FBI Warns Business Email Compromise Scams Losses Have Increased Every Year
The US Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) issued a PSA warning business that hackers are targeting cloud-based email services to steal money from the businesses that use them. Cyberattacks of this nature are known as Business Email Compromise (BEC) scams and accounted for $2.1 billion in reported losses between January 2014 and October 2019.
BEC scams often use a targeted phish kit, or spoofed backend, designed to look and function like the cloud-based email service. The targeted employee is tricked into giving up login credentials that leads to compromised business email accounts. The email account is scanned to look for evidence of financial transactions. In the end, the hacked email account is used to request or misdirect transfers of funds.
Cloud-based email services, like Microsoft Office 365, Amazon WorkMail, and Google G Suite, provide email service as well as shared calendars, file storage, and team messaging apps as subscription services. Some cloud-based services may also provide cyber security features like email phishing protection and two-factor or multi-factor authentication. Some of these features must be enabled by account administrators. Some cloud-based business email services charge more for these security features while others may provide these for no additional cost. These security features can help prevent BEC scams.
What are BEC Scams?
A Business Email Compromise occurs when a hacker gains access to a legitimate business email account and uses it to initiate or redirect an unauthorized money transfer to a bank account the hacker can access. The email accounts are often compromised using social engineering with information taken from corporate websites, press releases, or social media. BEC scams can also use information from malware attacks like infostealers and spyware.
Criminals impersonate email communications between compromised businesses, employees, business partners or third parties, such as vendors or customers. Businesses that routinely process electronic payments like wire transfers are typical targets of BEC scams.
In March 2020, the bookkeeper for Shark Tank host Barbara Corcoran was fooled into paying a fraudulent invoice. The malicious email appeared to come from Corcoran’s assistant and asked for payment for a real estate related transaction. This made sense for Corcoran’s line of work. But the nature of the email contained information that is easily gleaned from the internet especially when a high-profile person is targeted.
The creditor details were closely named for a German company Corcoran actually does business with. So, the bookkeeper paid it without verifying the email sender or the company requesting payment. Fortunately, they realized the error and with the cooperation of a German bank, the $388,700 wire transfer was recovered.
“Losses from BEC scams overall have increased every year since IC3 began tracking the scam in 2013. BEC scams have been reported in all 50 states and in 177 countries. Small and medium-size organizations, or those with limited IT resources, are most vulnerable to BEC scams because of the costs of robust cyber defense.” the FBI said in the PSA.
Recommendations for Cloud Email Users
It is important to protect account login credentials. Often humans are the weakest link in online account security. System administrators should enable alerts to warn them about suspicious activity, such as foreign logins.
- Use two-factor authentication (2FA) on all email accounts. If available, enable multi-factor authentication
- Verify all payments in person or by calling the payment recipient using a known telephone number. Do not use the phone number the creditor supplies
- Train employees to recognize online scams including BEC scams
- Teach employees about how to recognize and report phishing emails
- Educate employees on how to respond to suspected account compromises
- Establish protocols for help desk employees to follow when responding to requests for resetting passwords or account login credentials
- System Administrators should not allow users to forward emails to external email addresses
- Email filtering polices should be set up to block suspected phishing emails and certain types of email attachments
- Email protocols, such as POP, IMAP, and SMTP should not be allowed
If reported within 24 hours, unauthorized wire transfers can often be recalled by your financial institution.
