Scammers stole $1.2 billion from businesses worldwide over the past two years using a phishing scheme known as Business Email Compromise (BEC), the FBI revealed. In the United States alone, around 7,000 businesses fell victim to the scam.
This particular phishing scam targets companies that regularly make wire transfer payments overseas. The scammers either break into the email accounts of C-level executives or impersonate them. In the first variant, the scammers send the targeted executive a phishing email containing a malicious link; clicking it inadvertently downloads malware that lets the scammers steal the victim’s data. In the second, the scammer poses as the company CEO and asks an employee for a wire transfer. The request comes from a spoofed email address that looks authentic, but when the employee hits “reply,” the reply address turns out to belong to an outside user. If the employee doesn’t notice, they will likely comply and wire the money. The scammers deliberately send frantic, urgent requests right as the work day is ending, when people are more likely to transfer funds without checking. The FBI found that the fraudulent transfers went to 72 different countries, most of them to banks based in Hong Kong and China. In some cases, the wire transfers were directed to money mules inside the victim’s own country.
The criminals behind the BEC scam are sophisticated social engineers, which makes their messages harder for regular spam filters to detect. The scammers scrape employee information from the target company’s website and scan emails for keywords like “invoice” and “deposit,” which indicate that an employee has handled wire transfers for the company before. Because the scammers don’t send out mass emails, their messages slip past spam filters tuned for bulk mail. Unlike malware, which is usually caught by firewalls and antivirus software, a BEC scam can go unnoticed until the money is already gone.
American businesses from all 50 states have reported $748 million in actual and attempted losses. Another 1,113 companies from around the world reported $51 million in losses. The FBI found that 1,119 companies were targeted by the BEC scam from October 1, 2013 to December 1, 2014. The companies that fell victim to the scam lost $179 million in that time frame. The FBI’s latest research shows that BEC scam victims have increased by 270% in the past year. The scam was reported in 79 different countries.
Because employees are tricked into authorizing the transfers themselves, cyber insurance policies typically don’t cover BEC losses, which makes the scam even more costly for companies that fall victim to it. The FBI advises companies to implement detection that goes beyond a basic spam filter. Companies should set up an email rule that flags messages from lookalike domains that resemble their legitimate ones. This extra precaution can keep BEC emails out of inboxes, since spam filters are mainly looking for mass-mailed messages. It is also important to know the payment habits of customers, both the timing and the amounts. If a wire transfer request arrives in the middle of the month when it usually comes at the end, the request should be flagged until it is verified. Employees should exercise caution and verify requests for transactions before fulfilling them. Some banks even hold requests for international wire transfers until they are verified.
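As an added illustration of the mail rule described above (example code written for this article, not an EiQ or FBI tool), the following checks a raw message for three BEC indicators the article describes: a Reply-To domain that differs from the visible sender, a lookalike of the corporate domain, and an executive’s display name paired with an outside address. The corporate domain, executive list and sample messages are constructed for the example.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for this example: the company's real domain and the
# display names attackers are most likely to impersonate.
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' when there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_lookalike(domain: str, trusted: str) -> bool:
    """True when domain is not the trusted domain but spells almost the same."""
    return domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def bec_flags(raw_message: str, trusted=TRUSTED_DOMAIN, executives=EXECUTIVES) -> list:
    """Return the BEC indicators found in a message's From / Reply-To headers."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    flags = []
    # 1. Hitting "reply" would send mail to a different domain than the one shown.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    # 2. The sender's domain is a near-spelling of the real corporate domain.
    if _is_lookalike(from_dom, trusted):
        flags.append("lookalike-domain")
    # 3. The display name is a known executive but the address is external.
    if from_name.strip().lower() in executives and from_dom != trusted:
        flags.append("executive-impersonation")
    return flags


# Constructed sample messages (not real traffic).
SPOOFED_REPLY_TO = ("From: Jane Doe <jane.doe@example-corp.com>\n"
                    "Reply-To: jane.doe@mail-example.net\n"
                    "Subject: Urgent wire transfer before close of business\n\n"
                    "Please wire the attached invoice amount today.\n")
LOOKALIKE_SENDER = ("From: Jane Doe <ceo@example-c0rp.com>\n"
                    "Subject: Deposit needed\n\n"
                    "Process this payment as soon as possible.\n")
LEGITIMATE = ("From: Jane Doe <jane.doe@example-corp.com>\n"
              "Subject: Agenda\n\nSee you at 3pm.\n")

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_REPLY_TO), ("lookalike", LOOKALIKE_SENDER), ("legit", LEGITIMATE)):
        print(label, bec_flags(sample))
```

In production the same rule would run as a transport rule or milter on the mail gateway, and flagged messages would be quarantined or tagged for the verification step the article recommends.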
It is important for C-level executives and employees to know how to recognize and avoid the BEC scam. Beyond that, companies should have a cyber security solution in place to detect unauthorized malware that’s been accidentally downloaded through phishing emails. With EiQ SOCVue, companies will know that the expert EiQ SOC Team is constantly monitoring their networks for malware. EiQ’s Daily Security Snapshot emails give companies insight into security incidents, and allow for a current assessment of security controls. EiQ allows companies to keep their data and finances secure from phishing scams.
Is Your Organization Ready to Battle Cyber Attacks?
Find out with EiQ’s free, 10-question cyber security readiness assessment! Sign up now to see how prepared you are to identify threats and vulnerabilities, mitigate risks, and enable compliance.