The number of successful Business Email Compromise (BEC) scams has increased significantly over the past two years, according to a new financial trend analysis report from FinCEN.
BEC scams involve gaining access to a business email account and using that account to send a request to the payroll or accounts department requesting a wire transfer be made. In order for the scam to work, the compromised account must belong to someone who has the authority to authorize a payment. The CEO or CFO for example. Access is most commonly gained through the use of malware, such as spyware and keyloggers, or through spear phishing campaigns. Nigerian gangs are now concentrating on remote access tools to gain access to the network.
In 2016, these scams most commonly involved compromising the CEO’s email account, although tactics constantly change, and it is now more common for the attackers to impersonate vendors. Emails are sent requesting payment for outstanding invoices. Oftentimes, the target is studied to determine the typical payment amounts and the fraudulent invoices are adjusted accordingly so as not to arouse suspicion. In 2018, vendor impersonation was used in 30% of attacks and accounted for 41% of total payments.
Impersonating vendors has helped attackers increase wire transfer amounts. In 2016, the average payment from a CEO fraud scam was a little over $50,000. For vendor impersonation attacks, the average transfer amount is $125,439.
FinCEN’s amalgamated data show there was an average monthly fraudulent payment total of $110 million per month in 2016. That figure rose to $241 million per month in 2017 and $301 million in 2018. The number of attacks has also been increasing steadily, from around 6,000 successful attacks in 2016, to 11,000 in 2017, and 14,000 in 2018.
The most commonly attacked industry sector was manufacturing/construction, which accounted for 25% of all attacks. Commercial services were in second place, followed by the real estate sector.
In most cases (73%), the transfers were made to domestic bank accounts under the control of the attackers. That does not mean that the attackers reside in the U.S., only that is where the bank is located. Money mules are used to withdraw the funds from the accounts and distribute the money throughout the network, often transferring the money overseas.
Figures from the FBI’s Internet Crimes Complaint Center suggest the total losses to BEC attacks in 2018 was $1.2 billion, which makes these attacks responsible for the greatest losses to cybercrime.