BEC – A Billion-Dollar Scam
A Federal Bureau of Investigation (FBI) public service announcement indicates that $26 billion was lost to business email compromise (BEC) schemes between June 2016 and July 2019. This total is based on actual victim complaints reported to the FBI’s Internet Crime Complaint Center (IC3).
BEC is a cyber-criminal scheme targeting businesses that make legitimate transfer-of-fund or wire transfer requests. Attackers compromise email accounts through social engineering or computer intrusion and conduct unauthorized transfers of funds. BEC attackers often target the people in a business who are responsible for sending payments, using spoofed accounts to impersonate the company’s C-suite or a supplier and request money transfers. Another variation involves asking for employees’ personally identifiable information or Wage and Tax Statement (W-2) forms. Recently, an increasing number of BEC complaints submitted to IC3 also concern the diversion of payroll funds: a company’s human resources or payroll department receives spoofed emails that appear to come from employees requesting a change to their direct deposit account. The new direct deposit information generally leads to a pre-paid card account. BEC scams can also involve fraudulent requests for checks.
According to the FBI, this type of fraud continues to grow and evolve by targeting small, medium and large business transactions. Statistical data indicates a 100 percent increase in identified global exposed losses between May 2018 and July 2019. The scam has been reported in all 50 states and 177 countries.
A Financial Crimes Enforcement Network (FinCEN) report, Financial Trend Analysis, identifies the manufacturing and construction industries as the top targets for BEC. The number of suspicious activity reports (SARs) describing BEC incidents has risen rapidly, from an average of nearly 500 per month in 2016 to above 1,100 per month in 2018.
Shortly after the FBI issued its alert, the U.S. Department of Justice (DOJ) announced the arrest of 281 individuals in “Operation reWired,” a coordinated domestic and international law enforcement effort. The four-month operation resulted in the arrest of 74 people in the United States and 207 others overseas. It also resulted in the seizure of nearly $3.7 million.
According to DOJ, foreign citizens perpetrate many of the BEC scams. They often belong to transnational criminal organizations, many of which originated in Nigeria but have since spread globally. These fraudsters are becoming more sophisticated and are often backed by complex networks of both witting and unwitting money mules who help launder their illicit proceeds through the U.S. and international financial systems.
In a speech delivered at the Federal Identity (FedID) Forum and Exposition, FinCEN Director Kenneth A. Blanco gave the following advice to financial institutions: “A financial institution, or any other entity targeted with similar types of fraud, should consider its entire attack surface and risk exposure to such illicit activity and misuse. Unfortunately, the threat portion of the risk equation is too often overlooked. Aside from just examining their processes and system vulnerabilities that could be exploited, it can be extremely valuable for financial institutions to evaluate the threat posture already affecting them or that has the potential to affect them, such as the availability of customer credential information available for sale on places like darknet marketplaces.”