What Is Worse Than Ransomware? Business Email Compromise


You are getting your Scam Of The Week early. 

Yesterday, the FBI, via its Internet Crime Complaint Center (IC3), announced some shocking numbers.

There has been a 270 percent spike in victims and cash losses from a skyrocketing scam in which cybercriminals spoof emails from executives at a victim organization to trigger unauthorized international wire transfers.

According to the new FBI report, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.

In January 2015, the FBI released stats showing that between Oct. 1, 2013 and Dec. 1, 2014, some 1,198 companies lost a total of $179 million in business e-mail compromise (BEC) scams, also known as "CEO fraud."

Yesterday's figures show an incredible 270 percent increase in identified victims and exposed losses. Taking international victims into account, losses from BEC scams total more than $1.2 billion, the FBI said.

There is a clear pattern you need to watch out for. It often begins with the scammers phishing an executive, dropping a Trojan, and gaining 24/7 access to that individual's inbox. They then research the organization and monitor the account for months, waiting for the right circumstances (the CEO traveling, a deal closing) before they pounce. At that point they send employees in accounting messages that appear to come from the CEO, either by spoofing the CEO's address outright or by sending from a look-alike domain name that is one or two letters off from the target company's true domain name.
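The look-alike domain part of that pattern is something you can check for mechanically. The following is an added example, not code from the original post or from KnowBe4: it scores the sender domain of a message against the organization's real domain by edit distance, treats a same-label/different-TLD swap as a look-alike too, and separately flags a message whose From is the real domain but whose Reply-To points elsewhere. The domain `example-corp.com` and the sample headers are constructed for the example.

```python
"""Look-alike sender domain triage for BEC / CEO-fraud style email.

Added example (not from the original post). TRUE_DOMAIN and the sample
headers below are constructed; adjust MAX_DISTANCE to taste.
"""
import re

TRUE_DOMAIN = "example-corp.com"  # assumed: the organization's real domain
MAX_DISTANCE = 2                  # "one or two letters off" -> edit distance <= 2


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def extract_domain(header_value: str) -> str:
    """Return the lowercased domain from 'Name <user@domain>' or 'user@domain'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", header_value.strip())
    return m.group(1).lower() if m else ""


def classify_sender(from_header: str, reply_to: str = "",
                    true_domain: str = TRUE_DOMAIN,
                    max_distance: int = MAX_DISTANCE) -> str:
    """Classify one message as internal, reply-to-mismatch, lookalike,
    external or unparseable, based only on From and Reply-To."""
    from_dom = extract_domain(from_header)
    if not from_dom:
        return "unparseable"
    reply_dom = extract_domain(reply_to) if reply_to else from_dom

    def is_ours(d: str) -> bool:
        return d == true_domain or d.endswith("." + true_domain)

    if is_ours(from_dom):
        # From looks like us; a Reply-To that leaves our domain is the tell.
        return "internal" if is_ours(reply_dom) else "reply-to-mismatch"

    # Compare the whole domain, and the part before the TLD so that a
    # TLD swap (example-corp.net) scores as a look-alike as well.
    whole = levenshtein(from_dom, true_domain)
    label = levenshtein(from_dom.rsplit(".", 1)[0], true_domain.rsplit(".", 1)[0])
    if min(whole, label) <= max_distance:
        return "lookalike"
    return "external"


def triage(messages):
    """messages: iterable of (From, Reply-To) pairs -> list of verdicts
    for everything that is not plainly internal or plainly external."""
    flagged = []
    for from_hdr, reply_hdr in messages:
        verdict = classify_sender(from_hdr, reply_hdr)
        if verdict not in ("internal", "external"):
            flagged.append((from_hdr, verdict))
    return flagged


# Constructed sample headers, not real traffic.
SAMPLE_MESSAGES = [
    ("CEO <ceo@example-corp.com>", ""),                 # genuine internal mail
    ("CEO <ceo@exampIe-corp.com>", ""),                 # capital I for lowercase l
    ("CEO <ceo@example-corp.co>", ""),                  # dropped letter
    ("CEO <ceo@example-corp.net>", ""),                 # TLD swap
    ("CEO <ceo@example-corp.com>", "ceo@webmail.test"), # spoofed From, foreign Reply-To
    ("Vendor <ap@totally-different.org>", ""),          # ordinary external mail
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_MESSAGES):
        print(f"{verdict:18s} {sender}")
```

This does not catch a message whose From is the exact real domain with no Reply-To tell; that case is the job of SPF, DKIM and DMARC enforcement on the receiving side, and of the out-of-band phone verification described below, not of a string comparison.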

Why worse than ransomware?

Normally the ransom is about 500 bucks. The FBI's numbers, however, put the average loss for a BEC victim at a whopping $100,000, and some are much higher: earlier this month, tech firm Ubiquiti Networks disclosed in a quarterly financial report that it took a $46.7 million hit from a BEC scam.

We have noticed that this scam is filtering down to the consumer level. People who are in the process of buying a house and need to transfer a sizable down payment receive an email that appears to come from their lawyer or realtor, instructing them to wire the down payment to a certain bank account. When they call the next day to check whether the money has arrived, the lawyer tells them no transfer request was ever sent, but the money is gone. The same scam is run with spoofed emails from financial brokers.

What you can do about it:

  1. Alert all your employees, from the board level down to the mail room. These scams are getting more sophisticated by the month, so be on the lookout. 
  2. Grab this Social Engineering Red Flags PDF (it's free), print and laminate it, and give it to everyone.
  3. Have a dual-step process in place for bank wires: every transfer request is verified by phone with a trusted party, using a number you already have on file, never one supplied in the email that made the request.

Send this email to all your users, friends and family. Feel free to copy/paste/edit:

Criminals on the Internet have cooked up a new scam. They get you to click on a phishing link, then quietly watch what happens on your computer. Specifically, they monitor your email. When it looks like your CEO is out of town, the bad guys send emails that look like they come from the CEO, with urgent requests to wire a large amount of money. Organizations that were tricked by this have lost hundreds of thousands of dollars. 

Recently, this scam has filtered down to the consumer level. The FBI calls this Email Account Compromise (EAC). At this very moment, bad guys could be reading your email and patiently waiting until the time is right. Be very careful when you make any large bank transfer, for instance when buying a house or putting money into investment accounts. ALWAYS, ALWAYS, ALWAYS initiate contact with the other party by phone yourself and verify that the transfer instructions are correct before you send the money.

Obviously, all your employees need to be stepped through effective security awareness training to keep social engineering attacks like this from getting through. Find out how affordable this is for your organization today.



Topics: Phishing, CEO Fraud
