Business Email Compromise Scams Continue to Grow With $5.3B in Losses

The FBI revises its figures on the impact of business email compromise, revealing a significant spike in reported attacks during 2016.

BEC Email Scam

Business email compromise (BEC) scams have resulted in $5.3 billion in financial losses since October 2013, according to new data released by the Federal Bureau of Investigation's Internet Crime Complaint Center (IC3), based on global reports.

BEC fraud, also known as email account compromise (EAC), is a type of scam where an attacker uses a phishing email to trick a company into paying fraudulent invoices and accounts payable requests.

The FBI has been warning the public about the dangers of BEC since at least January 2015, when it reported that the global impact of BEC attacks from Oct. 1, 2013, to Dec. 1, 2014, totaled $215 million. In June 2016, the FBI reported that the total value of BEC-related fraud losses had cumulatively grown to $3.1 billion.

The new FBI IC3 data reports a 2,370 percent increase in BEC fraud-related losses for the period between January 2015 and December 2016.  For the six-month period of June to December 2016, U.S.-based organizations alone reported $346 million in losses. 

No state was left untouched, with BEC scams reported in all 50 states. BEC isn't just a problem that plagues the United States either, with the IC3 data showing fraud in 131 countries. Globally for the period of June to December 2016, IC3 reported BEC fraud losses of $448 million.

Looking at where the money is going, IC3 reported that victims of BEC have sent fraudulent transfers to 103 countries, though Asia and specifically China and Hong Kong are the primary destinations.

The FBI report doesn't provide any specific details on how often BEC attackers are apprehended by law enforcement. However, an alleged attacker has been arrested in a recent high-profile BEC case. On March 21, the Department of Justice charged a lone individual in connection with a BEC scam that resulted in more than $100 million in losses from a pair of U.S. corporations. 

The IC3 isn't the only group that noticed a surge in BEC attacks in the latter part of 2016. Security firm Proofpoint reported on March 23 that it saw a 45 percent increase in BEC attacks in the last three months of 2016 compared with prior months. Seventy-five percent of Proofpoint's customers were attacked with at least one BEC attempt in the last three months of 2016.

While there are many types of BEC scams, Proofpoint's analysis found that certain email subject lines and words are more common than others.  Over 70 percent of BEC fraud emails include the words “urgent,” “payment” and “request.”

In its BEC update, the IC3 provides several recommendations for how to limit the risk of BEC fraud. Among the suggestions is for organizations to have some form of out-of-band communications channel to verify any significant money transfers and payments. Additionally, since BEC can often appear to come from legitimate email accounts, the FBI recommends that organizations implement two-factor authentication on corporate email accounts.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.