Business Email Compromise is Costing Businesses Billions

Would you ignore an email from your boss? Scammers know you probably won’t.

An in-depth investigative study by the Better Business Bureau finds that business email compromise scams are skyrocketing in frequency and have cost businesses and other organizations more than $3 billion since 2016.

This serious and growing fraud has tripled over the last three years, jumping 50% in the first three months of 2018 compared to the same period in 2017. In 2018, 80% of businesses received at least one of these emails. From 2016 through May 2019, the Internet Crime Complaint Center (IC3) received 58,571 complaints on BEC fraud, with reported losses in the U.S. totaling $3.1 billion. BBB’s report finds that the average BEC loss involving wire transfers is $35,000, while the average loss involving gift cards is $1,000 to $2,000. However, the cost to businesses can be much higher: Google and Facebook lost more than $100 million to BEC fraud before the perpetrator was arrested in 2017.

Business email compromise (BEC) fraud is an email phishing scam that typically targets people who pay bills in businesses, government and nonprofit organizations. It affects both big and small organizations, and it has resulted in more losses than any other type of fraud in the U.S., according to the Federal Bureau of Investigation (FBI).

What is BEC fraud?

BEC fraud takes many forms, but in essence, the scammer poses as a reliable source who sends an email from a spoofed or hacked account to an accountant or chief financial officer (CFO), asking them to wire money, buy gift cards or send personal information, often for a plausible reason. If money is sent, it goes into an account controlled by the con artist.

The FBI recognizes at least six types of activity as BEC or email account compromise (EAC) fraud, which differ based on who appears to be the email sender – a chief executive officer (CEO) asking the CFO to wire money to someone, a vendor or supplier requesting a change in invoice payment, executives requesting copies of employee tax information, senior employees seeking to have their pay deposited into a new bank account, an employer or clergyman asking the recipient to buy gift cards on their behalf, even a realtor or title company redirecting proceeds from a real estate sale into a new account. These targeted email phishing scams are sometimes called “spear phishing.”

The investigative study – “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise Scams (BEC)” – looks at the prevalence of BEC scams and the criminal systems that perpetrate them. It digs into the scope of the problem, who is behind it, the multi-pronged fight to stop it and the steps consumers can take to avoid it.

Is This Happening in Connecticut?

In September 2018, a defendant was sentenced in New Haven to 32 months of imprisonment and three years of supervised release for his participation in a scheme that fraudulently obtained the W-2 information of approximately 1,600 Glastonbury Public Schools employees. This resulted in 122 suspicious Forms 1040 filed electronically with the IRS in the name of victims with claimed tax refunds totaling $596,897. According to court documents, an employee of the Glastonbury Public Schools received an email that appeared to be sent by another Glastonbury school system employee. The email contained a request to send W-2 tax information for all employees of the school system.

In December 2018, a defendant was sentenced in New Haven to 45 months of imprisonment for his role in a scheme that targeted hundreds, if not thousands, of CEOs, CFOs, controllers and others at businesses, nonprofit organizations, and schools in Connecticut and across the United States. As part of the scheme, the defendant and others sent e-mails addressed to executives that were made to appear to be sent from the legitimate e-mail address of the CEO or other executive from the business. The emails were sent with the intent of having the recipients send or wire money to bank accounts used by members of the conspiracy.

Also in December 2018, Fairfield’s Save the Children said it was the victim of a $1 million cyber scam. According to the organization, hackers infiltrated an employee’s email, posed as another employee, and created false invoices and other documents to fool the charity into sending nearly $1 million to a fraudulent entity in Japan.

Who is Behind this Fraud?

According to BBB’s report, the majority of defendants who have been arrested or charged for BEC fraud in the U.S. over the last three years are of Nigerian origin. The report says 90% of BEC groups operate out of Nigeria, with other Nigerian fraud groups operating from the U.S., Canada and many other countries around the world.

How to protect your organization

BBB Serving Connecticut urges businesses and other organizations to take the following technical precautions in order to protect themselves from BEC fraud.

  • Require multifactor authentication. Examples include sending a text message with a code that must be entered to log in, answering a phone call to a number designated by the user or using thumbprints to unlock smartphones.
  • Change settings so that all emails coming from outside an organization are flagged with a warning. For example, one setting identifies emails from outside the organization, and when delivered, a line is added in red type stating: “This email comes from an external email address.”
  • Monitor email rules. In situations where someone has hacked into email accounts, fraudsters often set rules that automatically forward all emails to them and prevent the real email account owner from noticing.
  • Limit the number of times people can enter incorrect login information. This will stop brute force attacks that try many different passwords until they find one that works.
  • Verify changes in information about customers, employees or vendors. Crooks can log into online accounts and change account information, phone numbers and email or mailing addresses to ones they control. If an employee or vendor claims that their contact information has changed, ensure that the old contact information is no longer active by trying to reach the person using the old information.
  • Confirm requests by phone before acting. Most BEC fraud could probably be stopped if employees who were directed to send money simply called the person supposedly asking for it and asked them to confirm the request. Emails aren’t sufficient to ensure you are talking to the right person. Pick up the phone or walk down the hall.
  • Train all employees in internet security. Busy executives may just label this “an IT issue” and leave it to the staff to handle. IT staff may not be aware of the scope of risks, and some IT measures require comprehensive staff training in order to be effective.
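The forwarding-rule check from the list above, as an added example that is not part of the BBB report: it scans an export of mailbox rules and flags any rule that forwards mail to an address outside the organization, noting when the rule also deletes, marks as read or files the forwarded mail where the owner will not see it. The domains, addresses, rule names and record layout are constructed for the example; nothing is read from a real mail server.

```python
# Added example: detect the BEC pattern of a mailbox rule that forwards mail
# outside the organization and hides the forwarded mail from the owner.
# Rule records are constructed; field names loosely mirror mail-server
# "inbox rule" attributes but no mail server is contacted.
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed: the organization's own mail domains.
INTERNAL_DOMAINS: Set[str] = {"example-school.org", "mail.example-school.org"}

# Folders an owner rarely opens; mail moved here is effectively hidden.
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "junk email",
                "deleted items", "archive", "conversation history"}

@dataclass
class InboxRule:
    mailbox: str                 # owner of the mailbox the rule lives in
    name: str
    forward_to: List[str] = field(default_factory=list)  # forward/redirect targets
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: str = ""

def is_external(address: str, internal_domains: Set[str]) -> bool:
    """True when the address's domain is not ours (a malformed address counts as external)."""
    _, sep, domain = address.rpartition("@")
    return not sep or domain.lower() not in internal_domains

def assess_rule(rule: InboxRule, internal_domains: Set[str]) -> List[str]:
    """Return the reasons a rule is suspicious; an empty list means it looks benign."""
    external = [a for a in rule.forward_to if is_external(a, internal_domains)]
    if not external:
        return []                # forwarding inside the organization is normal workflow
    reasons = ["forwards to external address: " + ", ".join(external)]
    hides = (rule.delete_message or rule.mark_as_read
             or rule.move_to_folder.lower() in HIDE_FOLDERS)
    if hides:
        reasons.append("hides forwarded mail from the mailbox owner")
    return reasons

def find_suspicious(rules: List[InboxRule],
                    internal_domains: Set[str] = INTERNAL_DOMAINS) -> Dict[str, List[str]]:
    """Map '<mailbox>/<rule name>' to its reasons for every externally forwarding rule."""
    return {f"{r.mailbox}/{r.name}": reasons
            for r in rules if (reasons := assess_rule(r, internal_domains))}

# Constructed sample export: one normal delegation rule and two attacker-style rules.
SAMPLE_RULES = [
    InboxRule("payroll@example-school.org", "To assistant", ["assistant@example-school.org"]),
    InboxRule("cfo@example-school.org", "Invoices", ["cfo.example@freemail.invalid"], delete_message=True),
    InboxRule("hr@example-school.org", ".", ["w2.collect@freemail.invalid"], move_to_folder="RSS Subscriptions"),
]

if __name__ == "__main__":
    for key, why in find_suspicious(SAMPLE_RULES).items():
        print(key, "->", "; ".join(why))
```

Run the same check on every mailbox rule export at a regular interval; a new external forward on a finance or HR mailbox is worth a phone call to the owner before anything else.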

What to do if your organization has lost money to a BEC fraud

  • If an organization finds that it has been a victim of a BEC fraud, it needs to immediately call its bank to stop the payment and report it to the FBI. If a report is filed within 48 hours, there is a chance the money can be recovered.
  • Complain to the FBI’s Internet Crime Complaint Center. IC3 also asks people to report unsuccessful BEC attempts.
  • Report fraud to BBB Scam Tracker.