An in-depth investigative study by the Better Business Bureau (BBB) finds that business email compromise scams are skyrocketing in frequency and have cost businesses more than $3 billion since 2016.
Business email compromise fraud is an email phishing scam, sometimes called “spear phishing,” that typically targets people who pay bills in businesses, government and nonprofit organizations. It affects both big and small organizations, and it has resulted in more losses than any other type of fraud in the U.S., according to the FBI.
The investigative study – “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise (BEC) Scams” – looks at the prevalence of BEC scams and the criminal systems that perpetrate them. It digs into the scope of the problem, who is behind it, the fight to stop it and the steps consumers can take to avoid it.
BEC fraud takes many forms, but in essence, the scammer poses as a reliable source who sends an email from a spoofed or hacked account to an accountant or CFO, asking them to wire money, buy gift cards or send personal information, often for a plausible reason. If money is sent, it goes into an account controlled by the con artist.
The FBI recognizes at least six types of activity as BEC or email account compromise (EAC) fraud, which differ based on who appears to be the email sender – a CEO asking the CFO to wire money to someone, a vendor or supplier requesting a change in invoice payment, executives requesting copies of employee tax information, senior employees seeking to have their pay deposited into a new bank account, a clergyman asking the recipient to buy gift cards on their behalf, even a realtor or title company redirecting proceeds from a real estate sale into a new account.
This serious and growing fraud has tripled over the last three years. In 2018, 80% of businesses received at least one of these emails. From 2016 through May 2019, the Internet Crime Complaint Center (IC3) received 58,571 complaints on BEC fraud, with reported losses in the U.S. totaling $3.1 billion. BBB’s report finds that the average BEC loss involving wire transfers is $35,000, while the average loss involving gift cards is $1,000 to $2,000. However, the cost to businesses can be much higher: Google and Facebook lost more than $100 million to BEC fraud before the perpetrator was arrested in 2017.
One real estate agent told BBB that on the closing date for a house she helped sell, the buyer received an email appearing to come from the agent, requesting that the buyer wire funds to a specified account, contrary to the agent’s instructions that the buyer bring a certified check to the closing. Although the agent did not send the email and it did not come from her true email address, the amount requested was the actual closing price of the house, and an attached PDF showed the letterhead of the real company handling the transaction; the account to which the money was to be wired was fake. The buyer did not comply and brought a certified check to the closing. Her company now warns clients to call the title company or real estate agent if they receive instructions to wire real estate closing money.
According to BBB’s report, the majority of defendants who have been arrested or charged for BEC fraud in the U.S. over the last three years are of Nigerian origin. The report says 90% of BEC groups operate out of Nigeria, with other Nigerian fraud groups operating from the U.S. and Canada. In breaking down the anatomy of a BEC scam, the report notes that fraud gangs need three things. First, they need the names of people within an organization, their job function and their email username and password, often obtained with illicit open source tools or free trials or lead generation services. Second, they must send emails directly to people, impersonating a trusted superior or partner and seeking money, which they can accomplish with a fake email address or domain name or by hacking a real person’s email account. Third, they need a way to obtain money sent by victims, often via money mules, as detailed in a February 2019 BBB study about romance scam victims who become money mules.
Active efforts are being made to fight BEC fraud. On August 22, 2019, 80 defendants, believed to be responsible for at least $6 million in losses, were indicted in Los Angeles for BEC fraud in a major effort led by the FBI. On September 10, 2019, a worldwide law enforcement effort yielded 74 arrests for BEC-related fraud in the U.S., 167 in Nigeria and 40 in several other countries, with nearly $3.7 million in assets seized from the fraudsters. The U.S. Justice Department has brought at least 22 cases in the last three years, many as part of a collective enforcement effort dubbed “Operation Wire Wire,” named for BEC fraud’s common name among Nigerian fraudsters.
BBB urges businesses and other organizations to take technical precautions such as multi-factor authentication for email logins, along with verifying changes in information about customers, employees or vendors.
Read the full study at bbb.org/becstudy.