Companies around the world have lost over $3 billion to Business Email Compromise (BEC) scams, with over $960 million lost just in U.S. companies alone, according to the FBI’s Internet Crime Complaint Center (IC3).
The latest IC3 PSA comes just ten months after a previous alert on BEC scams issued in August 2015, when the FBI said businesses lost over $1.2 billion.
The damage from BEC scams more than doubled in the last year, and a possible reason may be the fact that there have been some high-profile cases that have shown criminals they can steal more than a few thousand dollars.
For example, FACC, an airplane parts manufacturer from Austria, lost $56.79 million in a BEC scam this past January. The company fired its CEO at the start of June, citing his inability to detect the fraud.
A few days after the FACC incident, Belgian Bank Crelan said it lost $75.8 million in a similar scam.
At the end of March, toy maker Mattel also said one of its executives ended up scammed for $3 million. In that case, the company was able to recover its money thanks to a public holiday in China that delayed the criminals’ operations.
The $3 billion mark includes data from October 2013 to May 2016, but the FBI said that, since January 2015, its IC3 center has seen a 1,300 percent rise in BEC complaints.
The agency recorded at least a victim in each U.S. state, along with victims from another 100 countries. The FBI said stolen money ended up sent to 79 different countries, but most went to China and Hong Kong.
Most of the victims said fraudulent transactions occurred via wire transfers, but bad guys also used checks whenever they could.
Some of the tactics scammers use include hacking into the email accounts of a company’s high-ranking execs, and then requesting an urgent payment with the CEO or CFO.
Additionally, the CFO or CEO email accounts can end up hacked as well, and in this scenario, the scammers, posing as the high-ranking execs, request their financial departments to wire money using an official order.
Scammers don’t necessarily have to hack a company’s email accounts, and the FBI said it has seen cases where suppliers end up hacked, and they then request urgent payments, but to the scammers’ bank accounts.
Furthermore, scammers who can’t hack an email account usually register look-alike domains and rely on social engineering and the carelessness of a company’s financial department employees.
Since last August, the FBI also said it detected a new scam tactic in which crooks don’t require payment, but ask HR departments for W-2 employment forms. These forms contain a lot of sensitive information that scammers can use for fraudulent tax returns, or even sell the stolen data on the Dark Web.
A characteristic of BEC scams the FBI found is scammers regularly target enterprises that employ free email domains instead of private email servers.
Companies that use Yahoo, Gmail, or Hotmail are more targeted than those that use custom domains like firstname.lastname@example.org.
Additionally, the FBI also warns against employees who use personal email addresses for work-related activities.
“Businesses that deploy robust internal prevention techniques at all levels (especially targeting front line employees who may be the recipients of initial phishing attempts), have proven highly successful in recognizing and deflecting BEC attempts,” the FBI said.