Business e-mail compromise – BEC crimes are a serious problem for companies, hackers have sought to steal more than $3.1 billion from businesses exploiting this practice, the Federal Bureau of Investigation recently warned.
The data are even more worrisome if we consider the increment of BEC crimes observed in the last year, according to the FBI losses represent a 1,300 percent increase since January 2015.
Last update on data related BEC scams was shared by the FBI in an alert issued in April 2016, according to the Bureau, the cyber criminals have stolen more than $2.3bn from 17,642 victims since 2013 in BEC attacks. Each company has lost between $25,000 and $75,000 per attack.
What is a BEC scam?
“BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” reported the last Public Service Announcement (PSA). “Most victims report using wire transfers as a common method of transferring funds for business purposes; however, some victims report using checks as a common method of payment. The fraudsters will use the method most commonly associated with their victim’s normal business practices.”
Scammers use to pretend to be executives that send emails to employees that tricked into thinking the messages are legit, hand over sensitive information to the attackers.
The impact of such kind of scams could be dramatic, the Austrian engineering firm FACC which designs Airbus, Boeing aero parts lost about 50 million euros ($55 million) due to a BEC scam.
In May, the FBI issued the annual Internet Crime Complaint Center (IC3) report that indicates 7,838 victims reported the loss of more than $263 million.
Now the FBI has updated its data reporting 22,143 worldwide BEC victims representing $3.1 billion in losses since January 2015. In the US the FBI counted 14,032 U.S. BEC victims representing $961 million dollars in losses between October 2013 and May 2016.
The data is alarming for the US authorities, 88 percent of all worldwide victims being U.S.-based and 90 percent of losses coming from US businesses.
“The BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300% increase in identified exposed losses. The scam has been reported by victims in all 50 states and in 100 countries. Reports indicate that fraudulent transfers have been sent to 79 countries with the majority going to Asian banks located within China and Hong Kong.“ continues the PSA.
In order to avoid such kind of scams, the FBI recommends companies control the attack surface, carefully manage every corporate information is shared online, especially hierarchical information, job descriptions, and out of office details. Be suspicious of requests for secrecy or pressure to take action quickly. Consider additional IT and financial security procedures, including the implementation of
Let me close with statistics included in the PSA:
Domestic and International victims: 22,143
Combined exposed dollar loss: $3,086,250,090
The following BEC statistics were reported in victim complaints to the IC3 from October 2013 to May 2016:
Domestic and International victims: 15,668
Combined exposed dollar loss: $1,053,849,635
Total U.S. victims: 14,032
Total U.S. exposed dollar loss: $960,708,616
Total non-U.S. victims: 1,636
Total non-U.S. exposed dollar loss: $93,141,019
(Security Affairs – Business e-mail compromise BEC , FBI)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.