Business Email Compromise (BEC) is the #1 fraud targeting businesses in the United States and worldwide. The FBI advises that this fraud increases each year and now exceeds $1 billion annually.
1. The fraudster identifies a target.
2. The fraudster grooms the target through emails that arouse no suspicion.
3. The victim exchanges banking information.
4. The fraudster transfers funds from the victim to a foreign account.
Since 2013, when the FBI began tracking an emerging financial cyber threat called business e-mail compromise (BEC), organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world—from non-profits and well-known corporations to churches and school systems. Losses are in the billions of dollars and climbing.
At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented, according to law enforcement officials, and professional businesspeople continue to fall victim to the scheme.
Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals.
“BEC is a serious threat on a global scale,” said Special Agent Martin Licciardo, a veteran organized crime investigator at the FBI’s Washington Field Office. “And the criminal organizations that perpetrate these frauds are continually honing their techniques to exploit unsuspecting victims.”
Those techniques include online ploys such as spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware. The perpetrators are so practiced at their craft that the deception is often difficult to uncover until it is too late.
According to the FBI’s Internet Crime Complaint Center (IC3), “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 percent increase in identified exposed losses, now totaling over $3 billion.”
Although the perpetrators of BEC—also known as CEO impersonation—use a variety of tactics to fool their victims, a common scheme involves the criminal group gaining access to a company’s network through a spear-phishing attack and the use of malware. Undetected, they may spend weeks or months studying the organization’s vendors, billing systems, and the CEO’s style of e-mail communication and even his or her travel schedule.
When the time is right, often when the CEO is away from the office, the scammers send a bogus e-mail from the CEO to a targeted employee in the finance office—a bookkeeper, accountant, controller, or chief financial officer. A request is made for an immediate wire transfer, usually to a trusted vendor. The targeted employee believes he is sending money to a familiar account, just as he has done in the past. But the account numbers are slightly different, and the transfer of what might be tens or hundreds of thousands of dollars ends up in a different account controlled by the criminal group.
If the fraud is not discovered in time, the money is hard to recover, thanks to the criminal group’s use of laundering techniques and “money mules” worldwide that drain the funds into other accounts that are difficult to trace.
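The mismatch described above, where a wire request names an account that differs only slightly from the trusted vendor's, can be checked before funds are released. The following Python is an added example, not part of the original article or any FBI tooling; the vendor names, account numbers, `WireRequest` fields and the edit-distance threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed vendor master file: vendor name -> account number on record.
VENDOR_ACCOUNTS = {
    "Acme Supply": "4402118870",
    "Northwind Freight": "7731550924",
}


@dataclass
class WireRequest:
    vendor: str
    account: str
    verified_by_phone: bool = False  # requester confirmed in person or by phone


def normalize(account: str) -> str:
    """Drop spaces and dashes so formatting differences are not flagged."""
    return "".join(ch for ch in account if ch.isalnum()).upper()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review(req: WireRequest, max_near: int = 2) -> str:
    """Return 'release', 'hold-lookalike' or 'hold-unverified'."""
    on_file = VENDOR_ACCOUNTS.get(req.vendor)
    account = normalize(req.account)
    if on_file is not None and account == normalize(on_file):
        return "release"  # matches the account already on record
    if req.verified_by_phone:
        return "release"  # changed or new account, confirmed out of band
    if on_file is not None and edit_distance(account, normalize(on_file)) <= max_near:
        return "hold-lookalike"  # near-miss of a known account number
    return "hold-unverified"  # unknown vendor or unrelated account, unconfirmed
```

A `hold-lookalike` result deserves the most scrutiny, because an account one or two characters away from the record is easy for a busy employee to read as the familiar one.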
“The ability of these criminal groups to compromise legitimate business e-mail accounts is staggering,” Licciardo said. “They are experts at deception. The FBI takes the BEC threat very seriously,” he added, “and we are working with our international partners to identify these perpetrators and dismantle their organizations.”
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”
Martin Licciardo, special agent, FBI Washington Field Office