
#1 Internet Crime with the Highest Losses? Business Email Compromise

Posted: Dec 17, 2019 | Author: Justin Lutes, AAP, NCP

In 2018, the FBI’s Internet Crime Complaint Center (IC3) received 20,373 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints with adjusted losses of more than $1.2 billion. This was the largest IC3-reported loss category by $900 million, and the number of complaints and loss amounts have been increasing each year.

What is Business Email Compromise and Email Account Compromise?

BEC/EAC is a scam that targets both businesses and individuals performing wire transfer payments. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Initial BEC/EAC scams involved hacking or spoofing the email accounts of chief executive officers or chief financial officers. Fraudulent emails requested wire payments be sent to fraudulent locations. The scam has continued to evolve, resulting in compromised personal and vendor emails, spoofed lawyer emails, requests for W-2 information and targeting of the real estate sector.

In 2018, the IC3 received an increase in the number of BEC/EAC complaints requesting victims purchase gift cards. The victims received a spoofed email, a spoofed phone call or a spoofed text from a person in authority, requesting the victim purchase multiple gift cards for either personal or business reasons.

While the specifics vary from case to case, there are five main scenarios for this scam:

  1. Business Working with a Supplier – a business that has a longstanding relationship with a supplier is asked to wire funds for an invoice payment to an alternate, fraudulent account.
  2. Business Executive Receiving or Initiating a Request for a Wire Transfer – a request for a wire transfer is spoofed from a high-level business executive to a second employee within the company who is typically responsible for processing these requests.
  3. Business Contacts Receiving Fraudulent Correspondence through Compromised Email – requests for invoice payments to a fraudster-controlled bank account are sent from an employee’s spoofed or hacked personal email to vendors identified from the employee’s contact list.
  4. Business Executive and Attorney Impersonation – fraudsters identify themselves as representatives of law firms and claim to be handling confidential or time-sensitive matters and request a transfer of funds.
  5. Data Theft – fraudulent requests are sent using a business executive’s compromised email to HR, bookkeeping or auditing asking for W-2 forms or personally identifiable information (PII).

What can be done?

The FBI offers a few tips to avoid becoming a victim:

  • Be suspicious of requests for secrecy or to take action quickly
  • Always confirm wire requests, and if the request is made by email, confirm with the person making the request via a channel other than email
  • Exercise caution with a sudden change in business practices, such as a request to send a wire to a personal email instead of the usual business email address
  • Scrutinize all email requests for anything out of the ordinary, such as a new vendor payment location
  • Do not feel pressured to send a wire

One thing is certain. BEC/EAC will continue to take different shapes, as scammers become more sophisticated. Businesses with an increased awareness and understanding of the scam are more likely to recognize when they have been targeted by fraudsters and to avoid falling victim by sending them payments. Businesses that deploy robust internal prevention techniques at all levels – especially for front line employees who may be the recipients of initial phishing attempts – have proven highly successful in recognizing and deflecting BEC/EAC attempts.

See the full IC3 2018 Internet Crime Report here.
