Threat Management

BEC scammers picked off $5B, FBI says

Business E-mail Compromise (BEC) scams have now raked in a total of $5 billion, according to the Federal Bureau of Investigation (FBI).

That's a bump up from the $3.1 billion reported last year.

The FBI report revealed 40,203 domestic and international incidents occurred from October 2013 to December 2016 with 22,292 U.S. victims. Total losses in the U.S. were nearly $1.6 billion.

The statistics tracked with findings by Proofpoint, which found a 45 percent increase in BEC attacks during the final three months of 2016 over the prior three months. In comments sent to SC Media, Proofpoint stressed that there “no correlation between the size of the company and the BEC attack volume,” noting that companies of all sizes are targets.

Proofpoint research also showed that two-thirds of the attacks “spoofed their email address so that their fraudulent emails displayed the same domain as that of the company targeted in the attack.” Attackers have used this domain spoofing to mask their own email addresses and make the recipient think the missive has come from a familiar source. Most of the subject lines – 70 percent – contain the words “Urgent,” “Payment,” and/or “Request.”

The security firm warned that although attackers continue to impersonate CEOs, they're working their way deeper into companies. “There is a shift beyond simply fraudulent CEO-to-CFO BEC attacks to CEO-to-different employee groups,” Proofpoint noted. “For example, to accounts payable, for wire transfer fraud attempts, to human resources for confidential tax information and identities—and engineering for intellectual property theft.” 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.