The FBI’s Internet Crime Complaint Center (IC3) this week said the scourge it calls the Business Email Compromise continues to rack-up victims and money – over $3 billion in losses so far.
+More on Network World: FBI/FTC: Watch those e-mails from your “CEO”+
The BEC scam is typically carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds, the IC3 stated.
The impact of the scam is detailed in the IC3 stats released this week including:
- Since January 2015, there has been a 1,300% increase in identified losses.
- Domestic and international victims: 14,302 in US; 22,143 worldwide
- Combined dollar loss: $960,708,616 in US; $3,086,250,090 worldwide.
- Victims continue to deal in a wide variety of goods and services, indicating a specific sector does not seem to be targeted.
The IC3 said that the latest variant of the scam goes like this: “Fraudulent requests are sent utilizing a business executive’s compromised e-mail. The entity in the business organization responsible for W-2s or maintaining PII, such as the human resources department, bookkeeping, or auditing section, have frequently been identified as the targeted recipient of the fraudulent request for W-2 and/or PII. Some of these incidents are isolated and some occur prior to a fraudulent wire transfer request. Victims report they have fallen for this new BEC scenario, even if they were able to successfully identify and avoid the traditional BEC incident. The data theft scenario of the BEC first appeared just prior to the 2016 tax season.”
The IC3 reported typical characteristics of BEC complaints include:
- Businesses and associated personnel using open source e-mail accounts are predominantly targeted.
- Individuals responsible for handling wire transfers within a specific business are targeted.
- Spoofed e-mails very closely mimic a legitimate e-mail request.
- Hacked e-mails often occur with a personal e-mail account.
- Fraudulent e-mail requests for a wire transfer are well worded, specific to the business being victimized, and do not raise suspicions to the legitimacy of the request.
- The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests.
- The amount of the fraudulent wire transfer request is business-specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
- Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were spoofed.
- Victims report that IP addresses frequently trace back to free domain registrars.
Check out these other hot stories: