July 17, 2019

FinCEN: Business email scams stole $300M a month in 2018

The Financial Crimes Enforcement Network (FinCEN) highlighted new efforts to combat business email compromise (BEC) scams – one of the most prevalent types of cyberfraud – at a FinCEN Exchange forum Tuesday. Suspicious activity reports (SARs) indicate that BEC scams led to more than $300 million stolen a month in 2018, more than three times what was reported in 2016.

BEC scams are used to gain access to a business email account and imitate the owner's identity in an effort to defraud a company. Tuesday's forum focused on identifying and combatting BEC money laundering and terrorist financing schemes.

In conjunction with the forum, FinCEN released a trend analysis of Bank Secrecy Act (BSA) data exploring the industries targeted and methodologies used by BEC scammers. Among the key findings:

  • the number of SARs related to BEC incidents reported monthly has more than doubled from an average of about 500 per month in 2016 to more than 1,100 per month in 2018;
  • the most common BEC method is using fraudulent vendor or client invoices, which increased from 30 percent of sampled incidents in 2017 to 39 percent in 2018;
  • the impersonation of a CEO or other high-ranking executive fell from 33 percent in 2017 to 12 percent in 2018; and
  • manufacturing and construction businesses were the top targets for BEC fraud in 2017 and 2018.

FinCEN also issued an update to its "Advisory to Financial Institutions on E-mail Compromise Fraud Schemes." The advisory updates operational definitions, provides information on the targeting of non-business entities and data by email compromise schemes, highlights general trends in BEC schemes and alerts financial institutions to risks as scammers target vulnerable business processes.

The updated advisory also notes ways for financial institutions to share information about these schemes. NAFCU recently shared with the agency ways to improve information sharing between government agencies, law enforcement and financial institutions to better combat BSA-related issues.

NAFCU has cybersecurity compliance resources available online; a webinar available on-demand also details how to identify cybersecurity risks and vulnerabilities.