The Continuous Growth of BEC Scams Demonstrated in the Latest FBI Report
BEC (Business Email Compromise) scams have grown by a staggering 2,370 percent in the last couple of years, as reported by the FBI.
The latest FBI statistics reveal that “most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment”. The stats are based on data from all 50 U.S. states and 131 other countries. Most of the stolen money has been funneled to banks in China and Hong Kong.
BEC scams are no longer only about scamming executives into transferring money into mule accounts. BEC scams now involve requests of personal information and tax forms such as W-2s for employees.
In the United States alone, between June and December 2016, the FBI registered complaints totaling $346 million in losses from 3,044 incidents. Losses outside the U.S. are even higher – $448 million in the same time frame.
The victims of the BEC/EAC scam range from small businesses to large corporations. The victims continue to deal in a wide variety of goods and services, indicating that no specific sector is targeted more than another. It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam.
BEC Scam Prevention
In general, security solutions search for malicious documents or known blacklisted URLs to determine whether an email is suspicious. BEC scam emails, however, often lack any signs that would give away malicious intentions. BEC scams mostly rely on social engineering and exploit employees’ weaknesses, and are highly targeted. However, the fact that BEC and phishing share some similarities gives users (and employees) the chance to monitor for particular signs in the contents of such emails, as pointed out by Proofpoint researchers:
- High-level executives asking for unusual information;
- Requests to not communicate with others;
- Requests that bypass normal channels;
- Language issues and unusual date formats;
- “Reply To” addresses that do not match sender addresses.
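The warning signs above can be turned into a simple screening step that a mail gateway or a SOC triage script applies before a message reaches the finance team. The following Python script is an added example, not code from Proofpoint, the FBI, or the original article: it parses a raw RFC 822 message with the standard library, checks the sender's display name for an executive title, looks for unusual requests (wire transfers, W-2s), secrecy and "skip the usual process" language, a Reply-To domain that differs from the From domain, and an unparseable Date header, and returns one flag per indicator. The two sample messages, the regular-expression patterns, and the list of executive titles are all constructed assumptions for the demonstration.

```python
"""Heuristic screening of an email for the BEC warning signs listed above.

Added example (not the article's or any vendor's code). The sample
messages and patterns below are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages; not real correspondence.
SUSPICIOUS_MSG = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@example-mail.net
To: accounts@example.com
Subject: Urgent wire transfer
Date: Mon, 06 Mar 2017 09:00:00 +0000

Hi, I am in a meeting and cannot talk. I need you to process a wire
transfer today. Please do not discuss this with anyone else, and do not
go through the usual approval process as this is confidential.
"""

BENIGN_MSG = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q1 invoices
Date: Mon, 06 Mar 2017 09:00:00 +0000

Hi, please find the Q1 invoice summary attached for review at the
next finance meeting.
"""

# Assumed patterns; a production deployment would tune these to its own mail.
EXEC_TITLES = r"\b(ceo|cfo|coo|cto|president|chairman|director)\b"
REQUEST_PATTERNS = [r"\burgent(ly)?\b", r"\bwire\s+transfer", r"\bw-?2s?\b",
                    r"\bgift\s+cards?\b", r"\btax\s+forms?\b"]
SECRECY_PATTERNS = [r"do\s+not\s+(discuss|tell|share|mention)",
                    r"keep\s+(this|it)\s+(confidential|between\s+us)"]
BYPASS_PATTERNS = [r"(skip|bypass|do\s+not\s+go\s+through)[^.]*(approval|process|procedure)",
                   r"without\s+(the\s+)?usual"]


def _plain_text(msg):
    """Collect the text/plain body (or bodies, for multipart mail) as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _name_and_domain(header_value):
    """Split an address header into its display name and lower-cased domain."""
    name, addr = parseaddr(header_value or "")
    return name, addr.rpartition("@")[2].lower()


def _matches_any(patterns, text):
    return any(re.search(p, text, re.I) for p in patterns)


def _date_unparseable(header_value):
    """True when the Date header is missing or not in a standard format."""
    try:
        parsedate_to_datetime(header_value)
        return False
    except (ValueError, TypeError):
        return True


def bec_indicators(raw_message):
    """Return a dict of indicator name -> bool for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_name, from_domain = _name_and_domain(msg.get("From"))
    reply_to = msg.get("Reply-To")
    _, reply_domain = _name_and_domain(reply_to)
    # Subject and body are scanned together; requests often sit in the subject.
    text = f"{msg.get('Subject', '')}\n{_plain_text(msg)}"
    return {
        "executive_sender": bool(re.search(EXEC_TITLES, sender_name, re.I)),
        "unusual_request": _matches_any(REQUEST_PATTERNS, text),
        "secrecy_request": _matches_any(SECRECY_PATTERNS, text),
        "bypasses_channels": _matches_any(BYPASS_PATTERNS, text),
        "reply_to_mismatch": bool(reply_to) and reply_domain != from_domain,
        "unparseable_date": _date_unparseable(msg.get("Date")),
    }


def bec_score(raw_message):
    """Number of indicators raised; a reviewer would route high scores to a human."""
    return sum(bec_indicators(raw_message).values())


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_MSG), ("benign", BENIGN_MSG)):
        flags = bec_indicators(sample)
        print(label, sum(flags.values()), [k for k, v in flags.items() if v])
```

The score is deliberately a plain count rather than a verdict: a single raised flag (an executive's name in the display name, say) is common in legitimate mail, while several together are what makes a message worth a phone call to the apparent sender before any transfer or W-2 is released.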
Also, besides educating their employees (CEOs included!), companies should look into email protection services and apps.