Financial losses from business email compromise (BEC) scams skyrocketed by 2,370% between January 2015 and December 2016, according to an FBI public service announcement released Thursday. The alarming statistic represents a sharp increase from the agency’s previous announcement, serving as a warning to users to stay vigilant in recognizing the threat.
The new announcement refers to domestic and international losses (real and potential) totaling $5.3 billion. Previously, the FBI had announced a 1,300% increase in losses between January 2015 and May 2016, totaling $3.1 billion.
This documented rise is a sobering reminder of the potential collateral damage that awaits users if they’re not mindful of suspicious emails when they appear.
In BEC scams, employees including CEOs are tricked into initiating or authorizing wire transfers, providing W-2s, or, in the case of Google and Facebook, paying millions in fake invoices. Attackers gather information from sources such as LinkedIn to identify potential victims, use the victim’s profile content to determine the victim’s role and possibly their supervisor, and use this information to plan and launch the attack.
Our Phishing Defense Center has observed a variety of BEC messages ranging in sophistication and objectives, with some attempting to trick users into making fund transfers and others attempting to get the victim to provide information. Some BEC messages are easier to spot than others. Here are two examples of malicious messages that are easily identifiable, thanks, in part, to two common BEC characteristics: poor grammar and punctuation.
Here’s another phishing example that’s more obvious because (in addition to poor grammar and punctuation) it’s sent from someone the recipient has not yet met.
Because BEC targeting is extremely specific, we see fewer BEC messages reported to our Phishing Defense Center than other lucrative and widespread phishing threats, such as the ransomware and credential theft campaigns our customers report on a daily basis.
Unlike some widespread threats, BEC messages are tailored specifically to their victims, working to elicit a response by leveraging an authoritative figure requesting an urgent action, or by impersonating an outside entity with which the victim works on a regular basis.
Some BEC messages are written with enough detail and authority that they seem authentic. If all the tell-tale signs of scam messages were removed, users would be easily taken in. Many are fooled, as the statistics show.
Common BEC themes PhishMe team members have observed are:
- Emails pretending to come from an authoritative figure within the company.
- Emails expressing urgent action needed.
- Emails pretending to be from outside parties contracted by the company, such as law firms or tax firms. These emails also typically have a mobile device signature in the message, seemingly to account for any grammar or punctuation errors.
The last point falls in line with findings from the recent FBI announcement – a trend in which BEC attackers are increasingly seeking information as opposed to wired funds.
“The scam has evolved to include the compromising of legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees, and may not always be associated with a request for transfer of funds,” the May 4 alert states.
Other BEC facts and trends from the FBI announcement:
- “BEC” scams are now referred to as “BEC/EAC” to include “email account compromise (EAC),” a component of BEC threats. “The techniques used in the BEC/EAC scam have become increasingly similar, prompting the IC3 (Internet Crime Complaint Center) to begin tracking these scams as a single crime type in 2017.”
- A 480% increase in complaints filed by title companies targeted by BEC attackers. “The BEC/EAC perpetrators were able to monitor the real estate proceeding and time the fraudulent request for a change in payment type (frequently from check to wire transfer) or a change from one account to a different account under their control.”
- A 50% increase in complaints filed by businesses using international suppliers. “In some instances, instead of requesting a change in a single remittance or invoice payment, BEC/EAC perpetrators changed the remittance location to redirect all incoming invoice payments. The fraudulent request appeared to be facilitated through a spoofed e-mail or domain.”
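The themes listed above (authority impersonation, urgency, outside-party impersonation with a mobile signature) and the spoofed-domain tactic in the FBI excerpt can be turned into simple mail triage heuristics. The following is an added example, not PhishMe's or the FBI's code; the company domain `example.com`, the executive roster, the keyword lists and both sample messages are constructed for illustration, and a real deployment would tune the lists and combine this with header authentication results (SPF/DKIM/DMARC), which this example does not check.

```python
"""Heuristic triage of an inbound message for common BEC indicators.

Added example: flags display-name impersonation of executives, lookalike
sender/reply-to domains, urgent wording, financial or PII requests and
mobile-device signatures. All organisation context below is constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed organisation context (assumptions for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Constructed keyword lists; tune per organisation.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "before close")
REQUEST_TERMS = ("wire transfer", "w-2", "invoice", "payment", "bank details",
                 "remittance", "gift card")
MOBILE_SIGNATURES = ("sent from my iphone", "sent from my ipad",
                     "sent from my mobile", "sent from my android")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain within two edits of the company domain, but not equal to it."""
    return bool(domain) and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _body_text(msg) -> str:
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain", "html"))
        return part.get_content() if part else ""
    return msg.get_content()


def score_message(raw: str) -> list:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = _domain(reply_addr)
    text = (str(msg.get("Subject", "")) + "\n" + _body_text(msg)).lower()

    # Theme 1: authoritative figure inside the company, but from the wrong mailbox.
    name = display.strip().lower()
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("executive display name with non-corporate address")
    # FBI excerpt: spoofed or lookalike domain on the sender or the reply path.
    if is_lookalike(from_domain) or is_lookalike(reply_domain):
        findings.append("lookalike domain")
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from sender")
    # Theme 2: urgent action needed.
    if any(t in text for t in URGENCY_TERMS):
        findings.append("urgent language")
    # Funds or PII request, the usual BEC objective.
    if any(t in text for t in REQUEST_TERMS):
        findings.append("financial or PII request")
    # Theme 3: mobile signature used to excuse poor grammar.
    if any(s in text for s in MOBILE_SIGNATURES):
        findings.append("mobile signature")
    return findings


def is_suspicious(raw: str) -> bool:
    """Two or more independent indicators is a reasonable escalation threshold."""
    return len(score_message(raw)) >= 2


# Constructed sample messages (not real traffic).
SUSPICIOUS_MESSAGE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@webmail.example
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

Need you to process a wire transfer before close. Will send details shortly.
Sent from my iPhone
"""

BENIGN_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q2 planning notes
Content-Type: text/plain

Attached are the notes from this morning's meeting. No action needed this week.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, is_suspicious(raw), score_message(raw))
```

The checks are deliberately independent so that a single false positive (an executive genuinely mailing from a phone) does not escalate on its own; the threshold in `is_suspicious` is where a team would tune sensitivity against its own reported-mail volume.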
What is clear from the FBI announcement and PhishMe intelligence data is that BEC attacks, as with all threats, continue to grow in number and evolve to target unsuspecting users.
PhishMe offers a suite of software dedicated to helping organizations detect and respond to phishing attacks. PhishMe’s Phishing Defense Center helps customers identify and respond to BEC and other types of phishing attacks.
If you’re concerned you’ve been a victim of BEC fraud, contact the FBI at https://www.fbi.gov/contact-us
Learn why more than half of the Fortune 100 trusts PhishMe for end-to-end phishing mitigation. Request a free demo today, no obligations, no software to install.