FBI Announcement on BEC Scams Reveals Losses Up to $43 Billion

The Federal Bureau of Investigation (FBI) has released a public service statement cautioning about the risk of Business Email Compromise/Email Account Compromise (BEC/EAC) frauds. The number of attacks documented by the FBI Internet Crime Complaint Center (IC3) and the sum of money lost because of these scams is growing every year. Losses due to BEC/EAC scams went up by 65% from July 2019 to December 2021.

BEC/EAC scams are the major reason for losses to cybercrime. From June 2016 to December 2021, IC3 obtained 241,206 complaints concerning local and international BEC/EAC attacks having documented losses greater than $43.3 billion. The IC3 2021 Internet Crime Report reveals that affected individuals reported losses involving $2.4 billion in 2021 associated with 19,954 complaints – about a third of all losses due to cybercrime in 2021. The exact losses due to these scams are unquestionably much larger, as numerous affected individuals do not submit scam reports to the FBI, particularly when losses are fairly small.

BEC/EAC scams entail breaching email accounts and utilizing those accounts to send out email messages to companies and people who execute legit funds transfers asking for bogus transfers or modifications to bank account details for forthcoming payments. Statistical information indicates that the transfers’ destination accounts are most often offshore. The FBI states bogus transfers to banks located in 140 nations had been made, with Thailand leading the list then Singapore, Hong Kong, Mexico, and China.

The number of complaints regarding BEC/EAC scams relating to cryptocurrencies is increasing. BEC/EAC scams concerning cryptocurrencies had been received by IC3 initially in 2018 during which losses were below $5 million. In 2021, the reported cryptocurrency losses due to BEC/EAC scams were $40 million.

Although it is typical for scammers to attack big companies that regularly conduct transfers of huge amounts of money, companies of different sizes were attacked such as small local companies and individuals. The FBI claims scams were reported locally in the 50 states, and from victims located in 177 nations.

BEC/EAC scams are done often because the success rate and the ROI are very high. Bogus transfers are frequently for thousands up to millions of dollars. The high success rate is a result of trust abuse. The emails asking for transfers were from trusted individuals’ email accounts, like company managers, vendors, and enterprise partners, and the transfer requests or bank account adjustments are often not validated. The scams may also target sensitive information, for example, the personally identifiable data of workers in W-2 forms.

Businesses and people ought to do something to be secure against BEC/EAC scams. These tricks usually begin with phishing emails to acquire credentials to email accounts, therefore using a spam filtering tool to stop the preliminary phishing emails can aid in preventing the compromise of email accounts. 2-factor authentication must likewise be put in place to avoid the use of stolen credentials to gain access to email accounts. Password guidelines must be adopted and enacted to avoid the use of weak passwords, which are susceptible to brute force attacks.

Companies ought to do security awareness training to educate workers on how to identify phishing emails as well as BEC/EAC scams then teach them to be skeptical of any email message that asks for PII or login credentials of any kind. The email messages may appear to originate from trusted people and the basis for giving data usually looks legit.

It is essential to confirm the email address employed to send email messages to make sure that the name and email address of the sender match, and to cautiously examine any URLs in email messages to be sure they are linked to the company or individual they assert to be from. Workers must be cautious of hyperlinks that might include misspelled name of the actual domain. Workers’ computers and company-issued mobile phones ought to be set up to permit the viewing of complete email extensions.

Considering that these scams usually involve breached email accounts of the company and of vendors, it is necessary to have secondary channels or two-factor authentication to validate requests for alterations to username and passwords and wire transfers, and companies and individuals must keep track of their financial accounts carefully for problems like lost deposits.

Affected individuals of BEC/EAC scams must promptly report the occurrences to their financial company and ask for a refund, and must additionally submit a complaint with IC3. The Recovery Assist Team of IC3 started the Financial Fraud Kill Chain (FFKC) in 2021 for 1,726 BEC complaints affecting domestic to domestic financial transactions with a possible $443,448,237 in losses and obtained a 74% success rate, freezing of funds amounting to $329 million.

Twitter Facebook LinkedIn Reddit Copy link Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.