In a recent public service announcement released by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) revealed the true extent and costs associated with Business Email Compromise (BEC) scams. IC3 in the announcement reported that there had been a 100% increase in BEC scams for the period of May 2018 to June 2019. BEC scams involve the spoofing of corporate email accounts known for conducting wire transfers across the globe to suppliers in different countries. Using numerous techniques, malware variants, and social engineering the scammers fraudulently wire funds, or in some cases convince employees to wire funds, to accounts under their control. These scams have seen increased rates of success as scammers often started impersonating CEOs and other positions of power to better trick employees.
In the announcement not only is the increase in such attacks given but the number of complaints received by the department. From June 2016 IC3 received 166,349 complaints both domestically and internationally. The department estimated that such scams have resulted in an estimated dollar loss of 26 billion. Importantly the scams do not only target large corporation but small and medium-sized businesses as well. A factor to be considered in the 100% increase is the increased awareness, both in the public and corporate spheres, of the scams. This increased awareness has attributed to more victims reporting complaints and opening cases. Such scams have been reported in 177 countries, along with funds been fraudulently sent from nearly 140 countries.
The data and statistics were compiled by IC3 along with data received by international and domestic law enforcement agencies across the globe. Along with law enforcement agencies, financial institutions also contributed data to create a better picture of the scams and the financial losses it causes.
The announcement also defines other scams as BEC scams. IC3 also now classifies payroll diversion schemes that include an intrusion event with this type of fraud. This type of scam involves the attacker from gaining employee credentials via a phishing attack, then by using those credentials to change a victim’s banking details to ones controlled by the attacker. Salaries and wages are then paid to the attacker. The total loss recorded for such payroll diversion scams has amounted to over eight million USD, and a total of 1,053 complaints received since 2013. IC3 stated that,
“Payroll diversion schemes that include an intrusion event have been reported to the IC3 for several years. Only recently, however, have these schemes been directly connected to BEC actors through IC3 complaints.”
In defending against such attacks the IC3 advises the following precautionary measures:
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PII in response to any emails.
- Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
- Keep all software patches on and all systems updated.
- Verify the email address used to send emails, especially when using a mobile or handheld device by ensuring the senders address email address appears to match who it is coming from.
- Ensure the settings the employees’ computer are enabled to allow full email extensions to be viewed.
Not All Bad News
In conjunction with the announcement by IC3, the US Department of Justice issued a press release detailing the arrests of 281 people over a four-month period in relation to BEC scams. The arrests come as part of Operation reWired which was a coordinated effort between US law enforcement agencies as well as multiple law enforcement agencies from several countries. The Department of Justice (DoJ) summarised Operation reWired as,
“a significant coordinated effort to disrupt Business Email Compromise (BEC) schemes that are designed to intercept and hijack wire transfers from businesses and individuals, including many senior citizens.”
Further, according to Chief Don Fort of IRS Criminal Investigation,
“In unraveling this complex, nationwide identity theft and tax fraud scheme, we discovered that the conspirators stole more than 250,000 identities and filed more than 10,000 fraudulent tax returns, attempting to receive more than $91 million in refunds,”
The operation resulted in 167 arrests in Nigeria, 18 in Turkey, and 15 in Ghana, with several others also made in France, Italy, Japan, Kenya, Malaysia, and the UK. Added to this the operation led to the seizure of approximately 3.7 million USD. The losses were collected by BEC scammers after redirecting wire payments as part of fraud schemes that trick businesses and individuals into sending funds to attacker-controlled bank accounts, in what appears to be the run of the mill BEC scams described above.
While the arrests and wire transfers managed to be recalled and sent to the sending accounts is undoubtedly good news, the operation is good news for another reason. The operation, funded and coordinated by the FBI, can serve as a future blueprint for further operations which involve international cooperation. Following the successes of No More Ransom, it is hoped that further arrests will follow other operations looking to curb cybercrime. Further, the DoJ advises that if you believe you are a victim of a BEC scam you are encouraged to file a complaint with IC3, further they explain the work of IC3 as,
“The IC3 staff reviews complaints, looking for patterns or other indicators of significant criminal activity and refers to investigative packages of complaints to the appropriate law enforcement authorities in a particular city or region. The FBI provides a variety of resources relating to BEC through the IC3, which can be reached at www.ic3.gov.”