Business email compromise (BEC), also known as “CEO fraud,” “W2 fraud,” or email account compromise (EAC), is a more targeted and damaging form of phishing. The primary attack vector is to either hijack or “spoof” the email account of an executive or another person in a position of authority within a company or organization. The end goal is typically to convince an employee of the company to wire money.
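The defensive side of the definition above, as an added illustration that is not part of the original article: a small screen that flags the tell-tale signs of executive impersonation in inbound mail. The company domain, the executive roster, the lure phrases and the two sample messages are all constructed for this example; a real deployment would draw them from the directory and tune the wording list.

```python
"""Heuristic screen for executive-impersonation ("CEO fraud") email.

Added illustration: OUR_DOMAIN, EXECUTIVES, LURE_WORDS and the two sample
messages are constructed for this example, not taken from the article.
"""
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed organisation data: the domain the company really sends from and the
# display names an impersonator would most plausibly borrow.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"alice ceo": "alice@example.com", "bob cfo": "bob@example.com"}

# Wording typical of a wire-transfer or gift-card lure (constructed list).
LURE_WORDS = ("wire", "urgent", "gift card", "w-2", "change bank", "payment")


def _display_and_addr(raw_header: str):
    """Decode an RFC 2047 header and split it into (display name, address)."""
    name, addr = parseaddr(str(make_header(decode_header(raw_header))))
    return name.strip().lower(), addr.lower()


def assess(raw_message: str) -> dict:
    """Return the reasons a message looks like BEC; an empty list means clean."""
    msg = message_from_string(raw_message)
    name, addr = _display_and_addr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    # 1. An executive's display name, but not that executive's real address.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("executive display name on a foreign address")
    # 2. Lookalike domain: borrows our name but is not our domain.
    if domain != OUR_DOMAIN and OUR_DOMAIN.split(".")[0] in domain:
        reasons.append(f"lookalike domain {domain}")
    # 3. Reply-To quietly redirects the conversation away from the visible sender.
    _, reply_to = _display_and_addr(msg.get("Reply-To", ""))
    if reply_to and reply_to != addr:
        reasons.append("Reply-To differs from From")
    # 4. SPF/DKIM failure recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("authentication failure")
    # 5. Payment-lure wording in the subject or (single-part) body.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in LURE_WORDS):
        reasons.append("payment lure wording")

    return {"from": addr, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample: impersonation from a lookalike domain with a wire lure.
SPOOFED = """From: Alice CEO <alice.ceo@example-corp.co>
Reply-To: alice.ceo@mail-example-corp.co
To: pat@example.com
Subject: Urgent wire request
Authentication-Results: mx.example.com; spf=none; dkim=none

Pat, I need you to wire $48,000 to a new vendor today. I'm in meetings, handle this quietly.
"""

# Constructed sample: a genuine message from the executive's real mailbox.
LEGIT = """From: Alice CEO <alice@example.com>
To: pat@example.com
Subject: Board deck
Authentication-Results: mx.example.com; spf=pass; dkim=pass

Pat, please send me the Q3 board deck when you have a minute.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, assess(sample))
```

The score deliberately requires two independent signals before a message is called suspicious: any one of them (an executive mailing from a personal account, a marketing domain that resembles the company's) occurs legitimately, but the combination is what the article's "distrust and verify" posture is meant to catch. Flagged messages should route to a manual callback to the purported sender on a known-good number, never to a reply.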
In the FBI’s annual Internet Crime Report, BEC scams accounted for $1.7 billion of the $3.5 billion in reported losses to online scams.
“The back-of-the-napkin math isn’t pretty. Taking into account unknowables, we’re talking about a ballpark cost of roughly $75,000 per BEC-related complaint,” says CyberScout founder and chairman Adam Levin.
“That is exponentially more expensive than other cyber events. Consider that the average cost for a ransomware attack against a business is about $4,400, and your run of the mill phishing incident weighs in at a much less hefty $500. Perhaps most importantly, the FBI report’s 2019 numbers are a significantly higher figure than the reported $1.3 billion in BEC scam-related losses the year before.”
“BEC/EAC is constantly evolving as scammers become more sophisticated…BEC/EAC scams routinely began with the hacking or spoofing of the email accounts of chief executive officers or chief financial officers, and fraudulent emails were sent requesting wire payments be sent to fraudulent locations. Over the years, the scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards,” stated the FBI report.
In response to the rising number of BEC cases, the U.S. government has formed the Recovery Asset Team (RAT) through the Internet Crime Complaint Center (IC3) to help victims recover stolen funds. In its first full operational year, RAT managed to recover over $304 million of the $384 million reported stolen in 1,307 incidents in 2019. Despite the relatively high success rate, Levin encourages businesses and organizations to continue to practice extreme caution.
“[D]on’t let the 79% recovery rate lull you into a false sense of security,” says Levin. “The loss of time, worker focus and business opportunities can be catastrophic in the aftermath of an attack, and is yet another reason no company should be without a robust cyber insurance policy in place.”
The FBI and IC3 released a checklist for organizations to follow in the event of a BEC:
- Contact the originating financial institution once fraud is identified.
- File a detailed complaint with IC3.
- Follow up regularly on the IC3 website for announcements regarding BEC trends.
- Verify any payment charges with intended recipients.
- Continue to file reports with law enforcement.
“In a work environment where the dangers are manifold and more or less non-stop, a cultural shift needs to happen. We need to always assume that a scam may be afoot, and proceed accordingly. Our motto: ‘Distrust AND verify.’ A culture of caution has never been more important,” says Levin.