FBI Issues Warning About The Business Email Compromise

The Business Email Compromise (BEC) is a scam perpetrated by scammers who, using social engineering tactics, pose as company executives or trusted vendors to lure employees at their targeted companies to transfer funds to the scammers. The FBI first began tracking the (BEC) in 2013 and the scam has gotten bigger and bigger each year. The FBI reports that between October 2013 and December 2023 there were 305,033 incidents of the BEC domestically and internationally with losses pegged at $55,499,915,582.

Ic3Business Email Compromise: The $55 Billion Scam

The BEC is an equal opportunity scam, targeting both small businesses and large corporations with incidents being reported in every state and 186 countries.

Ic3Business Email Compromise: The $55 Billion Scam

How the Scam Works

Like so many scams and data breaches, the BEC starts with a phishing or more specifically targeted socially engineered spear phishing email to a targeted company employee that lures the employee into either downloading an attachment or clicking on a link that downloads malware that enables the cybercriminal to infiltrate the computer networks of the targeted company. These initial emails to the targeted company employee have become increasingly convincing through the use of AI which enables the cybercriminal to gather information as to who they should target as well as obtain information to personalize the email and make it more convincing. Once the computer networks of the targeted company have been breached, the cybercriminals are able to harvest information to use to formulate convincing emails that appear to be from a high ranking company executive sent to an employee with the authority to wire funds directing the employee to wire money to an account that appears to be legitimate, but is actually controlled by the cybercriminal. Often the email may actually come from the account of the CFO or other officer from whom the email appears to originate because the cybercriminal has managed to hack and take over the account of the high ranking executive. As part of the money laundering process these funds often make their way through banks in the United Kingdom, Hong Kong, China, Mexico and the UAE.

Ic3Business Email Compromise: The $55 Billion Scam

New Developments

Like all scams, the BEC has evolved as technology has evolved and in one of the more recent developments, rather than the funds having to be laundered from bank to bank, the cybercriminal directs the funds to be wire to a cryptocurrency custodial account where the funds are immediately converted to difficult to follow cryptocurrencies.

Ic3Internet Crime Complaint Center (IC3) | Rise In Use of Cryptocurrency In Business Email Compromise Schemes

In another AI related evolution of the BEC, deepfake and voice cloning technology is being used to perpetrate the scam. In 2019 the Wall Street Journal reported the first incident of this type of BEC where the CEO of a UK energy firm transferred $243,000 in response to a phone call in which he thought he was speaking with the CEO of his company’s German parent company.

A year later, as reported in Forbes, a voice cloning technology was again used to convince a branch manager of a Japanese company to wire $35 million to BEC scammers.

ForbesFraudsters Cloned Company Director’s Voice In $35 Million Heist, Police FindBy Thomas Brewster

Judging by the increased numbers of incidents of the BEC it appears that many companies are not taking the necessary steps to protect themselves from this crime even though the protocols companies should be putting in place are not particularly costly, such as establishing an approval process for large transactions that would require two or more executives to sign off on large wire transfers; the use of multiple means of communication to verify requested wire transfers and confirmation by phone for requests for wire transfers coming through emails and confirmation by emails for requests for wire transfers coming by phone.

Finally, one of the best things that all companies should do to protect themselves from all manner of scams and cybercrimes is to increase their employee education as to how social engineering works to learn how to recognize it and not fall victim to it.