Business Email Compromise Scams Cost Businesses Millions in Losses
Business Email Compromise (BEC) is a type of online scam that targets businesses that pay suppliers and partners by wire transfer. The US Federal Bureau of Investigation (FBI) reports a 1,300% rise in identified losses since January 2015, totaling over $3 billion USD. Hackers stole $1.3 billion from companies in 2018, roughly twice the 2017 losses.
Business Email Compromise scams are also known as Man-in-the-Email scams or Email Account Compromise (EAC). The FBI's Internet Crime Complaint Center (IC3) has tracked this type of scam since 2013. Companies in all 50 US states and over 100 countries have been targeted. Victims include large corporations, non-profits, churches, and schools. BEC scams hit organizations of all sizes but have shifted toward larger companies that can afford to pay more. Hackers combine spear phishing emails, social engineering, identity theft, email spoofing, and malware to establish trust with potential victims. After patiently building a relationship with an employee via email or social media, the hacker eventually tricks that employee into wiring money to a bank account the hacker controls.
In one attack vector, social engineering is used to take over an employee's email account through the password reset process. Social media profiles often contain the answers to common password reset questions, such as "What city were you born in?" Once hackers control a legitimate email account, they use it to send messages to colleagues or business partners who are authorized to send wire transfers. The victims are tricked into paying fraudulent invoices or other business expenses. If the hacker has compromised an email account or the wider IT environment, they can even let a legitimate invoice go out and simply alter the bank details on it, so the money is wired to an account the hacker controls.
Sometimes hackers convince an employee that a wire transfer request comes from the CEO or another executive. Corporate email addresses can be gleaned from company websites, press releases, or LinkedIn profiles. Passwords are stolen through social engineering, keylogging malware, or phishing emails.
Hackers also rely on employees who don't read email headers carefully and assume a message comes from a legitimate corporate address. The friendly display name of an incoming email can be set to anything, so the recipient must check the actual mailbox address (the part in angle brackets, and any Reply-To address), not just the name shown or the name used to sign the email. Even the address can be forged if the receiving domain does not enforce SPF, DKIM and DMARC, so a payment request or a message with suspicious links should be verified out of band: pick up the phone and call the alleged sender at a number already on file, never one supplied in the email.
Targeting corporations rather than individuals is more lucrative for hackers and scammers. An individual may pay a small ransom to free a device or files from ransomware, but a large corporation can afford far more and is likely to carry cyber insurance that covers the cost of a breach.
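The header check described above, as an added example that is not part of the original article: a small Python triage script that parses raw messages with the standard library, pulls the display name and the real mailbox address out of From:, and flags three things a BEC lure typically gets wrong. The organization's domain (example.com), the executive list, and the four sample messages are all constructed for the example. It inspects only the visible headers; it does not verify SPF, DKIM or DMARC, which is where a forged From: address is actually caught.

```python
"""Added example: flag display-name spoofing, look-alike sender domains and
mismatched Reply-To headers in raw RFC 5322 messages (standard library only)."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumptions for the example: the organization's real mail domain and the
# display names whose authority attackers like to borrow.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of a mailbox address, or '' if none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: bytes) -> list[str]:
    """Return the reasons a message looks like sender spoofing (empty list if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # parseaddr splits 'Jane Doe <x@y>' into the friendly name and the real mailbox.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    findings = []

    # 1. The display name borrows an executive's name but the mailbox is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr != expected:
        findings.append(f"display name '{from_name}' but address {from_addr}")

    # 2. The sender domain is a near miss of ours (typo-squat / look-alike).
    dom = domain_of(from_addr)
    if dom and dom != OUR_DOMAIN and edit_distance(dom, OUR_DOMAIN) <= 2:
        findings.append(f"look-alike domain {dom}")

    # 3. Replies would go somewhere other than the visible sender's domain.
    if reply_addr and domain_of(reply_addr) != dom:
        findings.append(f"Reply-To {reply_addr} does not match From domain {dom}")

    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": (b"From: Jane Doe <jane.doe@example.com>\r\nTo: ap@example.com\r\n"
              b"Subject: Q3 figures\r\n\r\nAttached.\r\n"),
    "display_name": (b"From: Jane Doe <ceo.urgent.request@gmail.com>\r\nTo: ap@example.com\r\n"
                     b"Subject: Urgent wire\r\n\r\nPlease wire today, I am in a meeting.\r\n"),
    "lookalike": (b"From: Accounts Payable <billing@examp1e.com>\r\nTo: ap@example.com\r\n"
                  b"Subject: Updated bank details\r\n\r\nPlease use the new account.\r\n"),
    "reply_to": (b"From: Jane Doe <jane.doe@example.com>\r\n"
                 b"Reply-To: jane.doe@mail-example.net\r\nTo: ap@example.com\r\n"
                 b"Subject: Invoice\r\n\r\nReply with the wire confirmation.\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13s} -> {analyze(raw) or 'no findings'}")
```

The edit-distance threshold of 2 is a starting point, not a rule; very short domains will need a tighter threshold and a list of known partner domains to avoid noise. A Reply-To on another domain is not malicious by itself, which is why the script reports findings for a human to review rather than blocking anything.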
Types of Business Email Compromise (BEC)
- Bogus Invoice Scheme – Companies that use foreign vendors are targeted with emails requesting a wire transfer to pay fraudulent invoices. If paid, the money goes to a bank account the hacker controls, often one held by a money mule.
- CEO Fraud – Hackers posing as executive-level employees send spear phishing emails to employees who can authorize a wire transfer, directing the money to accounts the hackers control.
- Email Account Compromise – Hackers take over a corporate email account and use it to send vendors legitimate-looking or fraudulent invoices whose payment details route the wire transfer to the hacker's bank account.
- Attorney Impersonation – Hackers impersonating attorneys request personal or confidential information from human resources employees, by phishing email or over the phone, for use in future spear phishing attacks.
- Employee Data Theft – Also called the W-2 scam. Hackers try to trick human resources employees into sending employee W-2 forms in bulk, which are then used for identity theft or future spear phishing emails.
What is a Phishing Email Scam?
Phishing emails are malicious emails sent to victims for criminal purposes. Often the scammer is trying to steal money by convincing the recipient to reply with banking information, credit card numbers, or passwords. Just as often, the recipient is directed to a spoofed website that closely resembles one the recipient has a financial relationship with, where a prompt to "reset" a password actually hands the login credentials to the hackers.
Phishing emails may also be used to gather personal information for a more targeted form of email scam, the spear phishing email. Phishing emails tend to go out to hundreds or thousands of potential victims, fishing for any response; a spear phishing email is aimed at one person or one organization. The hacker who sends it has already collected details about the recipient such as their name, workplace, or other personal information. Spear phishing emails are dangerous because the recipient feels they somehow know the sender.