Business email compromise (BEC) attacks are cybersecurity threats that all business leaders — not just those with “Security” in their titles — should be taking note of for three simple reasons:
- They directly target individuals with means and access.
- They often skirt technical defenses.
- A single successful attack can deliver a crippling financial blow.
The US Federal Bureau of Investigation (FBI) has tracked BEC (also described as email fraud, and grouped by the FBI with the closely related email account compromise, or EAC) domestically and globally since October 2013. The recent trends in fraudulent wire transfers and unauthorized disclosures of employee data are alarming:
- Total identified global exposed losses now exceed $12.5 billion (up from $5.3 billion in December 2016).
- More than 30,000 victim complaints were submitted between June 2016 and May 2018 through the recently launched Internet Crime Complaint Center (IC3) complaint form.
- BEC scams targeting the real estate sector rose more than 1,100% between 2015 and 2017.
- Wage and tax documentation BEC scams extend the threat beyond wire transfers and continue to grow. The US Internal Revenue Service (IRS) indicated it received approximately 900 reports of Form W-2 scams in 2017 (compared to just over 100 reports in 2016).
As was noted in the recent Proofpoint Email Fraud Threat Report, this issue affects organizations of all sizes, in all sectors. And the numbers don’t lie: comparing the BEC statistics from the last four FBI public service announcements (PSAs) on this threat makes clear that cybercriminals have firmly embraced this form of social engineering attack.
| | August 2015 FBI PSA | June 2016 FBI PSA | May 2017 FBI PSA | July 2018 FBI PSA |
|---|---|---|---|---|
| Identified exposed losses | More than $1.2 billion | Nearly $3.1 billion | More than $5.3 billion | More than $12.5 billion |
| Global reported incidents | 8,179 | 22,143 | 40,203 | 78,617 |
| Countries reporting BEC scams | 79 | 100 | 131 | 150 |
| Countries receiving fraudulent transfers | 72 | 79 | 103 | 115 |
Note: All data points (unless otherwise noted) represent cumulative global totals tracked from a start date of October 2013.
To Defend Against BEC Attacks, You Must Engage Your Employees
There is no escaping the fact that people are the last line of defense against BEC attacks. Cybercriminals are using phishing emails, vishing (voice phishing) phone calls, pretexting, and other social engineering techniques to craft highly believable BEC campaigns designed to trick your end users into making costly mistakes. Technical safeguards such as email authentication and filtering can only do so much: a message from a registered look-alike domain, or from a supplier mailbox the attacker has genuinely taken over, passes those checks and arrives with nothing technically wrong with it. That is why security awareness training on this particular topic is so critical.
When it comes to BEC prevention, the I’s have it:
- Identify potential targets within your organization (like controllers, accountants, HR representatives, etc.).
- Inform users about the BEC threat and the ways cybercriminals will try to mislead them (our infographic can help).
- Instruct users to be immediately suspicious of any payment request that includes “updated” banking or routing information.
- Implement a second, out-of-band verification step (such as a voice-to-voice confirmation using a phone number already on file, never one supplied in the request itself) for wire transfers and requests for employees’ tax or person.
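The four points above can be turned into a triage check that runs before a finance or HR request reaches a person. The script below is an added example written for this page, not Proofpoint code or a product feature; the corporate domain, the executive directory, the supplier domain and all four messages are constructed for illustration. It goes a little beyond the list by scoring the header tricks attackers pair with these requests (an executive's display name on an outside mailbox, a diverted Reply-To, a look-alike domain) alongside the request types the article names (changed banking or routing details, wire transfers, W-2s, pressure to act now). A high score means "hold and verify out of band", not "block": a request sent from a genuinely compromised account shows none of the header indicators, which is exactly why the callback step exists.

```python
import re
from dataclasses import dataclass

# --- Assumed environment (constructed for this example, not taken from the article) ---
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}   # own domain plus one trusted supplier
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # display name -> the executive's real mailbox
TARGET_ROLES = {"controller", "accountant", "accounts payable", "payroll", "hr"}

# (regex, points, label) for the request types BEC campaigns rely on
REQUEST_PATTERNS = [
    (r"\b(updated|new|changed)\b.{0,40}\b(bank|banking|routing|account|iban|swift)\b", 3, "updated banking/routing details"),
    (r"\bwire\b.{0,30}\btransfer\b|\bpayments?\b", 2, "wire transfer / payment request"),
    (r"\bw-?2\b|\btax (form|document)s?\b", 3, "W-2 / tax document request"),
    (r"\b(urgent|asap|immediately|today|confidential)\b", 1, "urgency or secrecy pressure"),
]


@dataclass
class Email:
    from_name: str
    from_addr: str
    reply_to: str        # empty string when the header is absent
    recipient_role: str  # recipient's job function, from the HR directory
    subject: str
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike domains such as supp1ies vs supplies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(msg: Email) -> tuple[int, list[str]]:
    """Return (score, findings); each finding is one BEC indicator present in the message."""
    findings, score = [], 0

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        findings.append(why)

    from_dom = domain(msg.from_addr)
    reply_dom = domain(msg.reply_to) if msg.reply_to else from_dom
    name = msg.from_name.strip().lower()

    # 1. An executive's name on a mailbox that is not theirs (display-name impersonation).
    if name in EXECUTIVES and msg.from_addr.lower() != EXECUTIVES[name]:
        hit(4, f"display name '{msg.from_name}' but sender is {msg.from_addr}")
    # 2. Replies diverted to another domain; this also catches a spoofed From header.
    if reply_dom != from_dom:
        hit(2, f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Sender domain within two edits of a domain we trust (registered look-alike).
    if from_dom not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if edit_distance(from_dom, known) <= 2:
                hit(3, f"look-alike domain {from_dom} (mimics {known})")
                break
    # 4. Recipient sits in a role that moves money or holds employee data.
    if msg.recipient_role.lower() in TARGET_ROLES:
        hit(1, f"recipient role '{msg.recipient_role}' is a typical BEC target")
    # 5. The request itself: changed bank details, wires, W-2s, pressure to act now.
    text = f"{msg.subject} {msg.body}".lower()
    for pattern, points, label in REQUEST_PATTERNS:
        if re.search(pattern, text):
            hit(points, label)
    return score, findings


def verdict(score: int) -> str:
    if score >= 6:
        return "hold: verify out of band before acting"
    if score >= 3:
        return "review"
    return "ok"


# Constructed sample messages: CEO fraud, supplier bank-change, benign, W-2 request.
SAMPLES = [
    Email("Jane Doe", "jane.doe.ceo@gmail.com", "", "controller", "Urgent wire transfer",
          "Pat, I need you to process a wire transfer of $48,200 today to close an acquisition. "
          "Keep this confidential, I am in meetings and can only reply by email."),
    Email("Accounts Receivable", "billing@acme-supp1ies.com", "", "accounts payable",
          "Updated remittance details",
          "Please note our bank account and routing number have changed. "
          "Send all future payments to the new account below."),
    Email("Jane Doe", "jane.doe@example.com", "", "controller", "Q3 board deck",
          "Can you send me the latest revenue figures for the board deck by Friday? Thanks."),
    Email("Jane Doe", "jane.doe@example.com", "jane.doe@outlook.com", "hr", "W-2s",
          "Please send me the W-2 forms for all employees as PDF today."),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        score, findings = analyze(msg)
        print(f"{score:>2}  {verdict(score):<42} {msg.subject}")
        for finding in findings:
            print("     -", finding)
```

Note that the fourth sample carries the executive's real address in From and is caught only by the diverted Reply-To; SPF/DKIM/DMARC would reject that spoof at the gateway, but they say nothing about the first two samples, whose headers are entirely legitimate for the attacker's own mailbox.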