Business-related inbox scams are reaching epidemic levels with the total cost to business reaching a whopping $3.1 billion. The dire warning comes from the FBI that says skyrocketing losses represent a 1,300 percent increase since January 2015.
Identified by the FBI as business e-mail compromise (BEC) crimes, the scams attempt to trick email recipients into money wire transfers, forwarding sensitive employee data such as W-2 data, paying fake invoices, or hijacking employee email accounts in order to use stolen email identities to win the confidence of scam targets.
The FBI has stepped up its BEC awareness campaign less than a month since it released its annual Internet Crime Complaint Center (IC3). In that report, the FBI reported U.S. businesses were hit hardest by BEC scams in 2015 with 7,838 complaints and losses of more than $263 million.
On Tuesday, the FBI refreshed those BEC numbers reporting 22,143 worldwide BEC victims representing $3.1 billion in losses since January 2015. Closer to home the FBI reports 14,032 U.S. BEC victims representing $961 million dollars in losses between October 2013 and May 2016.
The FBI data shows U.S. businesses are disproportionately affected by BEC crimes with 88 percent of all worldwide victims being U.S.-based and 90 percent of losses coming from U.S. companies.
“The BEC scam continues to grow, evolve, and target businesses of all sizes,” wrote the FBI. “The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.”
Security experts say these types of cybercrimes are difficult to protect against. “With BEC attacks there is no malware involved. You are exploiting human trust and business processes that involve email,” said Ryan Kalember, SVP cybersecurity strategy at the security firm Proofpoint in an interview with Threatpost reacting to the May IC3 report.
Despite the low-tech email attack vector, the FBI warns business e-mail compromise attacks can be extremely sophisticated. Attackers can lie in wait for extended periods of time studying whom a business does business with and what the business protocols are for wire transfers.
Security experts tell Threatpost they are seeing an uptick in elaborate and sophisticated ruses that involve CEOs, CFOs, COOs, HR departments and accounting. Attacks are become more sophisticated involving criminals going so far as monitoring a CEO’s social media feed to best time and color a fake request for a wire transfer.
The FBI says that BEC can also be springboards to other types of crimes with victims reporting romance, lottery, employment, and rental scams as well. In some instances, the FBI warns, victims are unwittingly drawn into becoming “money mules.” In these instances, money is transferred into target account and then directed to quickly transferred to a second offshore account or shell corporation.
Tips for steering clear of becoming a BEC victim, according to the FBI, include:
- Be careful what is posted to social media and company websites, especially job duties/descriptions, hierarchical information, and out of office details.
- Be suspicious of requests for secrecy or pressure to take action quickly.
- Consider additional IT and financial security procedures, including the implementation of a 2-step verification processes for out of band and communication
- Consider implementing two factor authentication for corporate e-mail accounts.
- Do not use the “Reply” option to respond to any business e-mails. Instead, use the “Forward” option and either type in the correct e-mail address or select it from the e-mail address book to ensure the intended recipient’s correct e-mail address is used.