BEC Scams

The Federal Bureau of Investigation (FBI) Internet Crime Report says that Business Email Compromise (BEC) attacks caused domestic and international losses of over $43 billion.

The FBI’s Internet Crime Complaint Center (IC3) states that “In the year 2021, [the IC3] received 19,954 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.”

Business Email Compromise (BEC) Scam

BEC is a complicated scam targeting both businesses and individuals performing transfers of funds. It is carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to carry out unauthorized transfers of funds.

The technique has evolved beyond the simple hacking or spoofing of business and personal email accounts followed by a request to send wire payments to fraudulent bank accounts.

According to the FBI report, “At present fraudsters are using virtual meeting platforms to hack emails and spoof business leaders’ credentials to initiate the fraudulent wire transfers”.

These fraudulent wire transfers are instantly transferred to cryptocurrency wallets and quickly dispersed, making recovery efforts more difficult.

IC3 Recovery Asset Team

The Internet Crime Complaint Center’s Recovery Asset Team (RAT) was established to streamline communication with financial institutions and help FBI field offices with the freezing of funds.

RAT Process

RAT Functions

Reported BEC/EAC Scams of the Year 2021

Victims Loss

BEC and Cryptocurrency

The IC3 tracked two iterations of the BEC scam where cryptocurrency was used by criminals: a direct transfer to a cryptocurrency exchange (CE) or a “second hop” transfer to a CE. In both cases, the victim is unaware that the funds are being sent to be converted to cryptocurrency.

Suggestions for Protection

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Make sure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying log-in credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
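The sender-address and misspelled-domain checks in the list above can be partly automated at the mail gateway or in a triage script. The following is an added example, not code from the FBI report or from this article; the trusted-domain list, the edit-distance threshold of 2, and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation really deals with (constructed values).
TRUSTED_DOMAINS = ("example.com", "examplebank.com")

def edit_distance(a, b):  # Levenshtein distance between two strings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Trusted domain that `host` nearly spells, else None (last two labels compared)."""
    domain = ".".join(host.lower().rstrip(".").split(".")[-2:])
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), None)

def review_message(raw):
    """Return a list of findings for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if (hit := lookalike_of(from_dom)):
        findings.append(f"sender domain {from_dom} resembles {hit}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for host in re.findall(r"https?://([A-Za-z0-9.-]+)", body):
        if (hit := lookalike_of(host)):
            findings.append(f"link host {host} resembles {hit}")
    return findings

# Constructed sample message, not taken from a real incident.
SAMPLE = """\
From: "Accounts Payable" <ap@examp1e.com>
Reply-To: ap.example@mailbox.test
Subject: Updated bank details

Please confirm the new account at https://portal.exampIebank.com/update
"""

if __name__ == "__main__":
    print(*review_message(SAMPLE), sep="\n")
```

A flag from this check is a prompt to verify the request through a secondary channel, as the first suggestion in the list says, not proof of fraud on its own.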


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.