The FBI's Internet Crime Complaint Center (IC3) has released an update to 2019's PSA (I-091019-PSA) regarding Business Email Compromise/Email Account Compromise (BEC/EAC).
BEC/EAC is a scam that targets individuals who have permission to perform transfer-of-funds requests, whether for their accounts or those of an organization.
BEC/EAC is also used for stealing personally identifiable information (PII), cryptocurrency, and other sensitive data.
BEC/EAC is usually carried out via social engineering, such as phishing emails, or compromised networks, and email accounts. The scam has grown in popularity since the Covid-19 pandemic because employees have had to perform these same duties from their home networks, which are inherently less secure.
Between July 2019 and December 2021, there has been a 65% increase in identified global exposed losses, which includes both actual and attempted losses in U.S. dollars.
BEC has been reported in all 50 states in the U.S. and 177 countries, with 2021's data showing banks in Thailand and Hong Kong at the top of the list for receiving funds. Previously in the top two, China has now fallen to third, followed by Mexico and Singapore.
IC3 has tracked two types of BEC ( Direct transfer and Second Hop) using cryptocurrency. There has been an increased number of complaints to IC3 involving cryptocurrency. Cryptocurrency is an entirely virtual form of payment, meaning it lends itself to anonymity, speedy transactions, and popularity with criminals.
Cryptocurrency wasn't reported as part of BEC scams specifically until 2018. In 2021, reports showed the highest numbers to date, with just over $40 million in exposed losses. IC3 expects these numbers to grow as time goes on.
According to reports to IC3, law enforcement, and information derived from financial institutions, between June 2016 and December 2021:
Information gathered from victim complaints to IC3 between October 2013 and December 2021:
Information gathered from victim complaints to IC3 between June 2016 and December 2021:
If you are a victim of a fraud incident, call your financial institution and request and recall of funds. If any amount is lost, file a complaint with IC3 at www.ic3.gov as soon as possible. BEC/EAC victims can use www.BEC.ic3.gov.