BBB Study Examines Risk to Businesses from Business Email Compromise Scams


An in-depth investigative study by Better Business Bureau (BBB) finds that business email compromise scams are skyrocketing in frequency and have cost businesses and other organizations more than $3 billion since 2016.

Business email compromise fraud is an email phishing scam that typically targets employees who pay bills in businesses, government, and nonprofit organizations. It affects both big and small organizations, and it has resulted in more losses than any other type of fraud in the U.S., according to the Federal Bureau of Investigation (FBI).

The investigative study – “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise Scams (BEC)” – looks at the prevalence of BEC scams and the criminal systems that perpetrate them. It digs into the scope of the problem, who is behind it, the multi-pronged fight to stop it, and the steps that can be taken to avoid it.

BEC fraud takes many forms. The scammer poses as a reliable source who sends an email from a spoofed or hacked account to an accountant or chief financial officer (CFO) asking them to wire money, buy gift cards or send personal information. If payment is sent, then money goes into an account controlled by the con artist.

The FBI recognizes at least six types of activity as BEC or email account compromise (EAC) fraud. BEC and EAC differ based on who appears to be the email sender – a chief executive officer (CEO) asking the CFO to wire money to someone, a vendor or supplier requesting a change in invoice payment, executives requesting copies of employee tax information, senior employees seeking to have their pay deposited into a new bank account, or an employer or clergyman asking the recipient to buy gift cards on their behalf. It can even be a realtor or title company redirecting proceeds from a real estate sale into a new account. These targeted email phishing scams are sometimes called “spear phishing.”

This serious and growing fraud has tripled over the last three years, jumping 50% in the first three months of 2018 compared to the same period in 2017. In 2018, 80% of businesses received at least one of these emails. From 2016 through May 2019, the Internet Crime Complaint Center (IC3) received 58,571 complaints on BEC fraud, with reported losses in the U.S. totaling $3.1 billion. BBB’s report finds that the average BEC loss involving wire transfers is $35,000, while the average loss involving gift cards is $1,000 to $2,000. However, the cost to businesses can be much higher: Google and Facebook lost more than $100 million to BEC fraud before the perpetrator was arrested in 2017.

In August, the Virginia State Police (VSP) was able to recover just over half of the $600,000 stolen from Spotsylvania County by a BEC scheme. District officials were victimized by a fake invoice sent to the school district requesting payment for a new turf field installed at Courtland High School. Partial payment was sent for the $1.2 million job but never delivered to the company that performed the work. VSP and multiple law enforcement agencies worked together to track down deposits in multiple banks, resulting in the return of $347,000 to the district later that month. The investigation is ongoing; currently, no arrests have been made.

According to BBB’s report, the majority of defendants who have been arrested or charged for BEC fraud in the U.S. over the last three years are of Nigerian origin. The report says 90% of BEC groups operate out of Nigeria, with other Nigerian fraud groups operating from the U.S., Canada and many other countries around the world.

In breaking down the anatomy of a BEC scam, the report notes three things a fraud gang needs. First, it needs the names of people within an organization, their job functions, and their email usernames and passwords, often obtained with illicit open source tools, free trials, or lead generation services. Second, it must send emails directly to those people, impersonating a trusted superior or partner and asking for money, which it can do with a fake email address or domain name or by hacking a real person’s email account. Third, it needs a way to obtain the money sent by victims, often via money mules, as detailed in a February 2019 BBB study about romance scam victims who become money mules.

Local accredited and non-accredited businesses in Western Virginia have been subject to these BEC schemes. Julie Wheeler, the President and CEO of the Better Business Bureau Serving Western Virginia, stresses the importance of local businesses prioritizing cybersecurity and not becoming a target due to lack of vigilance. Effective spam filtering and employee security awareness training can identify the majority of phishing attempts.

Branch and Associates, based in Roanoke, Virginia, discovered the importance of cybersecurity after a client fell victim to a spear-phishing scheme. Cabarrus County hired The Branch Group as a contractor for the construction of West Cabarrus High, a new school for the district. A phishing email from an address closely resembling that of a Branch worker was sent to a county employee, claiming that Branch and Associates had changed its bank account details and requesting that future payments on the school construction project be sent to the new bank account. The result was a costly $1.7 million loss.
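A defender-side check for the impersonation pattern in the cases above (a sender address that imitates a trusted vendor's or an executive's identity, combined with a request to change bank details or buy gift cards), added here as an example and not taken from the BBB report; every domain, name, and message in it is constructed.

```python
"""Added example (not the BBB report's code): flag the BEC tells described above. All data is constructed."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical organisation data; load from the directory and vendor master in practice.
OWN_DOMAIN = "example-county.gov"
KNOWN_VENDOR_DOMAINS = {"branch-contractor.example"}
EXECUTIVES = {"jane doe"}  # lower-cased display names scammers like to borrow
BANK_CHANGE = re.compile(r"(new|updated|changed).{0,40}(bank|account|wire|routing)", re.I | re.S)
GIFT_CARDS = re.compile(r"gift\s*cards?", re.I)

def normalize(domain):
    """Collapse common look-alike substitutions so 'c0ntractor' equals 'contractor'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""), (".", "")):
        d = d.replace(fake, real)
    return d

def is_lookalike(sender_domain, trusted_domains):
    """True when sender_domain imitates, but is not exactly, a trusted domain."""
    sender = sender_domain.lower()
    if sender in {t.lower() for t in trusted_domains}:
        return False
    return any(normalize(sender) == normalize(t)
               or SequenceMatcher(None, normalize(sender), normalize(t)).ratio() >= 0.8
               for t in trusted_domains)

def assess(message):
    """Return the BEC indicators found in {'from': ..., 'body': ...}; empty list means clean."""
    name, addr = parseaddr(message["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if is_lookalike(domain, {OWN_DOMAIN} | KNOWN_VENDOR_DOMAINS):
        reasons.append(f"sender domain {domain} imitates a trusted domain")
    if name.lower() in EXECUTIVES and domain != OWN_DOMAIN:
        reasons.append(f"display name {name!r} matches an executive but the address is external")
    if BANK_CHANGE.search(message["body"]):
        reasons.append("asks to change payment details; confirm by phone before paying")
    if GIFT_CARDS.search(message["body"]):
        reasons.append("asks for gift cards")
    return reasons

# Constructed samples: genuine vendor invoice, vendor-impersonation bank change, CEO gift-card ask.
SAMPLES = [
    {"from": "AP Team <ap@branch-contractor.example>", "body": "Invoice 1042 attached, terms net 30."},
    {"from": "AP Team <ap@branch-c0ntractor.example>",
     "body": "We have changed our bank account; please send future payments to the new account."},
    {"from": "Jane Doe <jane.doe@mail.example>", "body": "Are you at your desk? I need gift cards urgently."},
]
```

Running `assess` over each entry in `SAMPLES` leaves the genuine invoice clean and attaches two indicators to each of the impersonation messages; any flagged request should be confirmed by phone with a known-good number before payment.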

Active efforts are being made to fight BEC fraud. On August 22, 2019, 80 defendants, believed to be responsible for at least $6 million in losses, were indicted in Los Angeles for BEC fraud in a significant effort led by the FBI. On September 10, 2019, a worldwide law enforcement effort yielded 74 arrests for BEC-related fraud in the U.S., 167 in Nigeria and 40 in several other countries, with nearly $3.7 million in assets seized from the fraudsters. The U.S. Justice Department has brought at least 22 cases in the last three years, many as part of a collective enforcement effort dubbed “Operation Wire Wire,” named for BEC fraud’s common name among Nigerian fraudsters.

The report concludes:
• Businesses and other organizations should take technical precautions such as multifactor authentication for email logins and other changes in email settings, along with verifying changes in information about customers, employees, or vendors. The report also urges culture and training changes in organizations – namely, confirming requests by phone before acting and training all employees in internet security.
• There is a strong need for more international cooperation between law enforcement agencies.
• Email system providers should consider enabling additional features to help prevent BEC fraud, including default settings with more security.
• Law enforcement should recognize that BEC fraud gangs engage in many varieties of fraud at the same time and focus on the key actors in the scams, not just supporting actors such as money mules.

What to do if your organization has lost money to a BEC fraud:
• If an organization finds that it has been a victim of BEC fraud, it needs to immediately call its bank to stop the payment and freeze the account, and report the incident to the FBI in the U.S. or the Canadian Anti-Fraud Centre in Canada. If a report is filed within 48 hours, there is a chance the money can be recovered.
• File a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov. IC3 asks people to report unsuccessful BEC attempts as well; information from these reports may help establish patterns or identify mule bank accounts.
• Complain to the Canadian Anti-Fraud Centre: 1-888-495-8501.
• Report fraud to BBB Scam Tracker.
• View the Study or visit BBB.ORG/BECSCAMS

For more advice on fighting employment scams, please visit www.bbb.org or contact the BBB Serving Western VA at (540) 342-3455 or (800) 533-5501.