Business Email Compromise continues to be one of the worst scams, with the FBI citing nearly 20,000 complaints with almost $2.5 billion in company losses in 2021 in the U.S.
Business Email Compromise is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. New variations involve attempts to steal personally identifiable information or employees’ wage and tax statement forms.
The latest iteration of the Business Email Compromise scam is targeting the real estate sector, including title companies, law firms, real estate agents, buyers, and sellers. Often, a “spoofed” email will be sent or received on behalf of one of the real estate transaction participants with instructions directing the email recipient to change the payment beneficiary information, usually via a wire transfer. Once the wire transfer is sent, the funds are quickly depleted through multiple means, making recovery very difficult.
All businesses may become victims of a Business Email Compromise. There are steps you can take to protect yourself.
- If you receive an email requesting account information or a wire transfer, even if it appears to be an internal or trusted email, speak to the email sender and/or the intended beneficiary over the phone (using a known number, not the phone number in the email) or in person/via video to verbally confirm the request, before replying or clicking on any attachments.
- When confirming the request, confirm the payment instructions as well as the legitimacy of the request. Verify all information is correct before taking any action.
- If the request is not legitimate, contact your IT department or an IT professional and be prepared to change passwords and login information. Request a full scan of your computer systems to search for any spyware or malware on your system.
- File a complaint on the FBI’s Internet Crime Complaint Center, ic3.gov
- Create intrusion detection systems that flag the following:
- Email extensions that are similar to your company’s email. (e.g., legitimate email extension of @abc-company.com would flag fraudulent email extension of @abc_company.com).
- Communications where the “Reply to” email address is different from the “from” email address shown.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
Alerts & Notifications
The FBI has released various public service announcements to provide new information and statistical data related to business email compromise scams. The updated PSAs detail new data theft scenarios employed by fraudsters that target departments responsible for maintaining tax and personally identifiable information, such as human resources, bookkeeping or audit.
The PSA provides an overview of the complaints submitted to the FBI’s Internet Crime Complaint Center, provides tips for mitigating the risk of BEC and outlines steps businesses can take if they fall victim to this type of scam.
Listing of additional Alerts & Notifications published:
- FS-ISAC Fraud Alert: Business Email Compromise
- The fraudulent wire payments sent to foreign banks may be transferred several times but are quickly disbursed. Asian banks, located in China and Hong Kong, are the commonly reported ending destination for these fraudulent transfers. BEC is a global scam with subjects and victims in many countries. The FBI has received related complaints from every U.S. state.