On June 14, 2016, the Federal Bureau of Investigation (FBI) issued a Public Service Announcement on the increase of Business E-mail Compromise (BEC) scams that gave an in-depth summary of what the scam is, who is at risk, how the scam is executed, how to protect your business, and what to do if you are a victim.
What is the BEC scam?
This sophisticated scam targets businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is executed by compromising business e-mail accounts through social engineering or other intrusion techniques.
The FBI reports that there has been a 1,300% increase in reported losses since January 2015.
Who is at risk?
The BEC scam targets businesses of all sizes. Some victims have reported that scareware or ransomware attacks occurred immediately before the BEC incident. Generally, these attacks were carried out through a phishing scam that contained a malicious link.
How is the scam executed?
The FBI has identified five scenarios in which the BEC scam is carried out.
- Data Theft – fraudsters gain access to a business executive’s e-mail account and send out e-mails to employees who have access to W-2s or other documents that contain personally identifiable information. The fraudster uses this information to gain access to employee accounts and carry out the wire transfer.
- Foreign Supplier Request – a business receives a fraudulent request from a supplier to wire funds for an invoice payment. The request may be received via telephone, facsimile, or e-mail and appears legitimate.
- Business Executive Request – similar to scenario one, the fraudster gains access to a business executive’s e-mail account and requests a wire transfer from a second employee who normally processes these requests.
- Business Contact Request – fraudsters gain access to an employee’s personal e-mail account and send requests for invoice payments to vendors identified in the employee’s contact list.
- Business Executive and Attorney Impersonation – businesses receive communication from fraudsters who identify themselves as executives or lawyers via either phone or e-mail. The fraudsters pressure the employees to act quickly or secretly in handling the transfer of funds.
How can I protect my business?
Being aware of and understanding the BEC scam is the first step to protecting yourself. The FBI encourages businesses to deploy robust internal prevention techniques. Other prevention techniques include:
- Avoid web-based e-mail accounts
- Be cautious in posting job duties/descriptions on social media and company websites
- Be suspicious of requests to act quickly or secretly
- Consider additional IT and financial safety procedures
- Beware of sudden changes in business practices and always verify via other channels that you are still communicating with your legitimate business partner
I believe I am a victim of BEC. What should I do?
If you believe you are a victim of the BEC scam, it is important to immediately notify your financial institution and your local FBI office, and to file a complaint at www.IC3.gov.
We suggest that you read the full public service announcement at: http://www.ic3.gov/media/2016/160614.aspx.