Business email compromise (BEC) scams cost U.S. victims nearly $750 million and impacted more than 7,000 people between October 2013 and August 2015, according to the Federal Bureau of Investigation (FBI).
Globally, attackers scammed non-U.S. companies out of more than $50 million and affected more than 1,000 people. The attacks were reported in all 50 states and in 79 countries, the FBI announcement said, and there was a 270 percent increase in identified victims and exposed loss since January 2015. Fraud transfers were reported in 72 countries but the majority of transfers went through Asian banks in China and Hong Kong.
The FBI noted that there has been an increase of computer intrusions linked to BEC scams. Attackers will often send phishing emails, from seemingly legitimate sources, instructing the victim to click on a malicious link. Upon clicking the link the user downloads malware to their device offering unfettered access to the victim's credentials, the announcement said.
Criminals focused on businesses working with foreign suppliers or those that regularly performed wire transfer payments in an effort to compromise legitimate email accounts so they could conduct unauthorized money transfers. In some cases, scammers targeted businesses that used checks to commit the fraud as well.
Fraudsters often identified themselves as lawyers, or other types of legal representatives in the text of phishing emails and claimed to be handling confidential or time sensitive matters. They usually instructed the victims to act quickly or in secrecy when transferring funds.
Christopher Hadnagy, chief human hacker at Social-Engineer, LLC, told SCMagazine.com that businesses should perform frequent social engineering penetration tests via email and even phone to identify vulnerabilities in the human element of security.
“A penetration test is like stepping into a practice ring so that when you step out into the real world you know how to take a hit,” Hadnagy said.
He added that testing should key on educating companies and their employees about weaknesses -- rather than on exposing vulnerabilities. Employees must learn to recognize phishing attempts and safeguard against them.
Responding to the report, Stu Sjouwerman, founder and CEO of KnowBe4, said Friday in a statement on his company website that organizations should “have a dual-step process in place for bank wires, always verified by phone with trusted parties.”