The FBI’s IC3 unit is warning that email swindling scams, known as business email compromise, have now conned businesses and individuals into wiring $12.5 billion to scammer accounts in the last five years.
According to IC3, the value of reported losses to BEC scams has more than doubled between December 2016 and May 2018, and they’re happening to victims in all 50 states in the US and in 150 countries.
Now IC3 is calling BEC — where fraudsters study a target and compromise the email accounts of CEOs or finance administrators to orchestrate misdirected transfers — a “12 billion dollar scam”. That’s still smaller than some estimates of the cost of cybercrime to consumers, which Symantec said in 2017 reached $172 billion.
The new figures nonetheless mark a massive increase on IC3’s November 2017 BEC update, where it reported total worldwide “exposed losses” at $5.3 billion and 40,203 victims in the US and abroad.
Exposed losses include actual and attempted scams in the US, so actual losses may be smaller assuming all instances of BEC fraud are known to the FBI.
“Last week’s FBI announcement that business email compromise attacks have resulted in more than $12.5 billion in losses worldwide shines a necessary light on the real-world financial impact that email fraud and account compromise can have on organizations,” Tim Bentley, vice president of Proofpoint APJ, told CSO Online.
“These new figures compound our recent research findings that email fraud attacks hit more than 90% of organizations in the first three months of this year and the total number rose 103% year-over-year. While these numbers are substantial, it’s worth noting that many cyberattack incidents of this nature are either underreported or unreported each year.”
The $12 billion in exposed losses is based on BEC complaints to law enforcement and reports from financial institutions made between October 2013 and May 2018. Domestic and international complaints about BEC have climbed to 78,617.
Losses reported directly by victims of BEC fraud were significantly lower, but represent a massive windfall for BEC perpetrators. Between June 2016 and May 18, victims reported to IC3 that BEC fraudsters conned them into sending $1.6 billion to 19,335 accounts. There were also 11,452 fraudsters outside the US who received $1.7 billion.
Some of those fraudsters were arrested in June following a six-month investigation by the FBI, which netted 42 alleged BEC fraudsters in the US, 29 in Nigeria, and three in Canada, Mauritius and Poland.
BEC scammers have shown a preference for real estate businesses, which may make sense given the larger amounts of funds being transferred in a property transaction and the number of parties involved, including the real estate agents, lawyers, title companies, and buyers and sellers.
The scam is simple. After the fraudster compromises one of the parties’ accounts, the victim receives an email request to transfer the money to the fraudster’s account, often in the US but primarily to accounts at Chinese and Hong Kong banks. After receiving the funds in US accounts, the fraudster quickly withdraws the money from ATMs and then shuts the account to frustrate investigations.
US-based money mules are often recruited to participate in real estate BEC fraud by opening their own accounts for receiving BEC funds. Surprisingly, they’re often recruited through romance scams.
“Based on victim complaint data, BEC/EAC scams targeting the real estate sector are on the rise. From calendar year 2015 to calendar year 2017, there was over an 1100% rise in the number of BEC/EAC victims reporting the real estate transaction angle and an almost 2200% rise in the reported monetary loss. May 2018 reported the highest number of BEC/EAC real estate victims since 2015, and September 2017 reported the highest victim loss.”
“Email has become a top attack vector for BEC/EAC attackers because it is a much more effective, easier path for them to navigate than hacking into a targeted organization’s infrastructure,” said Bentley.
“No matter what an organization’s security architecture looks like, attackers are adept at using two of the most powerful information tools of our era—LinkedIn and Google—to conduct reconnaissance on potential individuals to target. Exploiting the email communication channel through highly personalized, social engineering messages allows them to easily impersonate a trusted employee or partner.”
The FBI offers several pieces of advice to help real-estate parties identify a BEC scam in the making. It recommends all parties verify any request for a change in payment type or location, for example changes from check to a wire transfer.
It also advises real-estate agents against revealing email addresses in real-estate listings, which could give a BEC fraudster vital details to begin the con. One of the largest known local BEC affairs resulted in Brisbane City Council wiring $450,000 in 9 payments to an account it believed belonged to a supplier.
BEC fraud is also a growing threat to Australian business. Australian Criminal Intelligence Commission (ACIC) reported last August
Real-estate agents also need to be wary of phone calls from imposters seeking personal information for supposed verification purposes.
“Financial institutions report phone calls acknowledging a change in payment type and/or location. Some victims report they were unable to distinguish the fraudulent phone conversation from legitimate conversations. One way to counteract this fraudulent activity is to establish code phrases that would only be known to the two legitimate parties,” IC3 notes.