BEC scams grew by 1,300%, hit companies hard

Jun 17, 2016 14:32 GMT

The FBI's Internet Crime Complaint Center (IC3) has said in a public service announcement (PSA) on the rise of Business Email Compromise (BEC) scams that companies around the world have lost over $3 billion to this type of fraud, with over $960 million lost by US companies alone.

The latest IC3 PSA comes just ten months after a previous alert on BEC scams issued in August 2015, when the FBI claimed that businesses lost over $1.2 billion.

The damage from BEC scams more than doubled in the last year. One possible reason is that some high-profile cases have shown criminals they can steal more than a few thousand dollars.

BEC scams claimed many high-profile victims

For example, FACC, an airplane parts manufacturer from Austria, lost €52.8 million ($56.79 million) in a BEC scam this past January. The company fired its CEO at the start of June, citing his inability to detect the fraud.

A few days after the FACC incident, Belgian bank Crelan announced it lost €70 million ($75.8 million) in a similar scam.

At the end of March, toy maker Mattel also revealed that one of its execs was fooled into sending $3 million to some off-shore crooks. Fortunately, the company was able to recover its money thanks to a public holiday in China that delayed the criminals' operations.

BEC scams grew 1,300% in the past 16 months

The $3 billion mark includes data from October 2013 to May 2016, but the FBI says that, since January 2015, its IC3 center has seen a 1,300 percent rise in BEC complaints.

The agency recorded at least one victim in every US state, along with victims from another 100 countries. The FBI says stolen money was sent to 79 different countries, but most went to China and Hong Kong.

Most of the victims stated that many fraudulent transactions occurred via wire transfers, but crooks also used checks whenever they could.

BEC scammers add new tricks

Some of the tactics scammers use include hacking into the email accounts of a company's high-ranking execs, and then requesting an urgent payment with the CEO or CFO.

Additionally, the CFO or CEO email accounts can be hacked as well. In this scenario, the scammers, posing as the high-ranking execs, ask their financial departments to wire money using an official order.

Scammers don't necessarily have to hack a company's own email accounts. The FBI says it has seen cases where a supplier is hacked and the scammers then use the supplier's account to request urgent payments, directed to the scammers' bank accounts.

Furthermore, scammers who can't hack an email account usually register look-alike domains and rely on social engineering and the carelessness of a company's financial department employees.

Since last August, the FBI also says it has detected a new scam tactic in which crooks don't request payment, but ask HR departments for W-2 employment forms. These forms contain a lot of sensitive information that scammers can use to file fraudulent tax returns or sell on the Dark Web.

BEC scammers target companies without private email servers

A characteristic of BEC scams that the FBI noticed is that scammers regularly target enterprises that employ free email domains instead of private email servers.

Companies that use Yahoo, Gmail, or Hotmail are targeted more often than those that use addresses on their own custom domains.

The FBI also warns against allowing employees to use personal email addresses for work-related activities.

"Businesses that deploy robust internal prevention techniques at all levels (especially targeting front line employees who may be the recipients of initial phishing attempts), have proven highly successful in recognizing and deflecting BEC attempts," the FBI notes.

Below is a breakdown of the IC3's latest statistics:

Losses to Business Email Compromises (Oct 2013 - May 2016)
Domestic and International victims (IC3 complaints): 15,668
Combined exposed dollar loss (IC3 complaints): $1,053,849,635
----- Total U.S. victims: 14,032
----- Total U.S. exposed dollar loss: $960,708,616
----- Total non-U.S. victims: 1,636
----- Total non-U.S. exposed dollar loss: $93,141,019
Domestic and International victims (reports from all agencies): 22,143
Combined exposed dollar loss (reports from all agencies): $3,086,250,090