Business Email Compromise (BEC) is a growing cybercrime epidemic, with staggering losses to businesses and organizations of all sizes.
BEC is a scheme in which an attacker uses fraudulent email to impersonate an executive, business contact or other trusted person in order to obtain a transfer of funds or sensitive information.
On July 16, 2019, the U.S. Treasury Financial Crimes Enforcement Network issued an advisory to financial institutions, which reported that BEC schemes had caused over $9 billion in losses to U.S. financial institutions and their customers since 2016. The FBI’s Internet Crime Complaint Center (IC3) 2018 Internet Crime Report (April 2019) reported that IC3 received 20,373 BEC complaints in 2018, with adjusted losses of $1.2 billion. The FBI issued a Public Service Announcement in July 2018, which reported 78,617 domestic and international incidents of BEC between October 2013 and May 2018, with $12.5 billion in exposed dollar loss.
BEC takes multiple forms. It sometimes involves spearphishing (fraudulent, targeted email) that appears to be from a business executive, business contact, or party to a transaction. It can also involve a fraudulent email from a legitimate email account to which a criminal has obtained access by social engineering or a computer intrusion. When BEC involves the takeover of a legitimate email account, it is called Email Account Compromise (EAC).
A common form of BEC is fraudulent wire transfer instructions: for example, an email appearing to be from the CEO or another senior official (COO, CFO, etc.) with instructions to immediately pay “a vendor,” or an email appearing to be from a vendor with new wire transfer instructions that point to a criminal’s account. A variation is an email that appears to be from the attorney or real estate agent for a seller, with fraudulent payment instructions for the proceeds of a real estate sale, or an email to a buyer that “hijacks” the wire transfer of the purchase price. Another common example is the W-2 scheme, in which a fraudulent email, appearing to be from a corporate officer, directs an employee in payroll to send copies of W-2 tax forms to him or her by email. The information from the W-2s is then used to obtain refunds by filing fraudulent electronic tax returns. In schemes involving EAC, the fraudulent emails may be sent from legitimate accounts.
Businesses and organizations can best prevent BEC/EAC and mitigate losses, if they occur, by:
- adopting policies and procedures (such as verifying and reconfirming payment instructions, changes to payment instructions, and requests for information through a channel other than email, and promptly reporting phishing attempts and security incidents),
- conducting ongoing security awareness training, including reminders,
- implementing security technology (like spam filters, external email flags, and use of secure email), and
- implementing incident response and prevention plans for BEC/EAC. Incident response plans should include steps like (1) notifying management, the bank, data breach counsel, the FBI and its Internet Crime Complaint Center (IC3), other law enforcement, and insurance carriers, (2) containing any compromise, by, for example, conducting a global password reset and checking for any suspicious email rules, and (3) preserving evidence.
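The containment step above calls for checking the compromised mailbox for suspicious email rules, which attackers create to forward payment-related mail to themselves and hide it from the account owner. The following is an added example, not part of the original advisory: it scores rules from a hypothetical export format (name, subject_contains, body_contains, forward_to, move_to, delete) against the traits typical of EAC; the organisation domain and the sample rules are constructed.

```python
"""Flag mailbox rules typical of an Email Account Compromise (EAC).
Added example with a hypothetical export format (name, subject_contains, body_contains,
forward_to, move_to, delete); map your mail platform's rule export onto it before use."""
ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk", "archive"}
BEC_KEYWORDS = ("invoice", "wire", "payment", "bank", "w-2", "urgent")

def assess_rule(rule: dict) -> list[str]:
    """Return the reasons a rule looks suspicious; an empty list means benign."""
    reasons = []
    # 1. Auto-forwarding outside the organisation lets the attacker read replies.
    for addr in rule.get("forward_to", []):
        if not addr.lower().endswith("@" + ORG_DOMAIN):
            reasons.append(f"forwards mail outside {ORG_DOMAIN}: {addr}")
    # 2. Deleting or hiding messages conceals the fraud from the account owner.
    if rule.get("delete", False):
        reasons.append("deletes matching messages")
    folder = rule.get("move_to", "")
    if folder.lower() in HIDE_FOLDERS:
        reasons.append(f"moves messages to rarely viewed folder '{folder}'")
    # 3. Filtering on payment vocabulary targets exactly the BEC traffic.
    text = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", [])).lower()
    hits = [k for k in BEC_KEYWORDS if k in text]
    if hits:
        reasons.append("filters on payment-related keywords: " + ", ".join(hits))
    # 4. Blank or punctuation-only names are common in attacker-created rules.
    if not rule.get("name", "").strip(" ._-"):
        reasons.append("blank or punctuation-only rule name")
    return reasons

def suspicious_rules(rules: list[dict]) -> list[tuple[str, list[str]]]:
    """Pair each suspicious rule's name with its reasons, in export order."""
    found = [(r.get("name", ""), assess_rule(r)) for r in rules]
    return [(name, reasons) for name, reasons in found if reasons]

# Constructed sample export (not real data): one benign rule, two EAC-style rules.
SAMPLE_RULES = [
    {"name": "Team alerts", "subject_contains": ["[JIRA]"], "move_to": "Tickets"},
    {"name": ".", "subject_contains": ["Invoice", "wire transfer"],
     "forward_to": ["acct.review@gmail.example"], "delete": True},
    {"name": "Vendor", "body_contains": ["payment"], "move_to": "RSS Feeds"},
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run it against every mailbox touched by the incident, not only the one that sent the fraudulent message, since the same rules are often planted in several accounts.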
If you have questions or would like assistance with preventing, preparing for, or responding to BEC/EAC incidents, please contact us.