Business Email Compromise: The $3.1 Billion Scam

Monday, October 31 at 07:25 AM
Category: Business Banking

This is an excerpt from the Federal Bureau of Investigation’s Public Service Announcement on business email compromise. View* the full PSA.

What is business email compromise?
Business email compromise (BEC) is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. 
Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices.

Who are the victims?
The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses (1). The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.
The victims of the BEC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating a specific sector does not seem to be targeted.
It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” emails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).
Some individuals reported being a victim of various scareware or ransomware cyber intrusions immediately preceding a BEC incident. These intrusions can initially be facilitated through a phishing scam in which a victim receives an email from a seemingly legitimate source that contains a malicious link. The victim clicks on the link, and it downloads malware, allowing the actor(s) unfettered access to the victim’s data, including passwords or financial account information.

Scenarios of BEC
Based on IC3 complaints and other complaint data (2), there are five main scenarios by which this scam is perpetrated. BEC victims recently reported a new scenario (data theft) involving the receipt of fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII). This scenario does not always involve the request for a wire transfer; however, the business executive’s email is compromised, either spoofed or hacked, and the victims are targeted in a similar manner as described in Scenario 2 of the BEC scam. Please see the FBI’s full PSA* for details on the scenarios and characteristics of BEC complaints.
Suggestions for protection and best practices
Businesses with an increased awareness and understanding of the BEC scam are more likely to recognize when they have been targeted by BEC fraudsters, and are therefore more likely to avoid falling victim and sending fraudulent payments.
Businesses that deploy robust internal prevention techniques at all levels (especially targeting front-line employees, who are often the recipients of the initial phishing attempts) have proven highly successful in recognizing and deflecting BEC attempts.
Consider additional IT and financial security procedures, including the implementation of a two-step verification process, such as out-of-band communication. This procedure involves establishing other communication channels, such as telephone calls, to verify significant transactions. Arrange this second-factor authentication early in the relationship and outside the email environment to avoid interception by a hacker: the call-back number should come from contact details recorded when the relationship was set up, never from the email that requests the payment or the change of bank details, since an attacker who controls the mailbox also controls that number.
See the FBI’s full PSA* for a compilation of self-protection strategies and significant changes to be aware of.
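The scenarios above describe an executive's email being either spoofed or hacked, and the protection guidance singles out front-line employees who receive the first phishing message. The following is an added example, not part of the FBI PSA or this page, showing how a mail gateway or an analyst script can flag the header-level signs of a spoofed request: a known executive's display name on a foreign address, a lookalike sender or Reply-To domain, a Reply-To that diverts replies elsewhere, and payment-pressure wording. The organisation domain (example.com), the executive roster, the phrase list and the two messages are constructed for illustration; a real deployment would load the roster from a directory and combine these heuristics with SPF/DKIM/DMARC results.

```python
"""Added example: flag common BEC indicators in raw email headers.

Not part of the FBI PSA or the bank's page. The domain, executive
roster, phrase list and sample messages below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: our own domain and the executives BEC actors impersonate.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"pat jones": "pat.jones@example.com"}

# Constructed heuristic phrase list typical of wire-fraud requests.
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|wire transfer|new bank|"
    r"updated (bank|account) details|confidential)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot examp1e.com-style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(domain: str) -> bool:
    """True if domain is within two edits of OUR_DOMAIN but not equal to it."""
    if domain == OUR_DOMAIN:
        return False
    return 1 <= _edit_distance(domain, OUR_DOMAIN) <= 2


def bec_indicators(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    findings = []

    # 1. Display-name impersonation: an executive's name on an address that
    #    is not that executive's real mailbox (spoofed or free-mail account).
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' impersonates {known} from {addr}")

    # 2. Lookalike domains on either the visible sender or the Reply-To.
    for label, a in (("From", addr), ("Reply-To", reply)):
        if a and _lookalike(_domain(a)):
            findings.append(f"{label} domain {_domain(a)} resembles {OUR_DOMAIN}")

    # 3. Replies silently routed to a different domain than the sender.
    if reply and _domain(reply) != _domain(addr):
        findings.append(f"Reply-To {reply} differs from From {addr}")

    # 4. Payment-pressure wording in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hits = sorted({m.group(0).lower() for m in URGENCY_RE.finditer(text)})
    if hits:
        findings.append("payment-pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = b"""From: Pat Jones <pat.jones@gmail-mail.net>
Reply-To: pat.jones@examp1e.com
To: ap@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

I'm in a meeting and can't talk. Please process an urgent wire transfer today
to the new bank details below. Keep this confidential.
"""

LEGIT = b"""From: Pat Jones <pat.jones@example.com>
To: ap@example.com
Subject: Q3 figures
Content-Type: text/plain

Attached are the Q3 figures for review.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

None of these checks proves fraud on its own; a hacked (rather than spoofed) executive mailbox passes all four, which is exactly why the PSA's out-of-band call-back on a pre-established number remains the control that matters for any payment or bank-detail change.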
What to do if you are a victim
If funds are transferred to a fraudulent account, it is important to act quickly:
  • Contact your financial institution immediately upon discovering the fraudulent transfer
  • Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent
  • Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of the Treasury's Financial Crimes Enforcement Network (FinCEN), might be able to help return or freeze the funds
  • File a complaint at*, regardless of dollar loss; more details are in the FBI’s full PSA*
(1) Exposed dollar loss includes actual and attempted loss in United States dollars. 
(2) Multiple source complaint data, not limited to IC3, describing the BEC scam is dated as far back as 2009. 

Information courtesy of Federal Bureau of Investigation.

Links marked with * go to a third-party site not operated or endorsed by Arvest Bank, an FDIC-insured institution.

Tags: Arvest Biz, Business Banking