
Business Email Compromise Scams Responsible for $675M in Losses in 2017

by Chris Brook on Wednesday May 9, 2018


The FBI said this week that Business Email Compromise (BEC) scams in 2017 resulted in a loss of $675M, a big jump from the year prior, when they were responsible for a loss of $360M.

As if the FBI's news around Business Email Compromise scams last year wasn't jarring enough, the agency said this week that the threat accounted for an adjusted loss of over $675 million last year alone.

The FBI reported last year that BEC scams were up 2,370 percent since 2015, a figure that at the time translated to a staggering $5.3 billion in losses since 2013.

The numbers, both this year’s and last, are via the FBI’s Internet Crime Report (.PDF), an annual synopsis culled from statistics gathered by the Internet Crime Complaint Center (IC3), a portal that allows American citizens to submit information around internet-based criminal activity.

According to the report, the IC3 received 15,690 complaints pertaining to BEC scams and EAC, or Email Account Compromise, scams. BEC scams, in their most rudimentary form, rely on executives – usually Chief Executive Officers or Chief Financial Officers – getting tricked via social engineering or phishing into carrying out fake wire transfers. Attackers usually impersonate other high-level executives and business contacts in order to deceive victims. Individuals working in the real estate sector were hit especially hard last year, mainly during transactions around properties, the FBI said this week.
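The impersonation pattern described above (a message carrying an executive's name but coming from somewhere other than the company's own mail domain) is one that a mail gateway or SIEM rule can flag before anyone acts on a payment request. The following is an added example, not code from the article or from the FBI report; the executive roster, company domain and sample headers are constructed for illustration, and the lookalike-domain threshold is an assumption.

```python
"""Flag inbound mail whose From display name impersonates a known executive.

Added illustration of a defender-side check for the BEC pattern described in
the article. The roster, domains and sample headers are constructed, not taken
from any real organisation.
"""
from email.utils import parseaddr
import difflib

# Constructed roster: people who may authorise payments, and the domain(s)
# their genuine mail is sent from.
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}
COMPANY_DOMAINS = {"example.com"}
LOOKALIKE_THRESHOLD = 0.85  # assumption: tune against your own domain list


def normalise_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Doe, Jane' and 'jane doe' compare."""
    return " ".join(name.lower().replace(",", " ").split())


def lookalike_domain(domain: str) -> bool:
    """True if the domain is not ours but closely resembles one of ours (examp1e.com)."""
    if not domain or domain in COMPANY_DOMAINS:
        return False
    return any(difflib.SequenceMatcher(None, domain, own).ratio() >= LOOKALIKE_THRESHOLD
               for own in COMPANY_DOMAINS)


def check_headers(headers: dict) -> list:
    """Return the reasons a message looks like executive impersonation.

    headers maps header name -> value; only From and Reply-To are inspected.
    An empty list means nothing suspicious was found by these checks.
    """
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = normalise_name(display)

    # Display name matches an executive but the sender is outside our domains.
    matched = [role for exec_name, role in EXECUTIVES.items() if exec_name in name]
    if matched:
        role = matched[0]
        if domain not in COMPANY_DOMAINS:
            reasons.append(f"display name of {role} with external sender {addr}")
        if lookalike_domain(domain):
            reasons.append(f"sender domain {domain} resembles a company domain")

    # A Reply-To that diverts the conversation away from the From address.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and addr and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    return reasons


# Constructed sample headers: one legitimate message and three impersonation styles.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@example.com",
     "Subject": "Q2 numbers"},
    {"From": "Jane Doe <ceo.janedoe@gmail.com>", "Subject": "Urgent wire transfer"},
    {"From": "John Roe <john.roe@examp1e.com>", "Reply-To": "john.roe@examp1e.com",
     "Subject": "Payment"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@mail-relay.net",
     "Subject": "Invoice"},
]


def scan(messages: list) -> dict:
    """Map sample index -> reasons for every message that trips a check."""
    return {i: r for i, m in enumerate(messages) if (r := check_headers(m))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLES).items():
        print(f"message {i}: " + "; ".join(reasons))
```

A display-name match on its own is not proof of fraud (executives do mail from personal accounts), so the output is a set of reasons for a reviewer or a secondary control such as out-of-band confirmation of any payment request, not an automatic block.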

EACs are similar in the sense that they rely on attackers tricking individuals into sending money via wire transfers, but they usually stop short of targeting businesses. The FBI, for what it's worth, began distilling both attacks under a single crime type this past year.

Last month a report released by the Association for Financial Professionals said 77 percent of organizations experienced a BEC scam in 2017. 54 percent of the scams were transfers; 34 percent relied on victims signing over checks to attackers.

When it comes to BEC scams attackers aren't only getting away with money. While cybercriminals were originally just keen on tricking execs into transferring money into a mule account, they've expanded over the years and now make off with personal information, along with tax data, like W-2s.

Researchers with Kaspersky Lab said last summer that they had seen over 500 companies in 50 countries get hit with one BEC campaign, reportedly originating in Nigeria. Attackers managed to exfiltrate technical drawings, network diagrams, cost estimates, and project plans from victims. According to the firm, screenshots of diagrams, mockups of electrical and information networks, and Autodesk AutoCAD projects were spotted on one command and control server. In that campaign, operators, engineers, designers and architects, in addition to executives, from the United Arab Emirates, Russia, Germany, and India were hit, according to researchers.

An unrelated Nigerian hacking group, Gold Galleon, almost made off with $3.9 million from the maritime shipping industry between June 2017 and January 2018 before it was flagged by Dell Secureworks last month. The threat actors usually average $6.7 million per year, according to researchers, who unveiled their research at this year’s RSA Conference in San Francisco.

The FBI said Monday that most BEC scams were linked to either romance, lottery, employment, or rental opportunities. Researchers from Flashpoint echoed those sentiments this week, noting that a large swath of BEC scams have increasingly become romance-based. Ronnie Tokazowski, a senior malware analyst with the firm, said Monday that a growing number of executives - singles, divorcées, and the widowed - have been duped into sending money to lovers in disguise.

“One dating script … dates back to 2010 and has been used as recently as this March, with more than 1,600 fake posts meant to lure unsuspecting users into phony relationships,” Tokazowski wrote of one campaign.
