Email is the preferred communication method for businesses around the world. It’s also the preferred attack vector for cybercriminals due to its ease of use and low cost, and since the beginning days of email, spam techniques have continued to evolve into a variety of sophisticated threats.
One particularly menacing threat that is continuing to grow in popularity is Business Email Compromise (BEC).
BEC attacks (also known as whaling, spear-phishing or CEO fraud) use various deception tactics to impersonate a trusted contact. They employ a combination of research and social engineering techniques to impersonate business executives, real-estate firms, title companies, law firms, and even the FBI in an attempt to elicit transfers of large sums of money or the exchange of personally identifiable information (PII), which can be used in future BEC attacks and other types of cybercrime. Victims of BEC attacks are often tricked into believing they are carrying out a routine transaction, such as filling an order with a supplier, transferring funds for an executive, or sending sensitive data to an HR representative.
With the exception of those with spoofed sender addresses, many BEC attacks are sent from valid email addresses using credentials obtained through phishing, brute force attacks, or data obtained in a database breach like the ones that hit Equifax in 2017 or T-Mobile in 2019. And with Q1 2020 seeing a record number of data breaches, this trend is likely to continue.
Well-crafted BEC attacks pose a serious threat to businesses of all sizes due to their sophistication. They contain no malware, malicious links, or attachments. As a result, in many cases they are often able to bypass spam filters and secure email gateways, making them especially dangerous.
Watch Out for These Common Scams
Some of the most common examples of Business Email Compromise include:
- Real Estate Transactions: During a real estate transaction, criminals may impersonate sellers, realtors, title companies, or law firms to trick the home buyer into transferring funds into a fraudulent account.
- Data and W-2 Theft: Criminals use a spoofed or compromised executive email account to send fraudulent requests for W-2 information or other personally identifiable information to HR staff or others within the business who maintain confidential employee records.
- Supply Chain: Criminals send fraudulent wire transfer requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by organized crime groups.
- Law Firms: Criminals discover information about pending litigation or trusts and impersonate a law firm’s client to change the recipient bank information to a fraudulent account.
Global Losses to Business Email Compromise Doubled from 2018 to 2019
The statistics are staggering. Between June 2016 and July 2019, over 166,000 BEC incidents were reported, at an estimated total loss of over $26 billion. In just the one year period between May 2018 and July 2019, there was a 100 percent increase in reported global losses.
Based on victim complaint data, BEC scams targeting the real estate industry are on the rise. From 2015 to 2017, there was over an 1100% rise in the number of victims of real estate BEC scams and an almost 2200% rise in financial losses. May 2018 had the highest number of real estate victims since 2015, and September 2017 reported the highest victim loss.
Recent High-Profile Incidents of BEC Scams
Earlier this year, the Norwegian Investment Fund lost over $10 million to a Business Email Compromise scam.
Washington state recently lost millions of dollars in unemployment funds to an online scam.
In 2013, Google and Facebook lost over $100 million in a scheme that impersonated a large Asian manufacturer.
In August, 2017, MacEwan University lost almost $12 million to a spear-phishing campaign that impersonated a construction and contracting company.
In June, 2017, a New York judge lost over $1M in Real Estate Scam that began as an email claiming to come from her real-estate lawyer.
And in 2018, a report surfaced about a Dutch cinema chain losing over $21.5 million to a “strictly confidential” funds transfer request sent to the company’s CFO.
Despite efforts to raise awareness of these scams, BEC attacks will continue to be persistent and evasive, leading to large financial fraud losses for businesses and data breaches for healthcare and government organizations.
Why are Business Email Compromise threats so dangerous?
Business Email Compromise attacks are designed to bypass standard security mechanisms such as spam filters and anti-virus software, and are dangerous for a variety of reasons.
- They contain no malware. BEC attacks normally don’t contain malware. Instead, they use crafty social engineering to trick users into thinking they are legitimate.
- They are able to bypass many spam filters. BEC scams are often well-crafted with no spelling or grammatical errors. As a result, they are often able to bypass many spam filters.
- They are highly personalized. Scammers take their time researching the victim long before an attack is launched. They scour public websites, social media, and even the dark web to find specific information, including names and background information of company executives. Armed with this information and with knowledge of an executive’s writing style, their emails appear authentic.
What is being done to stop BEC attacks?
Multiple countries have launched a coordinated effort to dismantle international BEC schemes. This effort, known as Operation WireWire and involving the Department of Homeland Security, the Department of the Treasury, and the U.S. Postal Service, resulted in 74 arrests across multiple countries. Unfortunately, these attacks will continue as long as human nature can be exploited for personal gain. In fact, a recent report by Get Safe Online indicated that over a third (37%) of employees don’t know what to look for to identify common email scams. The report also stated that one in 20 email fraud victims were so ashamed that they hid their mistakes from their colleagues.
Businesses of all sizes must remain vigilant against these threats. As the old saying goes, knowledge is power, and knowing how BEC attacks are launched and how to identify and avoid them is key.