC victims, BEC.IC3.gov."
Comments
zingo156 - 2 years ago
No matter how good your anti-phishing techniques are, anti-spam, mail flow rules, etc, criminals always find a way and the weakest link is the end user. No matter how good your training is for the end users, someone will forget. The only two methods I have had any luck with are MFA/2FA and Device Identity Access Managment. Though it can be annoying to implement these and an annoyance for the end user, these have worked. Businesses will need to learn that any time email, bank systems, etc can be accessed externally (online outside of a VPN with Device IAM), a user name and password alone are not enough. MFA/2FA isn't perfect either, there have been weaknesses exploited, these were problems with the companies MFA/2FA and settings to allow one touch approvals. Make sure you do not allow one touch/tap sign in on an app phone with MFA, this can cause force of habit taps. I did run into this with the Microsoft authentication application. The end user had become so accustomed to tapping allow connection that when it showed up over the weekend, the user tapped allow even though they were not signing in. I had warned against this option up front. This was the only MFA breach I have seen. Forcing the user to manually enter the pin each time on sign in is a burden but there are ways around this with Device IAM or IP based bypass.
woody188 - 2 years ago
Good advice, and I'd only add application white-listing to address unknown PE32's. It is not easy to get it implemented, but it can save your bacon. It's right in line with CIS CSC2, "inventory of authorized and unauthorized software."
zingo156 - 2 years ago
That is a good recommendation. I am a huge fan of white-list only everything. Generally I recommend end users do not/cannot install software at all and that anything that can be installed is properly vetted by IT. At the business level leaving anything open that shouldn't be is just asking for trouble. I always assume the end user is going to do the wrong thing and assume the worst due to this. With that in mind it makes it very clear what steps should be required for a process to work for that end user. Program the process so the end user cannot cause a problem even if they wanted to.