Business email compromise (BEC) scams are the leading cause of losses to cybercrime. According to the U.S. Federal Bureau of Investigation (FBI), reported losses between June 2016 and December 2021 exceeded $43.3 billion. These scams, also known as email account compromise (EAC), involve compromising a business email account and using it to send emails to the individuals responsible for making wire transfers. Those emails trick the recipients into making a fraudulent wire transfer, changing the bank account information for upcoming payments, changing employees' direct deposit information, or responding to requests for sensitive employee data such as W-2 forms.
These attacks have been increasing in prevalence each year, and the losses to these scams continue to grow. Between July 2019 and December 2021, losses reported to the FBI’s Internet Crime Complaint Center (IC3) increased by 65%. BEC scams have been reported to the FBI by victims in all 50 states and in 177 countries worldwide, and more than 140 countries have received fraudulent transfers, most commonly Thailand, Hong Kong, China, Mexico, and Singapore.
While these scams typically involve money transfers, there has been an increase in BEC scams involving cryptocurrencies. IC3 first started receiving complaints about BEC scams involving cryptocurrencies in 2018, when cryptocurrency losses of less than $5 million were reported. In 2021, losses of $40 million were reported. These scams involve BEC scammers tricking victims into making direct transfers of funds to cryptocurrency custodial accounts or, alternatively, into making second hop transfers.
Second hop transfers involve victims of previous scams such as romance fraud, where their identity documents are obtained and used by the BEC actor to create a cryptocurrency account in the fraud victim’s name. The BEC actor then tricks the BEC victim into sending a cryptocurrency payment to the fraud victim, and the funds are moved to the cryptocurrency account under the control of the BEC actor.
BEC scams are often successful and can involve large payments, which makes them lucrative for threat actors. Because a trusted email account is compromised and used for the scam, the requests are often not questioned: the CEO's email account is used to send a transfer request to an employee in the finance department, the wire transfer is made, and the funds are withdrawn from the attacker's account before the scam is detected.
Defending against these attacks requires a combination of technical controls, administrative safeguards, and security awareness training. The initial phishing emails used to obtain credentials for email accounts can be blocked with a spam filter, and two-factor authentication should be enabled on all email accounts so that stolen credentials alone cannot be used. Security awareness training should teach employees about the risks of phishing and BEC attacks, train them to recognize scam emails, and condition them to check links in emails and look for red flags, such as a display name that does not match the sender's email address, or email addresses and URLs that are not associated with the business or individual being impersonated.
Any request for a wire transfer, change of payment method, or bank account change should be verified through a secondary communication channel, using previously verified contact information rather than the contact details provided in the email. The FBI also recommends configuring employee computers to display full email addresses (not just display names) and ensuring that financial accounts are closely monitored. Rapid detection of the scam can allow action to be taken to freeze funds. The scam should be reported immediately to the appropriate financial institution, and then to IC3.
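The red flags described above (a lookalike sender domain hidden behind a familiar display name, a Reply-To that diverts the conversation, and a payment request wrapped in urgency) can be checked mechanically before a finance employee acts on a message. The following is an added example, not code from the original article or from the FBI; the sample message, the trusted domain list and the keyword lists are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample of a BEC-style request (not a real message).
SAMPLE_EMAIL = b"""\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: accounts@mail-examp1e.net
To: finance@example-corp.com
Subject: Urgent wire transfer needed today
Content-Type: text/plain

Please wire the payment to the new vendor bank account before 3pm and confirm.
"""

# Assumption: the organization's own sending domain(s).
TRUSTED_DOMAINS = {"example-corp.com"}
MONEY_TERMS = re.compile(r"\b(wire|transfer|payment|bank account|direct deposit|w-2)\b", re.I)
URGENCY_TERMS = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)
# Undo common digit-for-letter substitutions so lookalike domains can be compared.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domain_of(addr: str) -> str:
    """Return the lowercased domain part of an email address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw: bytes, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the red flags found and whether out-of-band verification is warranted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    # Full-address check: the display name may look internal, but is the domain ours?
    if from_dom and from_dom not in trusted:
        flags.append(f"sender domain {from_dom} is not trusted")
        if from_dom.translate(HOMOGLYPHS) in trusted:
            flags.append(f"sender domain {from_dom} looks like a trusted domain")
    # A Reply-To on a different domain silently redirects any reply to the attacker.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    financial = bool(MONEY_TERMS.search(text))
    if financial:
        flags.append("requests a payment or account change")
        if URGENCY_TERMS.search(text):
            flags.append("uses urgency language")
    # Per the guidance above, any payment or account-change request is verified out of band.
    return {"flags": flags, "verify_out_of_band": financial}
```

A hit on `verify_out_of_band` means the recipient calls the requester on a previously known number rather than replying to the email, regardless of how many other flags fired.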