FBI: Business Email Compromise Scams Steal $214m in 2014

IC3 warning about business email compromise scams

Business email compromise scams trick corporate executives, employees and clients into transferring business funds to criminal bank accounts in China.

The FBI’s Internet Crime Complaint Center (IC3) is sounding the alarm on a type of fraud they are calling business email compromise (BEC) scams.

The scheme, formerly known as a man-in-the-email attack, comes in three distinct flavors, each of which is ultimately designed to dupe corporate employees or clients into wire transferring business funds into the hands of criminals. BEC fraud mostly targets companies who regularly perform wire transfers with foreign suppliers and other International third parties.

The IC3 says it has received BEC-related complaints from every U.S. state and some 45 countries. Between October 2013 and December 2014, the digital division of the FBI says BEC schemes took 1,198 U.S. victims for an astounding $179,755,367.08. Outside the U.S., the IC3 says there have been 938 victims suffering losses of $35,217,136.22. In all, that’s 2,126 victims of BEC crime and $214,972,503.30 in related losses.

The scam variants generally unfold as follows, according to the IC3:

The first – sometimes referred to as “The Bogus Invoice Scheme,” “The Supplier Swindle” and “Invoice Modification Scheme” – is essentially a social engineering scam where the attackers contact their target company via spoofed email, telephone or fax and ask for a wire transfer to an alternative account controlled by criminals or their money mules. The transfer requests are designed to look legitimate and often require intense scrutiny to be recognized as fraudulent.

The second is also called “CEO Fraud,” “Business Executive Scam,” “Masquerading,” and “Financial Industry Wire Frauds.” In this variant, the criminals compromise the email accounts of company executives and then send urgent transfer requests to the employee in charge of processing transfer requests or even directly to their financial institutions.

The third, unfortunately, does not have any alias, but attackers make it work by compromising lower-level employee email accounts and sending money transfer requests to multiple vendors identified from this employee’s contact list. The requests would route transfers into accounts controlled by the criminals. Oftentimes, the IC3 says, the businesses sending these fraudulent requests are unaware of them until vendors or clients start contacting them about suspicious invoices.

Once money is moved out of a company, the criminals perpetrating BEC fraud then disperse the funds by transferring the stolen money again several times through a number of different money transfer services. In the end, the money is said to end up in bank accounts located in mainland China and Hong Kong.

The IC3 claims that BEC schemes mostly target businesses and personnel using open source email services, which is why they recommend that companies avoid using free email. The criminals are mostly targeting individuals responsible for handling wire transfers within target organizations. However, in many instances, the attackers are known to target an employee’s personal email account rather than a work account.

Unlike many similar spam and phishing schemes, BECs are marked by their use of well-worded and carefully crafted emails. Phrases like “code to admin expenses” or “urgent wire transfer” appear across the scheme. The dollar amount noted on the wire transfer request is business specific, says the IC3, so dollar amounts requested are similar to normal business transaction amounts.

Fraudulent emails frequently coincided with travel dates for executives whose emails were compromised and victims have reported that IP addresses trace back to free domain registrars.

IC3 is advising companies to take stock of what kind of information they post in publicly viewable places and how that information can be used by hackers. Companies should also be wary of urgent or secretive requests. Large transactions, they say, should be confirmed by out-of-band communication like a phone call.

You can find a longer list of protective suggestions on the IC3’s BEC public service announcement.

Suggested articles