Email-based attacks are more than spam and phishing. Business email compromise scams bilked more than a billion dollars from victims in 2018, according to the Federal Bureau of Investigation. The good news is that efforts to recover the funds have been somewhat successful.
Losses from business email compromise (BEC) scams reached $1.2 billion in 2018, almost double the adjusted losses of $675 million in 2017, the FBI’s Internet Crime Complaint Center (IC3) said in its annual Internet Crime Report. Internet-enabled theft, fraud, and exploitation accounted for $2.7 billion in financial losses in 2018, and BEC scams were by far the most financially costly incidents last year.
The amounts in the report reflect the incidents that were reported to IC3. Many victims are unaware they can report online scams to IC3, which means the total losses from Internet-enabled theft and fraud would be even higher.
BEC refers to scams where attackers send email messages look as if they came from a specific employee at a business in order to trick victims into sending money via transfers. The scams work because the requests typically come from accounts that are familiar to the victims. Attackers may also ask victims to change an existing transaction to send the funds to a different account.
In the past, the scams began with compromising or spoofing the email accounts of the organization’s executive officers (such as the CEO or CFO), but now scammers are just as likely to masquerade as real estate agents, lawyers, and vendors.
“Through the years, the scam has seen personal emails compromised, vendor emails compromised, spoofed lawyer email accounts, requests for W-2 information and the targeting of the real-estate sector,” the FBI said in the report.
There was also an increase in the number of scams instructing victims to purchase gift cards adding up to the total amount needed, the IC3 said. The initial requests came from spoofed emails, phone calls, or even text messages, and the victim would provide the gift card numbers.
The growing number of BEC scams prompted the FBI to set up the Recovery Asset Team in February 2018 to help businesses reporting fraudulent domestic transfers. The goal was to streamline communications between the investigators and financial institutions in order to freeze suspicious wire transfers before they reach the recipients. Over 11 months, the team handled 1,061 incidents causing losses of more than $257 million, and successfully recovered more than $192 million, the report said.
Success stories include recovering over $1 million transferred by a New Jersey town to a fraudulent account and $50,000 for a New York home buyer who thought the wire transfer instructions came from the closing agent during a real estate transaction. In a Florida case the victim was instructed to send the money to a Bronx, NY account, and the FBI worked with the bank to arrest the owner of the account when the individual showed up at the bank to withdraw the funds.
"A recovery rate of 75% shows how critical law enforcement cooperation can be when attempting to recuperate stolen funds," wrote Harrison Van Riper, a strategy and research analyst at Digital Shadows.
Payroll diversion, where criminals change the employee’s direct deposit information to point to a different account, resulted in a loss of $100 million in 2018. Criminals phish payroll login credentials from employees in order to add a different bank account or prepaid card. They may add rules to prevent the employee from being notified about the changes. The FBI was able to work with a “majority charity” on a payroll diversion case that resulted in a loss of $140,000, the report said.
"Whereas BEC fraud averaged almost $59,000 per incident according to the IC3’s statistics, payroll diversion averaged $1 million," Van Riper wrote.
Organizations in education, healthcare, and commercial airway transportation have been affected.
IC3 received 351,936 complaints in 2018, and the most frequently reported complaints were for non-payment/non-delivery scams, extortion, and breaches of personal data.