Business Email Compromise is one of the fastest growing scams, with the FBI citing that global losses had exceeded $12.5 billion as of July 2018, with over 41,000 victims in the United States.
Business Email Compromise is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. New variations involve attempts to steal personally identifiable information or employees’ wage and tax statement forms.
The latest iteration of the Business Email Compromise scam is targeting the real estate sector, including title companies, law firms, real estate agents, buyers, and sellers. Often, a “spoofed” email will be sent or received on behalf of one of the real estate transaction participants with instructions directing the email recipient to change the payment beneficiary information, usually via a wire transfer. Once the wire transfer is sent, the funds are quickly depleted through multiple means, making recovery very difficult. The FBI reports that from 2015 to 2017, there was an 1,100% increase in reports of these crimes involving a real estate angle.
All businesses may become victims of a Business Email Compromise. There are steps you can take to protect yourself.
- If you receive an email requesting account information or a wire transfer, even if it appears to be an internal or trusted email, speak to the email sender over the phone (using a known number, not the phone number in the email) or in person to verbally confirm the request, before replying or clicking on any attachments.
- When confirming the request, confirm the payment instructions as well as the legitimacy of the request. Verify all information is correct before taking any action.
- If the request is not legitimate, contact your IT department or an IT professional and be prepared to change passwords and login information. Request a full scan of your computer systems to search for any spyware or malware on your system.
- File a complaint with the FBI’s Internet Crime Complaint Center, ic3.gov.
- Create intrusion detection systems that flag the following:
  - Email extensions that are similar to your company’s email extension (e.g., a legitimate email extension of @abc-company.com would flag a fraudulent email extension of @abc_company.com).
  - Communications where the “Reply to” email address is different from the “from” email address shown.
- Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
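The two flagging rules in the list above can be sketched as a mail-filter check. This is an added example, not code from the FBI or the original page; the function names, the edit-distance threshold of 2 and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "abc-company.com"  # the example domain used in the list above

# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed": ("From: CFO <cfo@abc_company.com>\nReply-To: cfo@mail.example\n"
                "Subject: Wire\n\nPlease update the beneficiary."),
    "clean": "From: CFO <cfo@abc-company.com>\nSubject: Lunch\n\nNoon?",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def address_of(header_value) -> str:
    """Return the lower-cased bare address from a header, or '' if absent."""
    return parseaddr(header_value or "")[1].lower()


def bec_flags(raw_message: str, company_domain: str = COMPANY_DOMAIN,
              max_distance: int = 2) -> list[str]:
    """Apply both checks to one RFC 5322 message and return the flags raised."""
    msg = message_from_string(raw_message)
    from_addr = address_of(msg.get("From"))
    reply_addr = address_of(msg.get("Reply-To"))
    from_dom = from_addr.rpartition("@")[2]
    flags = []
    # Check 1: sender domain is close to, but not the same as, the company's.
    if from_dom and from_dom != company_domain \
            and edit_distance(from_dom, company_domain) <= max_distance:
        flags.append("lookalike-domain")
    # Check 2: a Reply-To is present and differs from the From address.
    if reply_addr and reply_addr != from_addr:
        flags.append("reply-to-mismatch")
    return flags
```

Legitimate mailing lists and newsletters often set a different Reply-To, so the second flag is a signal to route the message for review rather than a verdict on its own.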
Alerts & Notifications
The FBI has released various public service announcements to provide new information and statistical data related to business email compromise scams. The updated PSAs detail new data theft scenarios employed by fraudsters that target departments responsible for maintaining tax and personally identifiable information, such as human resources, bookkeeping or audit.
The PSA provides an overview of the complaints submitted to the FBI’s Internet Crime Complaint Center, provides tips for mitigating the risk of BEC and outlines steps businesses can take if they fall victim to this type of scam.
Listing of additional Alerts & Notifications published:
- FS-ISAC Fraud Alert: Business Email Compromise
- The fraudulent wire payments sent to foreign banks may be transferred several times but are quickly disbursed. Asian banks, located in China and Hong Kong, are the commonly reported ending destination for these fraudulent transfers. BEC is a global scam with subjects and victims in many countries. The FBI has received related complaints from every U.S. state.