Business E-mail Compromise scams
A spear phishing hacking group, working out of the United Kingdom and Nigeria, has been using business email compromise (BEC) scams and have stolen more than $12 million. This group targeted small and midsize businesses from various industry groups such as manufacturers, hotels, universities, cloud service operators, and so on. This group was finally caught during the first week of December 2018, after nearly a year running this scam, when they inadvertently targeted the CFO of an email security firm.
According to FBI, BEC scams are becoming popular and growingly effective for cybercrimes. BEC scams have caused more than $12 billion in losses since 2013, and the threat is increasing in terms of exposed losses. These scams have been reported in all the 50 states of US and over 150 countries. The destination banks are usually located in China, Hong Kong, UK, Mexico, and Turkey.
Scammers use the IRS W-2 forms and other Personally Identifiable Information (PII) requests to build their campaigns. Year-end enrollment is one of major sources of PII requests.
Attackers portray as someone in higher power of authority, such as CEO or CFO, and target the middle management, who would fear questioning or delaying the request, in order to verify.
|Number of incidents||78,617|
|Exposed dollar loss||$12,536,948,299|
Suggestions for Protection
- The best defense is to verify all requests for a change in payment type/location/method. BEC actors often request that payment methods or financial information be changed.
- Establish a secondary means of communication for verification. It would be helpful if there is a face-to-face meeting to verify the electronic or telephone conversations, when possible.
- Management encourage/appreciate employees’ precautionary approach and observant behavior when dealing with electronic or remote communication.
- At any stage, if you discover a fraudulent transfer, contact your financial institution immediately and request a recall. Contact the FBI and report the case. Law enforcement might be able to help in recovery if reported immediately.