Two Types of Business Email Compromise: What the FBI Wants You to Know

Updated 07/27/2022

The FBI's Internet Crime Complaint Center (IC3) has released an update to its 2019 public service announcement (I-091019-PSA) on Business Email Compromise/Email Account Compromise (BEC/EAC).

Overview

BEC/EAC is a scam that targets people who are authorized to make or approve transfers of funds, whether from their own accounts or on behalf of an organization.

BEC/EAC is also used for stealing personally identifiable information (PII), cryptocurrency, and other sensitive data.

BEC/EAC is usually carried out through social engineering (for example, phishing emails) or through compromised networks and email accounts. The scam has grown since the Covid-19 pandemic, as more employees now handle these same duties remotely from home networks, which are typically less well protected than a corporate office.

Between July 2019 and December 2021, identified global exposed loss rose by 65%. Exposed loss counts both actual and attempted losses, in U.S. dollars.

BEC has been reported in all 50 states in the U.S. and 177 countries, with 2021's data showing banks in Thailand and Hong Kong at the top of the list for receiving funds. Previously in the top two, China has now fallen to third, followed by Mexico and Singapore.

Two Types of BEC

IC3 has tracked two types of BEC that use cryptocurrency (direct transfer and second hop), and complaints to IC3 involving cryptocurrency have increased. Cryptocurrency is an entirely virtual form of payment: transactions are fast, hard to reverse, and only pseudonymous, which makes it popular with criminals.

  1. Direct transfer follows the traditional BEC pattern. The scammer sets up a cryptocurrency wallet ahead of time to receive funds, then sends altered payment instructions to the victim, who unknowingly sends the payment to the scammer's account at a cryptocurrency exchange.
  2. Second Hop takes advantage of victims of other cons in which PII was handed over, such as extortion scams, tech support scams, or romance scams.

    The criminal uses the PII from the first victim to open a cryptocurrency wallet in that victim's name. Altered payment instructions are then sent to a second victim, and victim #2 sends money to victim #1. Once the money arrives, victim #1 deposits it into that wallet, from which the criminal withdraws it.

Cryptocurrency wasn't reported as part of BEC scams specifically until 2018. In 2021, reports showed the highest numbers to date, with just over $40 million in exposed losses. IC3 expects these numbers to grow as time goes on.

Statistics

According to complaints to IC3, reports to law enforcement, and information derived from financial institutions, between June 2016 and December 2021:

  • Domestic and international incidents: 241,206
  • Domestic and international exposed dollar loss: $43,312,749,946

Information gathered from victim complaints to IC3 between October 2013 and December 2021:

  • Total U.S. victims: 116,401
  • Total U.S. exposed dollar loss: $14,762,978,290
  • Total non-U.S. victims: 5,260
  • Total non-U.S. exposed dollar loss: $1,277,131,099

Information gathered from victim complaints to IC3 between June 2016 and December 2021:

  • Total U.S. financial recipients: 59,324
  • Total U.S. financial recipient exposed dollar loss: $9,153,274,323
  • Total non-U.S. financial recipients: 19,731
  • Total non-U.S. financial recipient exposed dollar loss: $7,859,268,158

Recommendations:

  • Use two-factor authentication, and confirm any request to change account or payment details through a secondary channel (for example, a phone call to a number already on file, not one supplied in the email).
  • Check the URLs in emails and make sure they belong to the business the message claims to be from.
  • Misspelled domain names in hyperlinks are a red flag.
  • Never provide PII or login credentials via email.
  • Verify that the sender's actual email address matches the name and organization it displays.
  • Configure employee mail clients to show the sender's full email address, not just the display name.
  • Monitor your financial accounts for irregularities.
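The sender and link checks in the list above can be automated as a triage step on incoming mail. The script below is an added example written for this article, not code from IC3 or the FBI. It assumes a short, constructed list of trusted vendor domains and two constructed sample messages, and it flags a display name that impersonates a trusted address while the real sender is elsewhere, sender and link domains that typosquat or embed a trusted domain, and an anchor whose visible text names one domain while its href points to another. The Reply-To check goes beyond the list's literal wording; it is a standard BEC indicator added here.

```python
"""Sender and link checks for suspected BEC mail.

Added example for this article, not IC3 or FBI code. TRUSTED_DOMAINS and
both sample messages are constructed; the Reply-To check is an added
indicator not stated in the recommendations list.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed: domains the organization legitimately exchanges payment
# details with. In practice this would come from the vendor master record.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}

URL_RE = re.compile(r'https?://[^\s<"\']+', re.I)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is
    trusted or unrelated. Catches typosquats within two edits (exarnple.com)
    and a trusted name buried in a longer host (example.com.secure-login.net)."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2 or trusted in domain:
            return trusted
    return None


def domain_of_address(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def domain_of_url(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def first_address(header):
    """(display_name, addr_spec) of an address header, or ('', '') if absent."""
    if header is None or not header.addresses:
        return "", ""
    mailbox = header.addresses[0]
    return mailbox.display_name, mailbox.addr_spec.lower()


def check_message(raw: bytes) -> list:
    """Return (kind, detail) findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    display_name, from_addr = first_address(msg["From"])
    from_domain = domain_of_address(from_addr)

    # Display name that itself looks like a trusted address: all a user sees
    # when the mail client hides the real address.
    m = ADDR_IN_NAME_RE.search(display_name)
    if m and m.group(1).lower() in TRUSTED_DOMAINS and from_domain not in TRUSTED_DOMAINS:
        findings.append(("display-name", f"name shows {m.group(1)}, real sender is {from_addr}"))

    target = lookalike_of(from_domain)
    if target:
        findings.append(("lookalike-sender", f"{from_domain} resembles {target}"))

    # Replies silently diverted to a domain other than the sender's.
    _, reply_addr = first_address(msg["Reply-To"])
    reply_domain = domain_of_address(reply_addr)
    if reply_addr and reply_domain != from_domain:
        findings.append(("reply-to", f"{reply_addr} differs from sender domain {from_domain}"))
        target = lookalike_of(reply_domain)
        if target:
            findings.append(("lookalike-reply-to", f"{reply_domain} resembles {target}"))

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Any URL in the body, bare or inside an href, whose host imitates a trusted domain.
    for d in sorted({domain_of_url(u) for u in URL_RE.findall(text)}):
        target = lookalike_of(d)
        if target:
            findings.append(("lookalike-link", f"{d} resembles {target}"))

    # Anchor whose visible text names one domain while the href goes elsewhere.
    for href, label in ANCHOR_RE.findall(text):
        shown = URL_RE.findall(label)
        if shown and domain_of_url(shown[0]) != domain_of_url(href):
            findings.append(("link-mismatch",
                             f"text shows {domain_of_url(shown[0])}, href is {domain_of_url(href)}"))
    return findings


# Constructed: a forged change of wire details in the direct-transfer pattern.
SUSPICIOUS = b"""From: "Pat Lee <pat.lee@example.com>" <pat.lee.cfo@mail-example.net>
Reply-To: accounts@exarnple.com
To: ap@example.com
Subject: Updated wire instructions
Content-Type: text/html; charset=utf-8

<p>Our bank details changed. Confirm the new account at
<a href="https://example.com.secure-login.net/confirm">https://example.com/confirm</a>
before releasing payment.</p>
"""

# Constructed: a routine invoice from the real vendor domain.
LEGITIMATE = b"""From: Pat Lee <pat.lee@example.com>
To: ap@example.com
Subject: Invoice 4471
Content-Type: text/plain; charset=utf-8

Invoice 4471 attached. Portal: https://example.com/invoices/4471
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(name, check_message(raw) or "no findings")
```

Run as written, the forged message produces five findings (impersonating display name, diverted Reply-To at a typosquat domain, a link whose host embeds the trusted domain, and a label/href mismatch) and the routine invoice produces none. These heuristics are a triage aid only: the control the FBI puts first, confirming any change in payment details over a separate channel, still has to happen before money moves.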

If you are the victim of a fraudulent transfer, contact your financial institution immediately and request a recall of the funds. Whether or not money was lost, file a complaint with IC3 at www.ic3.gov as soon as possible. BEC/EAC victims can also use www.BEC.ic3.gov.

References:

  1. Internet Crime Complaint Center (IC3) | Business Email Compromise: The $43 Billion Scam