The FBI Updates Their Numbers And BEC Is Now A 26 Billion Dollar Scam

FBI's Internet Crime Complaint Center (IC3) says that Business Email Compromise (BEC) scams —aka CEO Fraud—are continuing to grow every year, with a 100% increase in the identified global exposed losses between May 2018 and July 2019.

Also, between June 2016 and July 2019, IC3 received victim complaints regarding 166,349 domestic and international incidents, with a total exposed dollar loss of over $26 billion. "One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information or Wage and Tax Statement (W-2) forms," adds IC3.

The scam behind losses worth billions

Even though the number of BEC scams has also grown, the heightened awareness regarding this type of fraud scheme has also contributed to more reports coming from victims from all over the world which also added to the increased exposed losses reported for the last twelve months.

BEC scams have been reported throughout all U.S. States and in 177 countries around the world according to IC3, with scam-related transfers having been sent to banks from roughly 140 countries.

While accounts from banks from China and Hong Kong were the recipients of the largest share of fraudulent transfers, the FBI has also observed "an increase of fraudulent transfers sent to the United Kingdom, Mexico, and Turkey."

Defensive measures against BEC scams

IC3 provides the following guidelines for employees containing both reactive measures and preventative strategies:

Use secondary channels or two-factor authentication to verify requests for changes in account information.
Ensure the URL in emails is associated with the business it claims to be from.
Be alert to hyperlinks that may contain misspellings of the actual domain name.
Refrain from supplying login credentials or PII in response to any emails.
Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
Keep all software patches on and all systems updated.
Verify the email address used to send emails, especially when using a mobile or handheld device by ensuring the senders address email address appears to match who it is coming from.
Ensure the settings the employees’ computer are enabled to allow full email extensions to be viewed.

In addition, to make sure that their employees will not fall victims to BEC attacks, companies have to implement strict vendor processes to check and authenticate payment info changes via multiple types of methods. And as always, many of the above bullets can be achieved by new-school security awareness training.

Can hackers spoof an email address of your own domain?

Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.

Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.

Find out now if your domain can be spoofed. The Domain Spoof Test (DST) is a one-time free service. Run this test so you can address any mail server configuration issues that are found.