Email fraud keeps getting worse. More prevalent, more insidious. More sneaky.
The FBI’s Internet Crime Center (IC3) logged a whopping 241,206 complaints in the four-and-a-half-year period ending December 2021, with losses totaling $43 billion, according to a new FBI public service announcement.
Business Email Compromise (BEC, also known as Email Account Compromise or EAC) was the biggest category of cybercrime by financial losses in 2021, according to IC3. BEC cost businesses $2.4 billion in 2021, up from $1.8 billion in 2020.
If you’re in the US (and you likely are, if you’re reading this), US losses, as recorded by the FBI, are much larger than losses reported by victims in non-US jurisdictions. Between October 2013 and December 2021 (an 8-year period), 116,401 US victims reported total losses of $14.8 billion. In that period, 5,260 non-US victims reported losses of $1.27 billion.
But what the heck is this “business email compromise”?
Bad actors send an email message to you or one of your people that appears to come from someone they know, like a vendor partner or even the company CEO. In that message, they make what seem to be legitimate requests – but they’re really not. For example…
- The vendor email includes an invoice with an updated mailing address and instructions to make a payment.
- The email from the company CEO is to an administrative staff person asks the admin person to purchase a bunch of gift cards and send a spreadsheet with the serial numbers so she can email everyone with their surprise gift.
- Someone purchasing a home receives a message from their title company (not really) with instructions on wiring his down payment.
BEC is a global problem. The scam has been reported in all 50 US states and by victims in 177 countries. Meanwhile, over 140 countries have received fraudulent transfers, according to IC3. However, banks located in Thailand and Hong Kong were the primary destination for the funds, followed by China, Mexico, and Singapore.
How do they do it?
There are several ways in which a scanner can set your company up for a BEC attack. One of the more frequently used is to spoof an email account or a website. If your operations manager got an email from “you” instructing her to go buy 50 Amazon gift cards, would she do it? She might, if the email came from firstname.lastname@example.org – even though you spell your last name “JacobsOn.” That subtle difference is seldom caught by the eye when we see something that LOOKS like what we expect.
Another tactic is spearphishing emails – where the messages look like they’re from a trusted sender but they’re really after confidential information that gives scammers the details they need to mount a BEC attack. And let’s not forget good old malware that infiltrates company networks and exposes data, including passwords and financial account information.
BEC scams are considered a sophisticated ruse that targets business and individuals who are duped into wiring funds to the scammer’s account under the belief they are performing a legitimate transaction at management’s request.
The graphic below is from the FBI website. I’ve linked the image to the article on FBI.gov if you’d like to read it. (It will open in a new tab for you.)
It’s getting worse, and even crypto is exposed
The FBI believes the pandemic and the shift to everything online spurred a 65% growth in BEC fraud losses between July 2019 and December 2021. “Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, meaning the dollar loss that includes both actual and attempted loss in United States dollars,” IC3 notes.
“This increase can be partly attributed to the restrictions placed on normal business practices during the COVID-19 pandemic, which caused more workplaces and individuals to conduct routine business virtually.”
It also reports an uptick in complaints involving cryptocurrency transfers.
The value of cryptocurrency today had a market cap of $3 trillion in November 2021, up from just $14 billion five years ago, the US secretary of the Treasury recently noted.
Second hop transfers often involves tricking the victim into providing identity documents, such as a driver’s license or passport, which the attacker uses to open cryptocurrency wallets in the victim’s name. In 2020, IC3 received reports of $10 million in losses from victims involving cryptocurrency. By 2021, the value of cryptocurrency-related losses ballooned to $40 million.
FBI advice for protecting yourself includes:
- Use two-factor authentication to verify requests for changes in account information.
- Ensure the URL(Internet address) in emails is associated with the business or individual it claims to be from.
- Be alert to fake hyperlinks that may contain misspellings of the actual domain name.
- Avoid supplying login credentials or personal information via email.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
- Ensure the settings in employees’ computers allow full email extensions to be viewed.
- Monitor your personal financial accounts on a regular basis for irregularities.
Remember, once the money has been wired to another account, the likelihood of retrieving it is dismal. Develop internal processes that have more than one person involved in wire transfers and keep your cybersecurity insurance current. Be safe!