FBI: Business Email Compromise (BEC) Scams Cost $5.3 Billion

Business email compromise (BEC) scams cost more than $5.3 billion globally between October 2013 and December 2016, according to data from the FBI Internet Crime Complaint Center (IC3).

In addition, there was a 2,370 percent increase in BEC fraud-related losses worldwide between January 2015 and December 2016, according to the IC3.

What Are BEC Scams?

BEC is "a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments," the IC3 said in a prepared statement. It involves the use of an email account compromise (EAC) component, the IC3 said, that targets individuals who perform wire transfer payments.

BEC scams put business email accounts, personally identifiable information (PII) and employee wage and tax information at risk, the IC3 stated.

During a BEC scam, cybercriminals gain unauthorized access to legitimate business email accounts via social engineering or computer intrusion techniques, according to the IC3. When this happens, cybercriminals can conduct unauthorized transfers of funds.

Most BEC victims use wire transfers to transfer funds for business purposes, the IC3 noted. However, some victims also report using checks as a common payment method.

BEC victims have been reported in all 50 states and 131 countries, the IC3 said. Victim complaints filed with the IC3 and various financial sources indicate fraudulent transfers have been sent to 103 countries.

Asian banks located in China and Hong Kong are the primary destinations of fraudulent funds, the IC3 stated. Financial institutions in the United Kingdom have been identified as prominent destinations as well.

BEC Self-Protection Strategies

BEC victims include many small, medium and large businesses, the IC3 reported. Moreover, BEC scams continue to evolve, the IC3 said, and companies must learn about these scams to avoid becoming BEC victims.

The IC3 offers several BEC self-protection strategies to businesses, including:

  • Avoid free web-based email accounts. A company can set up a domain name and establish business email accounts.
  • Consider additional IT and financial security procedures. A two-step verification process that involves the use of two-factor authentication or digital signatures can help a company bolster its email security.
  • Report and delete unsolicited email (spam) from unknown parties. By reporting and deleting spam, business users can avoid email that often contains malware that will give cybercriminals access to a company's computer system.
  • Do not use the "Reply" option to respond to business emails. For email responses, use the "Forward" option and type in the correct email address or select it from an email address book to guarantee the intended recipient's correct email address is used.
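
The "Forward" advice matters because a mail client's "Reply" goes to whatever address the message itself supplies. The following Python is an added example, not code from the IC3 or this article: it works out where a reply would be sent and checks that address against a verified address book. The addresses, sample messages and `ADDRESS_BOOK` contents are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed address book: contacts the finance team has verified out of band.
ADDRESS_BOOK = {"ap@supplier.example", "cfo@corp.example"}

# Constructed sample messages.
LEGIT = (
    "From: Accounts Payable <ap@supplier.example>\n"
    "Subject: Invoice 1001\n\nPlease see attached.\n"
)
REDIRECTED = (
    "From: Accounts Payable <ap@supplier.example>\n"
    "Reply-To: ap@suppl1er.example\n"
    "Subject: Updated bank details\n\nPlease confirm by reply.\n"
)

def _addresses(msg, header):
    """Lower-cased addresses found in every occurrence of one header."""
    return [addr.lower() for _name, addr in getaddresses(msg.get_all(header) or []) if addr]

def reply_targets(raw_message):
    """Addresses a "Reply" would be sent to: Reply-To if present, else From."""
    msg = message_from_string(raw_message)
    return _addresses(msg, "Reply-To") or _addresses(msg, "From")

def check_reply(raw_message, address_book=ADDRESS_BOOK):
    """Return findings that mean the reply should be retyped from the address book."""
    msg = message_from_string(raw_message)
    targets = reply_targets(raw_message)
    findings = []
    for target in targets:
        if target not in address_book:
            findings.append(f"reply goes to unverified address {target}")
    if set(targets) != set(_addresses(msg, "From")):
        findings.append("Reply-To differs from From")
    return findings

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("redirected", REDIRECTED)):
        print(label, reply_targets(raw), check_reply(raw))
```
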

Also, the IC3 provides the following tips if business funds are transferred to a fraudulent account:

  • Contact your financial institution immediately.
  • Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
  • Contact your local FBI office.
  • File a complaint with the IC3.

Ultimately, companies that deploy internal BEC prevention techniques at all levels may be better equipped than others to recognize BEC scams and mitigate their effects, IC3 stated.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds an M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.