The FBI has urged organizations to be on high alert for business email compromise (BEC) attempts, after revealing that the cybercrime category has amassed tens of billions of dollars for threat actors over the past decade.
BEC is a form of pretexting – a type of social engineering where individuals are usually tricked into making large money transfers to a fraudster posing as a legitimate entity such as a supplier. On other occasions, the scammer impersonates a CEO or CFO and uses their authority to demand a finance team member make a wire transfer.
The threat actor often compromises email accounts and monitors messages from legitimate entities in order to make their requests sound more realistic.
The FBI’s Internet Crime Complaint Center (IC3) claimed in a notice yesterday that BEC cost US and global organizations nearly $55.5bn between October 2013 and December 2023, on the back of over 305,000 incidents.
It said that, over this 10-year period, there have been 158,436 US victims and 6,545 victims from outside the country.
Banks in the UK and Hong Kong often act as intermediary stops for funds as they’re transferred to accounts under the control of the BEC fraudsters, the IC3 added.
“The BEC scam continues to target small local businesses to larger corporations, and personal transactions while evolving in their techniques to access those business or personal accounts. Between December 2022 and December 2023, there was a 9% increase in identified global exposed losses,” it said.
“In 2023, the IC3 saw a growth in BEC reporting where funds were sent directly to a financial institution housing custodial accounts held by third-party payment processors, or peer-to-peer payment processors, and cryptocurrency exchanges which directly contributed to the increase in global exposed losses.”
Victims are urged to contact their bank immediately if they discover a fraudulent BEC wire transfer.
The FBI had the following advice to mitigate BEC risk:
- Use multi-factor authentication (MFA) and a second pair of eyes to verify requests for changes in account information
- Use unique passwords for every online service and try to change them periodically
- Ensure the URL in emails is associated with the business/individual it claims to be from
- Watch out for hyperlinks that might contain misspellings of the real domain name
- Never hand over login credentials or personal identifiable information (PII) via email, even if the requests appear to be legitimate
- Verify sender email addresses, especially when using a mobile or handheld device, by checking that the actual address matches the person or organization the message claims to come from
- Ensure employee computer settings allow full email extensions to be viewed
- Monitor financial accounts on a regular basis for irregularities, such as missing deposits
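Several of these points (checking that the sender address matches the claimed sender, watching for misspelled domains, viewing the full address rather than a display name) are checks a mail gateway or an analyst can automate. The Python below is an added illustration and is not part of the FBI notice or this article: it takes a constructed allow-list of domains the finance team legitimately deals with and a handful of constructed "From:" headers, and flags the patterns the advice describes, namely a visually confusable or misspelled copy of a trusted domain, a trusted domain embedded inside a longer fraudulent one, a non-ASCII homoglyph, and a display name that shows a real address while the sending address is somewhere else. The domain names, the confusable-character table and the two-edit threshold are assumptions chosen for the demo.

```python
"""Heuristic sender checks for the BEC patterns in the FBI advice.

Example code written for this article, not FBI/IC3 tooling. The trusted
domains, sample headers, confusable table and thresholds are all constructed
assumptions for the demonstration.
"""
import re
from email.utils import parseaddr

# Constructed allow-list: domains the finance team legitimately exchanges mail with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# Constructed sample "From:" headers as a mail filter would see them.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",                         # legitimate
    "Jane Doe <jane.doe@examp1e.com>",                         # digit 1 for letter l
    "Jane Doe <jane.doe@exarnple.com>",                        # "rn" imitates "m"
    "Jane Doe <jane.doe@acme-suppIies.com>",                   # capital I for lowercase l
    '"jane.doe@example.com" <ceo.urgent@freemail-example.net>',  # real address only in display name
    "Jane Doe <jane.doe@example.com.evil-example.org>",        # trusted name embedded in another domain
    "Jane Doe <jane.doe@ex\u0430mple.com>",                    # Cyrillic 'a' homoglyph
]

# Assumed table of substitutions used to register look-alike domains.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "i": "l"})


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form so look-alikes compare equal."""
    s = domain.lower()
    for pair, single in CONFUSABLE_PAIRS:
        s = s.replace(pair, single)
    return s.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return a verdict ('trusted', 'suspicious', 'unknown') and the reasons for it."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    result = {"address": addr, "domain": domain, "findings": findings}

    # Exact trusted domain, or a subdomain of one, passes this check.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return {**result, "verdict": "trusted"}

    # Internationalised characters in a domain that should be plain ASCII.
    if any(ord(c) > 127 for c in domain):
        findings.append("non-ASCII character in domain (possible homoglyph)")

    for t in trusted:
        if t in domain:
            findings.append(f"embeds trusted domain {t!r} inside a different domain")
        elif skeleton(domain) == skeleton(t):
            findings.append(f"visually confusable with {t!r}")
        elif edit_distance(domain, t) <= 2:
            findings.append(f"within two edits of {t!r}")

    # Display name carries a trusted address while the real address does not.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() in trusted:
        findings.append("display name shows a trusted address but the sending address differs")

    return {**result, "verdict": "suspicious" if findings else "unknown"}


def triage(headers=SAMPLE_HEADERS) -> list:
    """Classify each header; 'suspicious' ones warrant out-of-band verification."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['verdict']:10} {r['address']:45} {'; '.join(r['findings'])}")
```

The "unknown" verdict is deliberate: a domain that is neither trusted nor a look-alike is not proof of legitimacy, and any payment or bank-detail change from such a sender still goes through the second-pair-of-eyes and phone-back process the first bullet describes. The heuristics complement, rather than replace, SPF/DKIM/DMARC evaluation at the gateway.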