Spam Campaign Business E-mail Compromise Pilfers $215 Million

The FBI and Internet Crime Complaint Center warns of a very profitable spam campaign that has already claimed more than 2,000 victims globally.


The FBI and the Internet Crime Complaint Center (IC3) are warning of a spam email campaign known as the Business E-mail Compromise (BEC) that has resulted in the global victim dollar loss of $215 million so far.

The IC3 alert, which was issued on Jan. 22, provides statistics on the impact of the BEC campaign for the period of Oct. 1, 2013, to Dec. 1, 2014. During that period, the IC3 received complaints about BEC from 45 countries, with a combined victim count of 2,126. In the United States alone, the IC3 said there were 1,198 victims.

While victims in the United States represented 56 percent of all BEC victims globally, they accounted for 84 percent of the financial losses. In terms of financial losses, the BEC campaign has resulted in U.S. victim financial losses of $180 million, while the total non-U.S. victim dollar loss has been $35 million.

"The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments," the IC3 warned in its advisory.

The IC3 advisory warns of multiple BEC variants that trick unsuspecting companies into sending money to the attackers. One version of BEC asks a business to send a wire transfer to a supplier with whom the business already has a working relationship. The wire transfer account is, in fact, a fraudulent account.

"This particular version has also been referred to as 'The Bogus Invoice Scheme,' 'The Supplier Swindle,' and 'Invoice Modification Scheme,'" the IC3 warned.

In another variation of BEC, an employee's personal email account is compromised, and then fraudulent requests for invoice payment are sent to vendors on the employee's contact list.

The BEC scam warning doesn't come as a surprise to security experts contacted by eWEEK. Jonathan Spruill, senior security consultant at Trustwave, worked as a special agent in the U.S. Secret Service for nine years and has seen these kinds of scams before.

Spruill said that the dollar impact doesn't surprise him either, with attackers able to steal approximately $150,000 per victim. "It is likely within the range of what a criminal thinks they can con the victim into sending without raising suspicion," Spruill told eWEEK.

Eric Cowperthwaite, vice president of advanced security and strategy at Core Security, isn't surprised by the IC3's BEC warnings either.

"This is why I trained all of the executives about email attacks and scams and whaling attacks when I was CISO at Providence Health and Services," Cowperthwaite told eWEEK.

What did surprise Cowperthwaite was that U.S. losses were only $180 million. "This has been going on a long time; there are a lot of companies that have fallen victim to this," he said.

As to why the BEC scam is successful, Spruill said a conveyed sense of urgency, threat of legal action or other phraseology drives the victim to comply with the criminal's request.

Best Practices

The financial impact of BEC can be devastating to a company, but there are a number of proactive steps organizations can take to limit the risk. Spruill suggested that the old adage of "If it sounds too god to be true, it probably is" would prevent many from being victimized.

"It never hurts to verify the authenticity of a message and the true intentions of the purported sender if there is any doubt," Spruill said. "Using a technology product like a secure email gateway may help prevent the spoofed sender variety of these messages, and using digitally signed email may also help."

Cowperthwaite said that hardening organizations against BEC and similar attacks is an ongoing problem. He suggests that executives be trained to recognize potential attacks. There should also be accounting controls in place to limit risk.

"Finance should establish policy requiring two executives to independently authorize wire transfers above a specific amount," Cowperthwaite suggested. "The amount should be based on the risk tolerance of the company—i.e., how much financial loss can they tolerate versus the inconvenience of requiring two signatures."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.