Losses due to Business Email Compromise (BEC) grew by almost 90% in 2017, says FBI
The 2017 Internet Crime Report, released by the FBI (see the link below), indicates that Business Email Compromise (BEC) scams remain a main threat to companies, with reported losses of over US$675 million. It is a striking increase of almost 90% when compared to the losses reported in 2016, which amounted to US$360 million. The data, based on voluntary reporting to the agency, also shows that the number of complaints has increased by a lower rate of 30%, from 12,005 in 2016 to 15,690 in 2017, which leads to a higher average loss per complaint.
Business Email Compromise is a sophisticated type of phishing attack and one of the main challenges in email security, since it mostly goes undetected by anti-spam filters. One or more fraudsters compromise business email accounts and then try to induce wire transfers or obtain sensitive data, targeting small, medium and large businesses worldwide.
One common scenario is when the criminals pretend to be a longstanding supplier requesting a wire transfer for an invoice payment, spoofing the email so it looks legitimate. Another scenario, also known as CEO Fraud, is when a C-level executive has their email account compromised, either spoofed or hacked.
The fraudster then poses as the executive and sends an employee what appears to be a legitimate request for a wire transfer. The targeted employee is usually the one responsible for handling such requests, which makes the scam even more credible. Cybercriminals may also use this technique to acquire sensitive data.
Another threat that shows up in the report is ransomware, though with numbers that seem oddly low considering 2017 was the year of the WannaCry attack, which alone infected more than 200,000 computers and caused losses estimated in the hundreds of millions. The FBI received 1,783 complaints with total losses of just over US$2.3 million: significant, yes, but it still smells like under-reporting.
This discrepancy may be due to the fact that the report is based on voluntary complaints, and companies that paid the average US$300 to US$600 ransom may not have bothered to report the crime.
Plus, according to the European Union Agency for Law Enforcement Cooperation (Europol), most of the computers infected by WannaCry were outside the U.S., which possibly limits the range of companies reporting the crime to the American agency.
Tech Support Fraud
Tech support fraud is a common, widespread scam in which fraudsters offer customer or technical support in order to gain access to companies' and individuals' devices. The news here is that, in addition to the known tactics of phone calls, pop-ups and internet ads, cybercriminals are now sending their victims phishing emails with malicious links or fraudulent account charges.
The FBI reports it has received 10,949 complaints related to tech support fraud, with losses amounting to nearly US$15 million, a 90% increase in losses from 2016.
Here are a few basic tips that can help you stay safe amidst the rise in internet and email threats:
Make sure you deploy basic cybersecurity tools, such as anti-virus and anti-spam, and keep them updated.
Always check the spelling of URLs and email addresses. Sometimes one letter is the only difference between a real address and a fake one.
Don’t hit the “Reply” button when receiving an email that requests data or bank transfers. Hit “Forward” or create a new email so you can make sure you’re sending the message to the correct email address.
Beware of emails requesting you to fill out forms or to take immediate, urgent actions.
Train your team to be more aware of internet threats and how to recognize them.
If you get infected by ransomware, do not pay the ransom. Get specialized help ASAP.
BEC scams easily bypass anti-spam filters. To avoid this type of highly targeted phishing attack, consider deploying a Secure Email Gateway system with advanced tools to detect spoofed, fraudulent emails.
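As an added illustration of the checks behind the "one letter difference" and "don't hit Reply" tips above and the spoof detection a gateway performs, here is a small defender-side script; it is not code from the original post or from any product, and the trusted domains, executive name and sample message are constructed assumptions.

```python
"""BEC red-flag checks: lookalike sender domain, mismatched Reply-To, executive
display name on an outside address. All domains/names/sample are constructed."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.com"}  # constructed
EXECUTIVES = {"jane doe": "example-corp.com"}  # constructed: name -> home domain

def edit_distance(a, b):
    """Levenshtein distance: insertion, deletion or substitution each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is clean."""
    if domain in TRUSTED_DOMAINS:
        return None
    # Classic visual swaps (rn->m, 0->o, 1->l) collapse to the genuine spelling.
    norm = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(domain, trusted) == 1:
            return trusted
    return None

def bec_red_flags(raw):
    """Return human-readable findings for one raw message; empty list means clean."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    flags = []
    if (imitated := lookalike_of(from_dom)):
        flags.append(f"sender domain {from_dom} looks like trusted {imitated}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    home = EXECUTIVES.get(name.strip().lower())
    if home and from_dom != home:
        flags.append(f"display name '{name}' used with outside domain {from_dom}")
    return flags

# Constructed sample in the CEO-fraud style the post describes.
SAMPLE = ("From: Jane Doe <jane@exarnple-corp.com>\n"
          "Reply-To: Jane Doe <ceo.urgent@freemail.example>\n\n"
          "Please process the attached invoice today.\n")
```

Running `bec_red_flags(SAMPLE)` yields three findings for the constructed message, while a message from a genuine trusted domain with no Reply-To yields none.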