What is Business Email Compromise?
Business Email Compromise (BEC) is a sophisticated scam targeting businesses that perform wire transfers and/or ACH payments. The scam is carried out when a business email account is compromised, or convincingly spoofed, and used to request unauthorized funds transfers, most commonly wire transfers and/or ACH payments. The cybercriminal may, however, request payment through whatever method the victim would normally use (e.g. checks).
Victims of BEC range from small businesses to large corporations, and no clear pattern has been identified in how targets are selected. The cybercriminals study their victims to identify the individuals who handle payments and the procedures they follow, so that a fraudulent request for a wire or other funds transfer looks routine.
BEC continues to grow, evolve and target businesses of all sizes. Between December 2016 and May 2018, there was an increase of 136% in identified global exposed losses – which include actual losses and attempted losses. The BEC scam has been reported in all 50 states and in 150 countries. From October 2013 to December 2018, there was a domestic and international exposed dollar loss of $12,536,948,229.
The following BEC statistics were reported in victim complaints to the IC3 from October 2013 to May 2018:
- Total US victims: 41,058
- Total US exposed dollar loss: $2,935,161,457
Scenarios of BEC
BEC takes several forms. The scenarios most often reported are:
- Foreign Supplier. A cybercriminal spoofs a foreign supplier's invoice and requests payment to an account different from the one the supplier normally uses. Contact is made through the channel the supplier would normally use (e.g. phone, fax, email).
- Business Executive. A cybercriminal hacks or spoofs a business executive's (e.g. CEO, CFO) email account and sends an email to another employee requesting a transfer of funds, normally a wire transfer, to an account the cybercriminal controls.
- Compromised Personal Email. An employee's personal email account, which the employee also uses for business communication, is hacked. It is then used to request invoice payments from a vendor to a fraudulent bank account.
- Attorney Impersonation. Victims are contacted by cybercriminals posing as lawyers or representatives of law firms, claiming to be handling confidential and/or time-sensitive matters. The cybercriminal then presses for a funds transfer.
- Data Theft. Much like the Business Executive scenario, a cybercriminal hacks or spoofs a business executive's email account, but instead of requesting a funds transfer they request W-2s or other personally identifiable information.
Suggestions for Protection
- Make sure staff who handle payments know how the BEC scam works, so they recognize the patterns above before acting on a request.
- Use robust internal prevention techniques at all levels, such as requiring a second sign-off on funds transfers and confirming any change to a vendor's bank details by phone, using a previously known number rather than one supplied in the request.
- Avoid free web-based email accounts (e.g. Gmail, Yahoo) for business correspondence; use accounts on a company-owned domain.
- Be suspicious of requests for secrecy or pressure to act quickly.
- Scrutinize all emails requesting a transfer of funds, and confirm them out of band before acting.
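The scenarios above share a few observable traits: an executive's display name on an address that is not the executive's mailbox, a sending or Reply-To domain that merely resembles the company's, a request to change bank details, and language that pushes for speed or secrecy. The following screening script is an added example written for this page, not code from the original article or from IC3; the company domain, the executive list, the keyword lists, the weights and the three sample messages are all constructed for illustration and would need to be replaced with an organization's own data. It parses raw messages and returns the flags it raised, a score, and a hold/review/pass verdict.

```python
"""Heuristic screening of inbound mail for common BEC patterns (added example)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"            # assumed internal domain
EXECUTIVES = {                                 # assumed display name -> real mailbox
    "jane doe": "jane.doe@example-corp.com",   # CEO
    "john roe": "john.roe@example-corp.com",   # CFO
}
FUNDS_RE = re.compile(r"\b(?:wire transfer|wire|ach|invoice|payment|bank account|routing number)\b")
PRESSURE_RE = re.compile(r"\b(?:urgent(?:ly)?|immediately|asap|confidential|"
                         r"keep this (?:between us|confidential)|do not discuss|time[- ]sensitive)\b")
NEW_BANK_RE = re.compile(r"\b(?:new|updated|changed)\s+(?:bank|banking|account)\b|"
                         r"\b(?:bank|account)(?: details| information)? (?:has|have) changed\b")
WEIGHTS = {"display-name-spoof": 3, "lookalike-domain": 3, "reply-to-mismatch": 2,
           "new-bank-details": 2, "funds-request": 1, "pressure": 1}   # assumed weights


def lookalike(domain, reference=COMPANY_DOMAIN):
    """True if domain is not the reference but is close enough to be mistaken for it
    (examp1e-corp.com, example-corp.co, ...). The 0.85 threshold is an assumption."""
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= 0.85


def text_of(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def screen_message(raw):
    """Return flags, score and verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    text = (msg.get("Subject", "") + "\n" + text_of(msg)).lower()

    flags = []
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:      # executive's name, wrong mailbox
        flags.append("display-name-spoof")
    if lookalike(from_domain) or lookalike(reply_domain):
        flags.append("lookalike-domain")
    if reply_addr and reply_domain != from_domain:      # replies silently diverted elsewhere
        flags.append("reply-to-mismatch")
    if NEW_BANK_RE.search(text):                        # the Foreign Supplier pattern
        flags.append("new-bank-details")
    if FUNDS_RE.search(text):
        flags.append("funds-request")
    if PRESSURE_RE.search(text):                        # secrecy or urgency
        flags.append("pressure")

    score = sum(WEIGHTS[f] for f in flags)
    verdict = "hold" if score >= 4 else "review" if score >= 2 else "pass"
    return {"from": from_addr, "flags": flags, "score": score, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: accounts-payable@example-corp.com
Subject: Urgent wire transfer

I am in a meeting and cannot take calls. Process a wire transfer of $48,500 today
to the account below and keep this confidential until I confirm.
"""

SAMPLE_SUPPLIER_CHANGE = """\
From: Accounts <billing@acme-parts-ltd.example>
To: ap@example-corp.com
Subject: Invoice 4471 - updated bank details

Please note our bank account has changed. Kindly remit payment for the attached
invoice to the new account below.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Q3 all-hands agenda

Agenda for Thursday: product roadmap, hiring plan, office move.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_SUPPLIER_CHANGE, SAMPLE_BENIGN):
        print(screen_message(sample))
```

The CEO-fraud sample trips five flags and is held; the supplier message scores only on the bank-detail change and the payment request, which is exactly the case that should go to a human for out-of-band verification rather than be blocked outright; the benign executive email passes. Keyword scoring on its own is easy to evade, so in practice this belongs alongside SPF/DKIM/DMARC enforcement and a payment process that requires a second approver.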
If You Are a Victim…
- As soon as you discover the fraudulent transfer, immediately contact your financial institution.
- Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
- Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Treasury Financial Crimes Enforcement Network (FinCEN), might be able to help return the funds.
- File a complaint, regardless of dollar loss, with the FBI's Internet Crime Complaint Center at www.ic3.gov.
When contacting law enforcement or filing a complaint with IC3, it is important to identify your incident as BEC. Also, consider providing the following information:
- Originating business name, originating financial institution and address, originating account number
- Beneficiary name, beneficiary financial institution name and address, beneficiary account number
- Correspondent bank, if known or applicable
- Dates and amounts transferred
- Email address from which the fraudulent email was sent
Provide as much detail as possible, including but not limited to:
- Date and time of incidents
- Detailed information about the fraudulent phone calls and/or emails
- Email address and/or phone numbers used for the fraudulent contact(s)