The FBI recently announced that the amount of money lost to business email compromise (BEC) scams is increasing each year, with a 65 per cent rise in identified global exposure losses between July 2019 and December 2021.
From June 2016 to July 2019, IC3 received victim complaints about 241,206 domestic and international occurrences, totalling $43,312,749,946 in exposed cash loss.
The FBI stated, "Based on the financial data reported to the IC3 for 2021, banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021 followed by Mexico and Singapore."
This was revealed in a new public service announcement issued on the Internet Crime Complaint Center (IC3) site as an update to a prior PSA dated September 2019, in which the FBI stated victims reported losses to BEC attacks totalling more than $26 billion between June 2016 and July 2019.
About BEC scams:
BEC scams were the cybercrime type with the highest recorded overall victim losses last year, according to the IC3 2021 Internet Crime Report [PDF]. Based on 19,954 registered complaints relating to BEC attacks against individuals and businesses in 2021, victims reported losses of about $2.4 billion.
BEC scammers use a variety of techniques to infiltrate business email accounts, including social engineering, phishing, and hacking, to transfer payments to attacker-controlled bank accounts.
Small, medium and big enterprises are frequently targeted in this form of scam (also known as EAC or Email Account Compromise). Nonetheless, if the payout is high enough, they will attack individuals.
Given that they often imitate someone who has the target's trust, their success rate is also very high.
However, "the scam is not always associated with a transfer-of-funds request," as the FBI explained in the PSA alert.
"One variation involves compromising legitimate business email accounts and requesting employees' Personally Identifiable Information, Wage and Tax Statement (W-2) forms, or even cryptocurrency wallets."
The FBI also offered advice on how to protect yourself from BEC scams:
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business/individual it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying log-in credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
- Ensure the settings in employees' computers are enabled to allow full email extensions to be viewed.
- Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.