FBI issued a public service announcement regarding BECs

Aug 30, 2015 09:49 GMT

This past week, the FBI issued a public service announcement (PSA) regarding the increasing threat of business email compromise (BEC) and email account compromise (EAC).

As the FBI revealed, from October 2013 to August 2015, companies across all 50 US states and from 79 countries reported losses of $1.2 billion / €1.07 billion.

These campaigns have been on the rise, with the FBI noting 270% growth since January 2015.

Losses to Business Email Compromises (Oct 2013 - Aug 2015)
Total US victims: 7,066
Total US exposed dollar loss: $747,659,840.63
Total non-US victims: 1,113
Total non-US exposed dollar loss: $51,238,118.62
Combined victims: 8,179
Combined exposed dollar loss: $798,897,959.25
Estimated losses (including data from international law enforcement agencies) ~$1.2 billion

The FBI blames phishing campaigns and poor security measures for most of these BECs.

Back in January, the FBI presented the three most common BEC schemes.

The first one is “The Bogus Invoice Scheme,” also known as “The Supplier Swindle” or the “Invoice Modification Scheme.” In this scenario, a scammer, after compromising a company's email account, or acting by phone or fax alone, asks one of that company's business partners to send payment for an outstanding invoice to a third party controlled by the fraudsters.

The second scheme is “CEO Fraud,” also known as the “Business Executive Scam,” “Masquerading,” or “Financial Industry Wire Fraud.” It relies on attackers compromising the email account of a company executive and using it to send emails to employees in the company's accounting department, instructing them to transfer funds to the scammers' accounts.

The third scheme relies on compromising the personal email account of a company employee, which is then used to send official-looking emails to business partners asking for money transfers, in the hope that the recipients won't notice the request comes from the employee's personal address rather than their business one.

All three of these schemes are still being used by fraudsters, but the FBI is also seeing a new one, brought to its attention by victim complaints.

In this one, fraudsters contact victims via telephone, posing as lawyers or legal representatives, claiming to be handling time-pressing matters involving company employees or business partners, and requiring urgent payments.

The FBI is urging companies to protect themselves

The purpose of this PSA is to make companies understand the dangers they are exposing themselves to.

The FBI recommends that companies put a series of security and protection measures in place. Among them, it urges companies to create electronic intrusion detection systems that flag any email address that resembles the company's own.

Additionally, companies should register all domains similar to the ones they use, require two-factor authentication for any type of payment, and verify requests using known internal phone numbers rather than the numbers provided in the emails requesting the payment.
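As an added illustration of the first recommendation, the following script (not part of the FBI's PSA or this article) flags sender domains that resemble a protected company domain: same name under another TLD, look-alike character or punctuation variants, one- or two-character misspellings, and the company name embedded in a longer domain. The company domain, the substitution heuristics and the From: headers are constructed for the example.

```python
import unicodedata

COMPANY_DOMAIN = "example-corp.com"  # hypothetical protected domain (constructed)
# Substitutions fraudsters use so a registered look-alike reads like the real name.
_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(label: str) -> str:
    """Fold accents, case, punctuation and common look-alike substitutions."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for fake, real in _SWAPS:
        s = s.replace(fake, real)
    return s.replace("-", "").replace(".", "")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    # Domain from a From: value such as 'Name <user@host>' or a bare 'user@host'.
    return from_header.rsplit("@", 1)[-1].rstrip("> ").lower()

def lookalike_reason(domain: str, company: str = COMPANY_DOMAIN):
    """Why `domain` resembles `company`; None for the real domain or an unrelated one."""
    if domain == company:
        return None
    d_label, c_label = domain.rsplit(".", 1)[0], company.rsplit(".", 1)[0]
    if d_label == c_label:
        return "company name under a different top-level domain"
    nd, nc = normalize(d_label), normalize(c_label)
    if nd == nc:
        return "look-alike character or punctuation variant of the company domain"
    if levenshtein(nd, nc) <= (2 if len(nc) >= 8 else 1):
        return "near-miss spelling of the company domain"
    if nc in nd:
        return "company name embedded in a longer domain"
    return None

SAMPLE_FROM_HEADERS = [  # constructed, not real traffic: one genuine, one unrelated, three look-alikes
    "Accounts Payable <ap@example-corp.com>", "CEO <ceo@exarnple-corp.com>",
    "CFO <cfo@examp1e-corp.com>", "Billing <billing@example-corp-payments.com>",
    "Vendor <sales@unrelated-supplier.com>",
]

def flag_messages(headers):
    """(header, reason) pairs for every message whose sender domain looks like ours."""
    checked = ((h, lookalike_reason(sender_domain(h))) for h in headers)
    return [(h, reason) for h, reason in checked if reason]
```

A hit from `flag_messages` is a reason to route the message for out-of-band verification (a known internal phone number, as the PSA advises), not proof of fraud on its own.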