BEC Scams Cost U.S. Companies $300 Million Per Month: Study
Treasury Department Says an Average of 1,100 Businesses Scammed Each Month
Business email compromise scams are surging, and they're costing U.S. companies a total of more than $300 million a month, according to a recently released analysis by the U.S. Treasury Department. Manufacturing and construction firms are the hardest hit by this type of fraud, the study notes.
The analysis, which the Treasury Department's Financial Crimes Enforcement Network released this week, found that the number of reported business email compromise scams increased to 1,100 per month in 2018, up from 500 incidents each month in 2016.
The increasing number of BEC incidents also means that more money is flowing into the coffers of scammers. The Treasury Department report notes that BEC scams cost businesses an average total of $301 million in fraud per month in 2018, up from $110 million in 2016.
The overall financial impact of BEC scams, as described in the Treasury Department report, is much higher than earlier estimates from the FBI.
In its annual Internet Crime Report released in April, the FBI reported that losses from business email compromise scams reported to it nearly doubled between 2017 and 2018, reaching $1.2 billion in the U.S. last year (see: FBI: Global Business Email Compromise Losses Hit $12.5 Billion). By comparison, the Treasury Department's monthly estimate would add up to an annual total of $3.6 billion in U.S. fraud in 2018.
The Rise of BEC
The typical BEC – or CEO fraud – scheme starts with attackers stealing the email credentials of a top executive through phishing or other methods. Then they impersonate that executive, sending urgent messages to lower-level employees to transfer or wire money to attacker-controlled bank accounts. In other cases, the attackers spoof a company's business partner rather than its executive.
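The two variants described above, an impersonated executive and a spoofed business partner, both leave traces in message headers that mail-flow rules can check before a transfer request ever reaches accounts payable. The triage script below is an added example, not code from the article or from any firm it quotes; the executive directory, the trusted vendor domains and the four sample messages are constructed for illustration, and a real deployment would load the first two from the identity provider and the vendor master file. It flags a known executive's display name on an unknown address, a sender domain that is a homoglyph or one-character variant of a trusted domain, and a Reply-To that diverts replies elsewhere; payment wording alone only adds context, since it is routine in an AP mailbox.

```python
"""Heuristic BEC triage over constructed email headers (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: lower-cased display name -> the only legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@acme-example.com",
    "john roe": "john.roe@acme-example.com",
}
# Constructed set of domains the company exchanges invoices with (own domain included).
TRUSTED_DOMAINS = {"acme-example.com", "supplier-example.com"}
# Wording typical of payment-diversion requests; normal on its own in an AP mailbox.
PAYMENT_LANGUAGE = re.compile(
    r"\b(urgent|wire|immediately|confidential|new bank|updated bank|account details)\b", re.I)
# Substitutions commonly used when registering lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain):
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(normalise(domain), normalise(t)) <= 1:
            return t
    return None


def split_address(header_value):
    """'Jane Doe <jane.doe@x.com>' -> ('jane doe', 'jane.doe@x.com', 'x.com')."""
    name, addr = parseaddr(header_value or "")
    addr = addr.lower()
    return name.strip().lower(), addr, (addr.rsplit("@", 1)[1] if "@" in addr else "")


def triage(raw_message):
    """Return {'suspicious': bool, 'reasons': [...]} for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    name, addr, dom = split_address(msg.get("From"))
    identity, content = [], []
    # 1. Display name of a known executive on an address we do not recognise.
    expected = EXECUTIVES.get(name)
    if expected and addr != expected:
        identity.append(f"display name '{name}' matches an executive but address is {addr}")
    # 2. Sender domain is a homoglyph or one-character variant of a trusted domain.
    target = lookalike_of(dom) if dom else None
    if target:
        identity.append(f"sender domain {dom} looks like trusted domain {target}")
    # 3. Replies are diverted to a different domain than the one shown in From.
    if msg.get("Reply-To"):
        _, _, reply_dom = split_address(msg.get("Reply-To"))
        if reply_dom and reply_dom != dom:
            identity.append(f"Reply-To domain {reply_dom} differs from From domain {dom}")
    # 4. Payment wording only escalates the verdict when an identity signal is present.
    if PAYMENT_LANGUAGE.search(msg.get("Subject", "") + "\n" + str(msg.get_payload())):
        content.append("payment/urgency language")
    return {"suspicious": bool(identity), "reasons": identity + content}


# Constructed samples: two fraud attempts and two legitimate messages.
CEO_FRAUD = """\
From: Jane Doe <jane.doe@gmail-example.com>
Reply-To: jane.doe.ceo@webmail-example.net
Subject: Urgent wire transfer

I am in a meeting and cannot talk. Please wire $48,000 immediately to the
account below and keep this confidential until I am back.
"""
VENDOR_LOOKALIKE = """\
From: Accounts <billing@supp1ier-example.com>
Subject: Invoice 4471 - updated bank account details

Please note our updated bank account details for all future payments.
"""
LEGIT_EXEC = """\
From: Jane Doe <jane.doe@acme-example.com>
Subject: Q3 planning

Slides for Thursday's planning session are attached.
"""
LEGIT_VENDOR = """\
From: Billing <billing@supplier-example.com>
Subject: Invoice 4471 due

Please arrange the wire for invoice 4471 by Friday.
"""
```

Run `triage(CEO_FRAUD)` and `triage(VENDOR_LOOKALIKE)` to see the identity signals fire, and `triage(LEGIT_VENDOR)` to see that payment wording alone does not. The caveat that matters for the credential-theft case in the paragraph above: a request sent from a genuinely compromised executive mailbox passes all three identity checks, so these heuristics complement, and do not replace, an out-of-band callback to a known number before any bank-detail change or unusual transfer is actioned.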
David Stubley, who heads security testing firm and consultancy 7 Elements in Edinburgh, Scotland, tells Information Security Media Group that his company is seeing a global increase in BEC attacks, "both an increase in attempts to gain access, as well as an increase in successful compromise of individual accounts leading to monetary loss." He says organized crime gangs see these scams as an easy way to make money.
In January, reports surfaced that Chinese hackers stole $18.6 million from the Indian arm of Tecnimont SpA, an Italian engineering company, through an elaborate cyber fraud scheme that included impersonating the firm's chief executive.
"Attacks are becoming ever more sophisticated, and we have seen a number of threat actors using VPN solutions to not only mask their source IP, but more importantly to bypass country-based filtering or alerting," Stubley says.
Hardest Hit U.S. Industries
Over the last several years, the construction and manufacturing industries in the U.S. have been especially hard hit by BEC scams. The Treasury Department reports that these businesses accounted for a quarter of all reported incidents in 2018. Commercial services - such as shopping centers, entertainment facilities and lodging - along with real estate have also seen significant increases, according to the new report.
The types of BEC scams are also changing, the Treasury Department report found.
For instance, emails posing as the company CEO are giving way to scammers imitating vendors or passing along authentic-looking invoices or work orders in an attempt to collect fraudulent payments.
"Fake invoices are a very popular attack method beyond just BEC, undoubtedly due to the prevalence of legitimate invoices being sent daily. Malware very often uses invoices as the premise in phishing emails, often distributing malware that steals passwords. It's likely that some of these compromised accounts are a source of insider accounts used for BEC attempts," says Jonathan Tanner, a senior security researcher at Barracuda Networks.
Another reason for this shift? The new tactics can yield bigger profits.
"Potential for greater financial gain has likely led perpetrators of BEC fraud to use fraudulent vendor invoices when targeting certain industries. The average transaction amount for BECs impersonating a vendor or client invoice was $125,439, compared with $50,373 for impersonating a CEO," according to the Treasury Department report.
One reason why BEC scams are increasing and becoming more lucrative, especially in certain industries, is that while security teams have hardened applications and hardware against attacks, employees remain the weakest point of any company. Armed with data from previous breaches, it's not difficult for scammers to craft personalized emails and documents that target workers, Nathan Wenzler, the senior director of cybersecurity at Moss Adams, a Seattle-based consultancy, tells ISMG.
"This means higher attack success rates, more compromised systems and more financial gain for criminals," Wenzler says. "Until organizations put as much effort into training their users on a regular basis and building a stronger culture of security throughout the company, these attacks will continue to be successful and compromises will continue to happen."
Rick Holland, CISO and vice president of strategy at Digital Shadows, a San Francisco-based security firm, notes that investigators can draw a straight line between the type of phishing scams that gather personal data and credentials and the increase of BEC schemes that target employees and businesses.
"If a cybercriminal gains access to a corporate email account, the type of information they can access is perfect for conducting a BEC campaign," Holland says. "Contracts, invoices and purchase orders will all be stored in these inboxes. However, the sad reality is that many of these inboxes are already exposing this type of sensitive information that can enable BEC. As the return on investment from acquiring such sensitive information is so high, cybercriminals are actively collaborating with each other to target specific companies."
More Prosecutions
As the number and frequency of BEC scams increase, U.S. law enforcement has seen an increase in related charges and convictions.
In April, a 31-year-old Maryland man was sentenced to more than seven years in federal prison for his leadership role in a BEC scheme that netted $4.2 million from 13 victims over a two-year period (see: Maryland Man Sentenced for Leading $4.2 Million BEC Scheme).
The Treasury Department report notes that 73 percent of these fraud scams in 2017 could be traced to a domestic scammer, while 27 percent originated overseas, with money being transferred outside the U.S.
In many cases, the scammers use "money mules" as third parties to collect the stolen funds and transfer the cash to their accounts, the Treasury report finds. One reason that scammers can keep their distance from a victim is that gathering information on employees has become increasingly automated, says Mark Chaplin, principal at the Information Security Forum, a not-for-profit cybersecurity and risk management organization.
"Criminals can target and attack organizations from a distance, maintaining a low level of risk while they exploit increasing amounts of valuable information obtained through social media," Chaplin says. "Reconnaissance has become trivial through greater automation, leading to small and medium-sized organizations now being targeted."