Business Email Compromise (BEC) schemes, where executives are scammed via social engineering and phishing compromises that ultimately lead to fraudulent wire transfers, grew at a jaw-dropping rate of 2,370 percent in the last two years.
The FBI yesterday published its latest statistics on these unrelenting crimes, which have been reported in all 50 states in the U.S. and in 131 countries.
Most of the stolen money, the FBI said, has been funneled to banks in China and Hong Kong, and since late 2013, businesses have suffered more than $5.3 billion in losses.
“Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment,” the FBI said in its report. “The fraudsters will use the method most commonly associated with their victim’s normal business practices.”
The fraud has evolved beyond duping executives into transferring money into mule accounts, to now including requests for personal information, and tax forms such as W-2s for employees.
Usually, these scams aren’t very technical, though more and more, fraudsters are making use of cybercrime strategies such as phishing and enticing victims into clicking on links that install malware on a victim’s computer. The bad guys are clearly winning here.
In the U.S. between last June and December, the FBI recorded complaints totaling more than $346 million in losses from 3,044 incidents from domestic victims. Non-U.S. losses reported to the FBI were higher: more than $448 million for the same six-month period.
Cumulatively from October 2013 to December 2016, the FBI has recorded more than 40,000 incidents and more than $5.3 billion in losses.
“The victims of the BEC/EAC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another,” the FBI said. “It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam.”
The FBI said malware is being used by more of these scammers in advance of a Business Email Compromise, foregoing lengthy social engineering and reconnaissance for a more direct method of gaining access to email and financial accounts.
The FBI also identified five typical scenarios ripe for abuse. These include scams where the fraudster poses as a foreign supplier with whom the victim has a relationship, or scenarios where an executive’s email account has been taken over and a request is made on their behalf to someone else in the company to initiate a wire transfer to a mule account.
In other cases, the fraudsters may pose as attorneys and pressure executives to wire money in order to resolve supposedly time sensitive matters; these requests are often made at the end of a business day or prior to a weekend or long holiday break.
Fraudsters are also targeting departments within businesses such as human resources, bookkeeping and auditing that handle personal information and tax forms. The FBI said this aspect to these scams began prior to the 2016 tax season.
Researchers at Dell-SecureWorks have been particularly keen on learning more about BEC scammers, and since last August have published extensive reports on the inner workings of these fraud operations.
Insight into a Nigerian “waya-waya” operation targeting manufacturing, chemical and other high-value industries, showed how the attackers used malware to gain a man-in-the-middle position on email communication, intercepting and redirecting executives’ messages in order to cash in.
At RSA Conference earlier this year, the researchers used their own social engineering to help shut down another Nigerian scammer by gaining his trust, learning his tradecraft and how to speak his language. This level of interdiction allowed the researchers to ultimately use a blend of technical and interpersonal means to learn personal information about the attacker and put him out of business.