What is Business Email Compromise (BEC)
A BEC attack begins with a cybercriminal hacking email accounts, registering lookalike domains and making them email-capable, or spoofing emails to impersonate your company’s supervisors, CEO, counterparties, or vendors. The email looks authentic and appears to come from a known authority figure, so the employee complies. Typically, the fraudster asks for money to be wired or checks to be deposited, whatever the usual business practice is. The scam has since evolved: the same technique is now used to steal employees’ personally identifiable information or wage and tax forms (e.g. W-2).
HOW DO FRAUDSTERS UTILIZE BUSINESS EMAIL COMPROMISE?
There are two main variants of BEC. The most common BEC attack comes from non-lookalike domains. These attacks include display-name spoofing and non-lookalike domain spoofing. They occur at high frequency and are well publicized.
The most dangerous BEC attack is when bad actors buy lookalike web domains and make them email-capable. The goal is to impersonate you or a colleague when communicating with vendors, counterparties, or fellow employees. This is a more dangerous alternative to spoofing because the protections put in place against spoofed mail will not stop these emails: the attacker legitimately controls the lookalike domain. Furthermore, these lookalike domains are also used for cybersquatting, phishing, and attempts to redirect the company’s web traffic. These types of attacks go far beyond BEC.
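As an added illustration (not code from the original article), the following triage check flags the two patterns described above on inbound mail: an executive's display name on a non-company address, and a sender domain that is a lookalike of the company's own. The company domain, executive names and sample headers are constructed assumptions.

```python
# Added example, not part of the original article. Flags the two BEC sender
# patterns described above. All domains, names and headers are constructed.
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"        # assumed: your organisation's mail domain
EXECUTIVES = {"jane doe", "john roe"}      # assumed: display names worth protecting


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances indicate swapped/dropped/added characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike_domain', 'name_spoof' or 'external' for a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == COMPANY_DOMAIN:
        return "internal"
    company_label = COMPANY_DOMAIN.split(".")[0]
    # Lookalike: within two edits of our domain (e.g. "rn" for "m"), or our
    # registrable label embedded in some other registered domain.
    if 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2 or company_label in domain:
        return "lookalike_domain"
    # Display-name spoofing: an executive's name on an outside mailbox.
    if name.strip().lower() in EXECUTIVES:
        return "name_spoof"
    return "external"


SAMPLE_HEADERS = [  # constructed sample From: headers
    "Jane Doe <jane.doe@example-corp.com>",
    "Jane Doe <ceo.janedoe@gmail.com>",
    "Accounts Payable <ap@exarnple-corp.com>",
    "Invoices <billing@example-corp-payments.net>",
    "Vendor Support <support@vendor-supplies.net>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{classify_sender(header):18} {header}")
```

A hit on either category is a reason to hold the message for review or to apply a visible external-sender banner, not proof of fraud on its own.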
This problem is compounded by a lack of training and by outdated policies and procedures. An employee reading an email written with a strong sense of urgency may be pressured to ignore or bypass the employer’s policies. It is vital for employees to always follow work-related policies and procedures, even if the email appears to come from their boss or the CEO. Therefore, organizations must keep policies and procedures up to date to make sure employees are fully educated and adhere to the rules.
KNOWN HIGH PROFILE CASES
- January 2015: Xoom – Internet money transfer service, San Francisco, CA. Lost $30.8 million. Recovered $0. The CFO resigned.
- January 2016: FACC AG – Aerospace company, Austria. Lost $50 million. Recovered $10.9 million. CEO and CFO were fired.
- April 2016: Schletter Group – Worldwide manufacturer, North American division. Lost W-2 Information of all 200 employees. Employees filed a class-action lawsuit, and the court allowed the employees to seek treble damages from Schletter.
- May 2016: Crelan Bank – Belgium. Lost $70 million. Recovered $0.
- September 2016: SS&C Technologies Holdings – Financial services software firm, Windsor, CT. Lost $5.9 million. Recovered: unknown. The CEO was ousted, and the company is now facing a $10 million lawsuit by Tillage Commodities Fund, the firm whose money was lost.
- January 2017: Campbell County Health, Wyoming. Lost 1,457 Employee Social Security Numbers.
- March 2017: Facebook & Google. Lost $123 million. Recovered most of the loss.
- June 2017: Southern Oregon University. Lost $1.9 million. Recovered $0.
- July 2017: Gorbel – US manufacturing company. Lost $82,000. Recovered $0.
- September 2017: Japan Airlines. Lost $3.39 million. Recovered $0.
- December 2017: O’Neill, Bragg & Staffin – Pennsylvania law firm. Lost $580,000. Recovered $0. Lost a lawsuit it filed against Bank of America, claiming the bank was responsible for not stopping the transaction. The firm is now permanently closed.
- July 2018: City of Alamogordo, New Mexico. Lost $250,000. Recovered $0.
- November 2018: Pathé – French cinema chain, film production, and distribution company. Lost $21 million. Recovered: unknown. Managing Director and CFO fired.
DEPTH OF BEC – FBI 2018 FINDINGS
In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 62,321 Business Email Compromise (BEC), phishing, and spoofing complaints with adjusted losses of $1.41 billion (BEC alone was $1.2 billion). Overall, 2018 saw a 92% increase in internet crimes with total losses over $2.7 billion with over 350,000 incidents.
BEC attacks accounted for 44% of the total monetary loss from internet crimes, targeting businesses and individuals who perform wire transfer payments. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques and then uses them to conduct unauthorized transfers of funds.
BEC is continuously evolving as scammers become more sophisticated. In 2013, BEC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information, and the targeting of the real estate sector.
The IC3, unfortunately, does not have the manpower to take on each incident. Last year, over 350,000 internet crimes were reported, and the FBI intervened in only 1,031 of them.
Data and Graph provided by IC3.gov