The amount of money that enterprises in the United States are losing to business email compromise scams is growing at an alarming rate, and is now well into the billions of dollars, according to the FBI.
BEC scams, also known as CEO or executive impersonation schemes, are the evolution of phishing attacks and rely on the criminals’ ability to convince a key member of an organization to transfer money to an account the attackers control. As simple as the scam is in concept, there are a number of moving parts that all must work in unison for the theft to succeed. Most importantly, someone inside the target organization has to fall for the ruse.
Based on the FBI’s data, plenty of people are doing just that. The bureau said that since the beginning of 2015, businesses in the U.S. have lost more than $3 billion to BEC scams. These schemes can be crippling for victimized businesses, as some of the incidents involve losses in the tens or hundreds of thousands of dollars. Last year, one firm lost $98 million in a BEC scam that lasted several months.
“BEC is a serious threat on a global scale,” Special Agent Martin Licciardo, an organized crime investigator at the FBI’s Washington Field Office, said. “And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.”
A typical BEC scam begins with the attackers selecting a target and doing long-term reconnaissance on the organization and its employees. The attackers will spend weeks or months learning how the organization operates, what vendors and partners it uses, the banks and holding companies it does business with, and the way that financial authority is distributed. They then will identify a specific victim inside the organization, sometimes an accountant or an employee in the finance department, and will send an email impersonating the CEO, directing the victim to transfer money to an account the attackers control.
The emails usually have some element of urgency, telling the recipient that the transfer is needed for an acquisition or some other time-sensitive event. The criminals often will use a bank that the target organization uses and sometimes will impersonate a vendor rather than the CEO. The tactics change as the scams evolve.
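The scam pattern described above (an executive's display name on a message from outside the organization, a look-alike domain, a Reply-To that redirects answers elsewhere, and urgent wire-transfer language) can be turned into mail-filter indicators. The following is an added example written for this article, not code from the FBI or from any product; the organization domain, the executive name list, the keyword lists and the two sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data (constructed for this example).
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "j. doe"}  # display names a scammer would borrow

# Constructed keyword lists; a real deployment would tune these to its own mail.
URGENCY_WORDS = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|confidential)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|bank|routing|account)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _text_body(msg) -> str:
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    if msg.is_multipart():
        return "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    return msg.get_payload()


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators present in one RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + _text_body(msg)

    found = []
    # Executive's name on a message that did not come from the organization's domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != ORG_DOMAIN:
        found.append("executive-name-external-sender")
    # Sender domain is a near-miss of the real one (one or two character edits).
    if from_domain != ORG_DOMAIN and 0 < edit_distance(from_domain, ORG_DOMAIN) <= 2:
        found.append("lookalike-domain")
    # Replies are steered to a mailbox that differs from the apparent sender.
    if reply_addr and reply_domain != from_domain:
        found.append("reply-to-mismatch")
    if URGENCY_WORDS.search(text):
        found.append("urgency-language")
    if PAYMENT_WORDS.search(text):
        found.append("payment-request")
    return found


def is_suspicious(raw_message: str) -> bool:
    """Flag only when an identity anomaly coincides with a payment request,
    so ordinary urgent internal mail does not trip the check."""
    found = set(bec_indicators(raw_message))
    identity = {"executive-name-external-sender", "lookalike-domain", "reply-to-mismatch"}
    return bool(found & identity) and "payment-request" in found


# Constructed sample messages (not real mail).
SCAM_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.test
To: accounts@example.com
Subject: Urgent wire transfer needed today

I am in a meeting and cannot talk. Please process a wire transfer of $48,500
to the vendor account below immediately for the acquisition. Keep this confidential.
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget review

Could you send me the updated budget spreadsheet before Friday's meeting? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), bec_indicators(sample))
```

The point of `is_suspicious` is the combination: any one indicator alone (an executive writing from a personal account while travelling, an urgent but routine request) is common in legitimate traffic, whereas a sender-identity anomaly together with a payment instruction is the shape of the scam the article describes and is worth routing to a human for out-of-band confirmation.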
“The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering,” Licciardo said. “They are experts at deception.”
The groups behind BEC scams are democratic in choosing their victims. They don’t target only large enterprises, and will go after smaller businesses that may not have sophisticated defenses or financial processes.
Image: Sebastien Wiertz, CC BY-ND license.